From: Casey Schaufler <casey@schaufler-ca.com>
To: Fan Wu <wufan@linux.microsoft.com>,
linux-security-module@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: Question about inode security blob
Date: Mon, 11 Jan 2021 17:28:15 -0800
Message-ID: <f4f21823-240c-394b-2222-bb8214e4ba7f@schaufler-ca.com>
In-Reply-To: <156f6860-73a4-f754-b460-d64de40ff626@linux.microsoft.com>

On 1/11/2021 4:56 PM, Fan Wu wrote:
> Hi,
>
> I'm trying to learn the security blob infrastructure for my future LSM development.
>
> Unlike other blobs, I found inode security blob has a special pattern. I couldn’t find useful information on the web so I think this mail list is the most appropriate place to ask this question.
>
> The BPF and SELinux will check whether the inode->i_security is NULL before use
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/linux/bpf_lsm.h#n35
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/selinux/include/objsec.h#n164

The inode security blob should never be NULL in a situation where
any of the LSM hooks depend on it. The only ways that could possibly
happen are if an inode is allocated before the LSM infrastructure is
initialized or if the system is out of memory when an inode is allocated
and there are no entries in the cache. As the code says, "unlikely" and
probably in a system failure state already.

>
> But for smack, it doesn't do such a check
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack.h#n347
> Is this because smack_set_mnt_opts() already does the NULL check at
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack_lsm.c#n784 ?

Smack tries to be pedantic about having data set up properly. So is the
LSM infrastructure management of inode blobs. I have not identified a case
where you should be able to get to an LSM hook requiring the security blob
if the blob is NULL. If initializing the inode fails it should be impossible
to use the inode thereafter.

>
> Also, I wonder in which situation will the inode->i_security be NULL?

The inode->i_security should never be NULL if the inode has been
initialized. Any LSM hook that finds this to be NULL has probably
identified a bug elsewhere in the system.

>
> Thanks, and I hope I could make my contributions to LSM soon.

Excellent. Please, tell us more about what you're proposing.

>
> Best,
> Fan
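
The following is an added example, not code from this thread or from the kernel: a userspace model of the two accessor styles contrasted above (a NULL check before use versus none) and of the invariant the reply relies on, namely that an inode whose blob setup failed is never usable afterwards. All type, function and variable names are hypothetical, and the shared blob with per-module offsets is an assumption of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model. Every name here is hypothetical, not a kernel symbol. */
struct model_inode { void *i_security; };   /* one blob shared by all modules */
struct mod_a_blob { int sid; };             /* slice of the module that checks */
struct mod_b_blob { int label; };           /* slice of the module that does not */
static const size_t off_a = 0;              /* slice offsets, fixed at init time */
static const size_t off_b = sizeof(struct mod_a_blob);
static int fail_alloc;                      /* knob: simulate out-of-memory */

/* Infrastructure allocates the whole blob while the inode is being set up. */
static int model_blob_alloc(struct model_inode *inode)
{
    size_t size = sizeof(struct mod_a_blob) + sizeof(struct mod_b_blob);
    inode->i_security = fail_alloc ? NULL : calloc(1, size);
    return inode->i_security ? 0 : -ENOMEM;
}

/* Creation path: if blob setup fails, the inode is never handed to any hook. */
static struct model_inode *model_new_inode(void)
{
    struct model_inode *inode = malloc(sizeof(*inode));
    if (inode && model_blob_alloc(inode)) {
        free(inode);
        inode = NULL;
    }
    return inode;
}

/* Defensive accessor: reports a missing blob to its caller. */
static struct mod_a_blob *mod_a_inode(const struct model_inode *inode)
{
    if (!inode->i_security)
        return NULL;
    return (struct mod_a_blob *)((char *)inode->i_security + off_a);
}

/* Trusting accessor: only valid for inodes returned by model_new_inode(). */
static struct mod_b_blob *mod_b_inode(const struct model_inode *inode)
{
    return (struct mod_b_blob *)((char *)inode->i_security + off_b);
}

int main(void)
{
    struct model_inode *inode = model_new_inode();
    if (inode) mod_b_inode(inode)->label = 7;   /* no NULL check needed */
    return inode && mod_a_inode(inode) ? 0 : 1;
}
```

In this model the trusting accessor is safe only because every inode a hook can see came through `model_new_inode()`; a hook that receives an inode with a NULL blob indicates the creation path was bypassed.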