linux-security-module July 2008 archive

Re: [PATCH 25/28] CRED: Documentation [ver #5]

From: Casey Schaufler <casey_at_nospam>
Date: Fri Jul 04 2008 - 16:17:10 GMT
To: David Howells <dhowells@redhat.com>


David Howells wrote:
> Document credentials and the new credentials API.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
>
> Documentation/credentials.txt | 563 +++++++++++++++++++++++++++++++++++++++++
> 1 files changed, 563 insertions(+), 0 deletions(-)
> create mode 100644 Documentation/credentials.txt
>
>
> diff --git a/Documentation/credentials.txt b/Documentation/credentials.txt
> new file mode 100644
> index 0000000..3caf1ea
> --- /dev/null
> +++ b/Documentation/credentials.txt
> @@ -0,0 +1,563 @@
> + ====================
> + CREDENTIALS IN LINUX
> + ====================
> +
> +By: David Howells <dhowells@redhat.com>
> +
> +Contents:
> +
> + (*) Overview.
> +
> + (*) Types of credentials.
> +
> + (*) File markings.
> +
> + (*) Task credentials.
> +
> + - Accessing task credentials.
> + - Accessing another task's credentials.
> + - Altering credentials.
> + - Managing credentials.
> +
> + (*) Open file credentials.
> +
> + (*) Overriding the VFS's use of credentials.
> +
> +
> +========
> +OVERVIEW
> +========
> +
> +There are several parts to the security check performed by Linux when one
> +object acts upon another:
> +
> + (1) Objects.
> +
> + Objects are things in the system that may be acted upon directly by
> + userspace programs. Linux has a variety of actionable objects, including:
> +
> + - Tasks
> + - Files/inodes
> + - Sockets
>

Sockets haven't become objects since my last set of objections to documenting them as such.

> + - Message queues
> + - Shared memory segments
> + - Semaphores
> + - Keys
> +
> + As a part of the description of all these objects there is a set of
> + credentials. What's in the set depends on the type of object.
> +
> + (2) Object ownership.
> +
> + Amongst the credentials of most objects, there will be a subset that
> + indicates the ownership of that object. This is used for resource
> + accounting and limitation (disk quotas and task rlimits for example).
> +
> + In a standard UNIX filesystem, for instance, this will be defined by the
> + UID marked on the inode.
> +
> + (3) The objective context.
> +
> + Also amongst the credentials of those objects, there will be a subset that
> + indicates the 'objective context' of that object. This may or may not be
> + the same set as in (2) - in standard UNIX files, for instance, this is the
> + defined by the UID and the GID marked on the inode.
> +
> + The objective context is used as part of the security calculation that is
> + carried out when an object is acted upon.
> +
> + (4) Subjects.
> +
> + A subject is an object that is acting upon another object.
>
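Review bot: typo in item (3), "The objective context": the line "this is the defined by the UID and the GID marked on the inode" should read "this is defined by the UID and the GID marked on the inode". While there, the sentence "This may or may not be the same set as in (2)" would read better if it said outright that the UNIX example is a case where the two sets differ: (2) gives the inode UID alone as the ownership credential, whereas (3) gives UID plus GID as the objective context.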

The Orange Book definition:

   "An active entity, generally in the form of a person, process,
   or device that causes information to flow among objects or
   changes the system state. Technically, a process/domain pair."

The system clock, which is not an object, could be considered a subject because it causes signals to be generated. If the system had a time stamp LSM then the system clock would definitely be a subject because a change in the time would result in a change in the accesses available.

--
Casey Schaufler
casey@schaufler-ca.com
650.906.1780