Re: Question about inode security blob

[Fan Wu <wufan@linux.microsoft.com>]

On 2021/1/11 17:28, Casey Schaufler wrote:
> On 1/11/2021 4:56 PM, Fan Wu wrote:
>> Hi,
>>
>> I'm trying to learn the security blob infrastructure for my future LSM development.
>>
>> Unlike other blobs, I found inode security blob has a special pattern. I couldn’t find useful information on the web so I think this mail list is the most appropriate place to ask this question.
>>
>> The BPF and SELinux will check whether the inode->i_security is NULL before use
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/linux/bpf_lsm.h#n35
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/selinux/include/objsec.h#n164
> 
> The inode security blob should never be NULL in a situation where
> any of the LSM hooks depend on it. The only ways that could possibly
> happen are if an inode is allocated before the LSM infrastructure is
> initialized or if the system is out of memory when an inode is allocated
> and there are no entries in the cache. As the code says, "unlikely" and
> probably in a system failure state already.
> 
>>
>> But for smack, it doesn't do such a check
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack.h#n347
>> Is this because smack_set_mnt_opts() already does the NULL check at
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/security/smack/smack_lsm.c#n784 ?
> 
> Smack tries to be pedantic about having data set up properly. So is the
> LSM infrastructure management of inode blobs. I have not identified a case
> where you should be able to get to an LSM hook requiring the security blob
> if the blob is NULL. If initializing the inode fails it should be impossible
> to use the inode thereafter.
> 
>>
>> Also, I wonder in which situation will the inode->i_security be NULL?
> 
> The inode->i_security should never be NULL if the inode has been
> initialized. Any LSM hook that finds this to be NULL has probably
> identified a bug elsewhere in the system.
> 

Thanks for the quick reply. If I understand correctly, I should follow 
the first pattern if I want to use the inode blob.
>>
>> Thanks, and I hope I could make my contributions to LSM soon.
> 
> Excellent. Please, tell us more about what you're proposing.
> 

My work will be related to the IPE LSM we proposed before. For the inode 
blob, we want to use it to save some file data like FSVerity signature 
so that the LSM can define policy based on that data.
>>
>> Best,
>> Fan