manualshive.com logo in svg

IBM Novell 10 SP1 EAL4, Руководство по конструкции, Страница: 61 / 246

Поделиться
Скачать
IBM Novell 10 SP1 EAL4 Скачать руководство пользователя страница 61

 5.1.5.2.3  ACL permissions 

An ACL entry can define separate permissions for read, write, and execute or search. 

 5.1.5.2.4  Relationship to file permission bits

An ACL contains exactly one entry for each of the 

ACL_USER_OBJ

ACL_GROUP_OBJ

, and 

ACL_OTHER 

types of tags, called the required ACL entries.  An ACL can have between zero and a defined maximum 
number of entries of the 

ACL_GROUP

 and 

ACL_USER

 types.  An ACL that has only the three required ACL 

entries is called a minimum ACL.  ACLs with one or more ACL entries of the 

ACL_GROUP

 or 

ACL_USER 

types are called extended ACLs.
The standard UNIX file permission bits as described in the previous section are equivalent to the entries in the 
minimum ACL.  The owner permission bits correspond to the entry of the 

ACL_USER_OBJ

 type.  The entry 

of the 

ACL_GROUP_OBJ

 type represents the permission bits of the file group. The entry of the 

ACL_OTHER 

type represents the permission bits of processes running with an effective user ID and effective group ID or 
supplementary group ID different from those defined in 

ACL_USER_OBJ

 and 

ACL_GROUP_OBJ

 entries.

Minimum ACLs do not need to be stored on disk.  The permission information contained in the 

inode

 is 

sufficient for the access check.  When adding ACL entries to a file system object that did not previously have 
an explicit ACL, the kernel creates a minimum ACL based on the 

inode

 attributes, and then adds the new 

entries to that.

 5.1.5.2.5  ACL_MASK 

If an ACL contains an 

ACL_GROUP

 or 

ACL_USER

 type of entry, then exactly one entry of the 

ACL_MASK 

type is required in the ACL.  Otherwise, the 

ACL_MASK

 type of entry is optional. 

 5.1.5.2.6  Default ACLs and ACL inheritance 

A default ACL is an additional ACL, which can be associated with a directory.  This default ACL has no 
effect on the access to this directory.  Instead, the default ACL is used to initialize the ACL for any file that is 
created in this directory.  When an object is created within a directory, and the ACL is not defined with the 
function creating the object, the new object inherits the default ACL of its parent directory as its initial ACL. 
This is implemented by 

ext3_create()

, which invokes 

ext3_new_inode()

, which in turn invokes 

ext3_init_acl()

 to set the initial ACL. 

 5.1.5.2.7  ACL representations and interfaces 

ACLs are represented in the kernel as extended attributes.  The kernel provides system calls such as 

getxattr()

setxattr()

listxattr()

, and 

removexattr()

 to create and manipulate extended 

attributes.  User space applications can use these system calls to create and maintain ACLs and other extended 
attributes.  However, ACL applications, instead of directly calling system calls, use library functions provided 
by the POSIX 1003.1e compliant libacl.so.  Inside the kernel, the system calls are implemented using the 

getxattr

setxattr

listxattr

, and 

removexattr

 inode operations.  The kernel provides two 

additional inode operations, 

get_posix_acl() 

and 

set_posix_acl()

, to allow other parts of the 

kernel to manipulate ACLs in an internal format that is more efficient to handle than the format used by the 
inode xattr operations. 
In the ext3 disk-based file system, extended attributes are stored in a block of data accessible through the 

i_file_acl

 field of the 

inode

.  This extended attribute block stores name-value pairs for all extended 

attributes associated with the 

inode

.  These attributes are retrieved and used by appropriate access control 

functions.

49

Содержание Novell 10 SP1 EAL4

Страница 1: ...SUSE Linux Enterprise Server 10 SP1 EAL4 High Level Design Version 1 2 1...

Страница 2: ...in the United States other countries or both Linux is a registered trademark of Linus Torvalds UNIX is a registered trademark of The Open Group in the United States and other countries Intel and Pent...

Страница 3: ...stration 10 2 2 6 TSF interfaces 10 2 3 Approach to TSF identification 11 3 Hardware architecture 14 3 1 System x 14 3 1 1 System x hardware overview 14 3 1 2 System x hardware architecture 14 3 2 Sys...

Страница 4: ...tems 35 4 4 4 Trusted process subsystems 35 4 4 5 User level audit subsystem 36 5 Functional descriptions 38 5 1 File and I O management 38 5 1 1 Virtual File System 39 5 1 1 1 Pathname translation 41...

Страница 5: ...1 8 5 Work queue 64 5 1 9 Processor interrupts 64 5 1 10 Machine check 64 5 2 Process control and management 65 5 2 1 Data structures 66 5 2 2 Process creation and destruction 67 5 2 2 1 Control of c...

Страница 6: ...ion 4 IPv4 86 5 4 3 2 Internet Protocol Version 6 IPv6 86 5 4 3 3 Transition between IPv4 and IPv6 88 5 4 3 4 IP Security IPsec 88 5 4 4 Internet Control Message Protocol ICMP 93 5 4 4 1 Link layer pr...

Страница 7: ...s 151 5 6 Audit subsystem 151 5 6 1 Audit components 152 5 6 1 1 Audit kernel components 153 5 6 1 2 File system audit components 156 5 6 1 3 User space audit components 157 5 6 2 Audit operation and...

Страница 8: ...stem p 185 5 10 3 1 Boot methods 185 5 10 3 2 Boot loader 185 5 10 3 3 Boot process 185 5 10 4 System p in LPAR 187 5 10 4 1 Boot process 188 5 10 5 System z 191 5 10 5 1 Boot methods 191 5 10 5 2 Con...

Страница 9: ...Symmetric ciphers 217 5 12 2 Secure Shell 218 5 12 2 1 SSH client 220 5 12 2 2 SSH server daemon 220 5 12 3 Very Secure File Transfer Protocol daemon 220 5 12 4 CUPS 221 5 12 4 1 cupsd 222 5 12 4 2 p...

Страница 10: ...ns 242 5 14 2 1 cron 242 5 14 2 2 atd 243 5 15 User level audit subsystem 243 5 15 1 Audit daemon 243 5 15 2 Audit utilities 244 5 15 2 1 aureport 244 5 15 2 2 ausearch 245 5 15 2 3 autrace 245 5 15 3...

Страница 11: ...objects DA 4 252 6 4 Object reuse 253 6 4 1 Object reuse file system objects OR 1 253 6 4 2 Object reuse IPC objects OR 2 253 6 4 3 Object reuse memory objects OR 3 253 6 5 Security management 253 6...

Страница 12: ...process control and management 259 6 8 1 3 Kernel subsystem inter process communication 260 6 8 1 4 Kernel subsystem networking 263 6 8 1 5 Kernel subsystem memory management 264 6 8 1 6 Kernel subsys...

Страница 13: ...a source of information about the architecture of the system for any evaluation team 1 2 Document overview This HLD contains the following chapters Chapter 2 presents an overview of the IBM eServer sy...

Страница 14: ...as networked workstations and servers Figure 2 1 shows a series of interconnected TOE systems Each TOE system is running the SLES operating system on an eServer computer Each computer provides the sa...

Страница 15: ...needs by providing unlimited scalability support for open standards and mission critical qualities of service Following are systems in the IBM eServer product line that are included in the TOE System...

Страница 16: ...ent a structural overview of the hardware and software that make up an individual eServer host computer This single computer architecture is one of the configurations permitted under this evaluation 2...

Страница 17: ...t run with the administrative privilege such as the sshd cron atd and vsftpd daemons The TSF also includes the configuration files that define authorized users groups of users services provided by the...

Страница 18: ...on travel across a LAN segment and they are routed by a host in that segment to a host on another LAN segment The packets are eventually routed by the host in the second LAN segment to a host on a thi...

Страница 19: ...s 2 2 4 Security policy A user is an authorized individual with an account Users can use the system in one of three ways 1 By interacting directly with the system thorough a session at a computer cons...

Страница 20: ...other directly attached terminals or through a network connection Authentication is based on a password entered by the user and authentication data stored in a protected file Users must log in to a h...

Страница 21: ...structions are externally visible interfaces However the unprivileged processor instructions do not implement any security functionality and the processor restricts these instructions to the bounds de...

Страница 22: ...oftware that must function correctly to support the system security mechanisms It is required for system administration It consists of TSF data or configuration files It consists of libraries linked t...

Страница 23: ...11...

Страница 24: ...efault asp The Intel Xeon processor is mainly based on EM64 technology which has the following three operating modes 32 bit legacy mode In this mode both AMD64 and EM64T processors will act just like...

Страница 25: ...D configurations of SCSI and fiber channel disks and options for high speed networking The IBM System p servers are equipped with a real time hardware clock The clock is powered by a small battery and...

Страница 26: ...essing units contain the z Architecture logic There are three modes in which Linux can be run on a System z server native hardware mode logical partition mode and z VM guest mode The following paragra...

Страница 27: ...isk drives RAID 1 mirroring and options for high speed networking The IBM eServer 326 server is equipped with a real time hardware clock The clock is powered by a small battery and continues to tick e...

Страница 28: ...with a compatibility thunk layer The thunk layer is a library provided by the operating system The library resides in a 32 bit process created by the 64 bit operating system to run 32 bit applications...

Страница 29: ...17...

Страница 30: ...ovide TSF self protection This section does not enumerate the privileged and unprivileged programs Rather the TSF Software Structure identifies the privileged software as part of the description of th...

Страница 31: ...m z The System z systems also provide two execution modes identified by the Problem State bit bit 15 of the processor s Program Status Word PSW A value of 0 indicates a supervisor or kernel execution...

Страница 32: ...d with user ID zero into a set of discrete privileges based on the operation being attempted For example if a process is trying to create a device special file by invoking the mknod system call instea...

Страница 33: ...er what conditions DAC access control lists are described in detail in Section 5 1 5 4 1 2 1 4 Software privilege Software privilege for DAC policy is based on the user ID of the process At any time e...

Страница 34: ...t have any means of bypassing the enforcement mechanisms This unprivileged software need not be trusted in any way and is thus referred to as untrusted software Trusted processes that do not implement...

Страница 35: ...ance of processes to share portions of their address space under certain conditions but protection of the private address space of a process from outside tampering If the system runs low on free memor...

Страница 36: ...those that allow the creation scheduling execution and deletion of process and thread subjects Memory subsystem This subsystem implements functions related to the management of memory resources of a s...

Страница 37: ...specific C kernel functions Kernel threads reside in kernel space and only run in the kernel mode Following are some of the kernel threads keventd is a process context bottom half handler that execute...

Страница 38: ...ed by the init program during system initialization The auditd daemon reads audit records from the kernel buffer through the audit device and writes them to disk in the form of audit logs The cron dae...

Страница 39: ...update a user s password The passwd command turns off terminal echo while the user is typing the old as well as the new password in order to prevent displaying the password typed by the user Refer to...

Страница 40: ...en two untrusted hosts over an insecure network star is a version of the tar command that preserves extended attributes Extended attributes are the means by which ACLs are associated with file system...

Страница 41: ...rocess communication This subsystem includes the IPC kernel subsystem Networking This subsystem contains the kernel networking subsystem Memory management This subsystem contains the kernel memory man...

Страница 42: ...tem contains the portion of the audit system that lies outside the kernel This subsystem contains the auditd trusted process which reads audit records from the kernel buffer and transfers them to on d...

Страница 43: ...31...

Страница 44: ...tems The file systems supported by TOE are ext3 proc tmpfs sysfs devpts CD ROM rootfs and binfmt_misc At the user interface level a file system is organized as a tree with a single root called a direc...

Страница 45: ...ections describe data structures and algorithms that comprise each subsystem with special focus on access control and allocation mechanisms 5 1 1 Virtual File System The Virtual File System VFS provid...

Страница 46: ...le model of VFS involve the use of a file pathname The file pathname is either an absolute pathname such as ext3mnt file1 or a relative pathname such as ext3mnt file1 The translation of a pathname to...

Страница 47: ...s has write access to the directory being modified Directories cannot be directly written into Access checking in VFS is performed while an inode is derived from the corresponding pathname Each access...

Страница 48: ...Figure 5 5 VFS pathname translation and access control checks 36 Figure 5 5 VFS pathname translation and access control checks...

Страница 49: ...e the process is authorized to write in this directory Again if the operation vector of the inode is set then the call to permission is diverted to the disk based file system specific permission call...

Страница 50: ...l buffers acquires the big kernel lock and invokes the do_mount function to perform the mount There are no object reuse issues to handle during file system mounting because the data structures created...

Страница 51: ...SLES kernel s ext3 file system kernel is a robust and efficient file system that supports the following Automatic consistency checks Immutable files Preallocation of disk blocks to regular files Fast...

Страница 52: ...ot be modified no link can be created to it and it cannot be renamed or removed Only an administrator can change this attribute Append only if this attribute is set the file may only be modified in ap...

Страница 53: ...t3_lookup This routine is called when VFS real_lookup calls the disk based file system lookup routine of the disk based file system through the inode operation vector The ext3_find_entry is called by...

Страница 54: ...42 Figure 5 8 New data blocks are allocated and initialized for an ext3 field...

Страница 55: ...stems HOWTO html 5 1 2 2 1 Data structures and algorithms The following data structures and inode operations implement the file system on the SLES kernel vfs_permission Because the file system is a re...

Страница 56: ...hich prevents access by normal users to data of other processes In addition to vfs_permission different files in the proc file system define their own access control service functions These service fu...

Страница 57: ...device represent a pseudo terminal The slave device provides a terminal interface Instead of a hardware interface and associated hardware supporting the terminal functions a process that manipulates t...

Страница 58: ...lacement of the dnotify tool which had the same purpose inotify is relevant because different sorts of applications might want or need to know when events such as file changes or creation happen An ex...

Страница 59: ...1 Permission bits generic_permission implements standard UNIX permission bits to provide DAC for file system objects for the procfs devpts sysfs tmpfs securityfs binfmt_misc and ISO 9660 file systems...

Страница 60: ...on A type of tag that specifies the type of the ACL entry A qualifier that specifies an instance a type of an ACL entry A permission set that specifies the discretionary access rights for processes id...

Страница 61: ...is optional 5 1 5 2 6 Default ACLs and ACL inheritance A default ACL is an additional ACL which can be associated with a directory This default ACL has no effect on the access to this directory Inste...

Страница 62: ...ranted else access is denied else if the file system group ID or any of the supplementary group IDs of the process match the qualifier of the entry of type ACL_GROUP_OBJ or the qualifier of any entry...

Страница 63: ...Process destroys the asynchronous I O context using the io_destroy system call AIO uses the kernel bottom half mechanism of work queues to perform deferred work of AIO io_setup sets up a work queue na...

Страница 64: ...ed delay component into the dispatching equation The delay is invoked on any new request to the device driver thereby allowing a thread that just finished its I O request to submit a new request Imple...

Страница 65: ...kernel for processing Depending on the signal the kernel executes an appropriate interrupt handler to process the event Responsiveness of the system can be increased by promptly handling the interrupt...

Страница 66: ...en CPUs must be provided Inter processor interrupts IPIs are used to exchange messages between CPUs in SMP system The following group of functions helps in issuing IPIs send_IPI_all Sends an IPI to al...

Страница 67: ...ant structures that are used to implement processes and highlight security relevant credentials fields Process Creation and Destruction describes creation destruction and maintenance of a process with...

Страница 68: ...suid and sgid which describe the saved user ID and saved group ID of a process groups which lists the groups to which the process belongs state which describes the run state of the process pid which i...

Страница 69: ...security relevant credentials including uid euid gid and egid Because these credentials are used for access control decisions the child is given the same level of access to objects as the parent The c...

Страница 70: ...do_exit Process termination is handled in the kernel by the do_exit function The do_exit function removes most references to the terminating process from the kernel data structures and releases resou...

Страница 71: ...ssignment can cause the expired queue to become the active queue again making turnaround quite efficient For more information about O 1 scheduling refer to Linux Kernel Development A Practical guide t...

Страница 72: ...ad entered into kernel mode via system calls until or unless the task voluntarily relinquished the CPU Because the kernel is preemptible a kernel task can be preempted so that some important user appl...

Страница 73: ...mpt counter preempt_disable increments the preempt counter get_cpu calls preempt_disable followed by a call to smp_processor_id put_cpu re enables preemption Using these defines we could rewrite the a...

Страница 74: ...a simple scenario a curbuf pointer indicates the first buffer that contains data in the array and nrbufs indicates the number of buffers that contain data The page structures are allocated and used as...

Страница 75: ...very similar to the unnamed pipe described in Section 5 3 1 Unlike the unnamed pipe a FIFO has an entry in the disk based file system A large portion of the internal implementation of a FIFO pipe is i...

Страница 76: ...he implementation of the enforcement of DAC and the handling of object reuse by the allocation algorithms The IPC mechanisms share the following common properties Each mechanism is represented by a ta...

Страница 77: ...he kernel uses the memory for the kernel s internal purposes 5 3 3 2 2 ipcperms The ipcperms function is called when a process attempts to access an IPC resource ipcperms enforces the DAC policy Discr...

Страница 78: ...med by invoking the ipcperms function 5 3 3 4 Semaphores Semaphores allow processes to synchronize execution by performing a set of operations atomically on themselves An important data structure impl...

Страница 79: ...key A newly created shared memory segment s credentials are initialized from the creating process s credentials shmget invokes newseg to initialize the shared memory region newseg invokes shmem_file_...

Страница 80: ...ther from the kernel or from another process is performed by invoking the routine send_sig_info The kill system call along with signal generation by the kernel ultimately invokes send_sig_info send_si...

Страница 81: ...by them refer to Section 5 12 of this document 5 4 Network subsystem The network subsystem allows Linux systems to connect to other systems over a network It provides a general purpose framework with...

Страница 82: ...ation see the TCP IP Tutorial and Technical Overview IBM Redbook by Adolfo John Roland It is at the http www redbooks ibm com abstracts gg243376 html website 5 4 1 Overview of the network protocol sta...

Страница 83: ...them down to the link layer Transmission Control Protocol TCP and User Datagram Protocol UDP are the most commonly used transport layer protocols UDP simply provides a framework for addressing packet...

Страница 84: ...nternet Protocol Version 4 IPv4 IPv4 aka simply IP is the standard that defines the manner in which the network layers of two hosts interact These hosts can be on the same network or reside on physica...

Страница 85: ...as well as space for future growth A scope field has been added to multicast addresses to make for increased scalability The scope identifies whether the packet should be multicast only on the link si...

Страница 86: ...tack both IPv4 and IPv6 are implemented in the operating system Linux implements both IPv4 and IPv6 The second mechanism uses tunnels The IPv4 network exists while the IPv6 infrastructure is in progre...

Страница 87: ...is usually used for security between two hosts In tunnel mode AH and ESP provide security to the entire IP datagram The entire original IP datagram is encapsulated and an outer IP header attached Tunn...

Страница 88: ...ESP header When authentication is also chosen within the ESP protocol the data is encrypted first and then authenticated The authenticated data is placed in the authentication data field If no authen...

Страница 89: ...the creation and deletion of policy SAs and keys Automated SA and key management is done through the IKE protocol 5 4 3 4 1 6 Internet Key Exchange Protocol IKE The Internet Key Exchange IKE protocol...

Страница 90: ...oss domain user mappings and other related security information to be cached in the kernel for the file systems to use other kernel services A special kind of key called a keyring which contains a lis...

Страница 91: ...interfaces When sockets are used to establish a connection between two programs across a network there is always an asymmetry between the two ends One end on the server creates a communication endpoin...

Страница 92: ...does not use these LSM hooks 5 4 5 2 bind bind associates a name address to a socket that was created with the socket system call It is necessary to assign an address to a socket before it can accept...

Страница 93: ...y_socket_listen LSM hook but the SLES kernel does not use this hook listen does not create any data objects that are accessible to users so there are no object reuse issues to handle Only TCP sockets...

Страница 94: ...hat provides a mapping between process memory references and the machine s physical memory The memory management subsystem maintains this mapping on a per process basis so two processes can access the...

Страница 95: ...Kernel Memory Management describes how the kernel allocates dynamic memory for its own use and highlights how the kernel takes care of object reuse while allocating new page frames The fourth subsect...

Страница 96: ...s so the kernel was able to recognize all architectures as if they possessed three level page tables The new page table structure actually implemented includes a new level called PUD immediately below...

Страница 97: ...program a processor accesses memory to fetch instructions or to fetch and store data Addresses used by the program are virtual addresses The memory management subsystem provides translation from virt...

Страница 98: ...s A logical address is included in the machine language instructions to specify the address of an operand or an instruction It consists of a segment and an offset or displacement that denotes the dist...

Страница 99: ...Segment Descriptors are stored in either the Global Descriptor Table GDT or the Local Descriptor Table LDT The system has one GDT but may create an LDT for a process if it needs to create additional...

Страница 100: ...of data that can be stored in a page frame in memory or on disk Data structures that map linear addresses to physical addresses are called page tables Page tables are stored in memory and are initiali...

Страница 101: ...s fields that describe the page table or page entry such as accessed flag dirty flag and page size flag The two important flags for access control are the Read Write flag and the User Supervisor flag...

Страница 102: ...levels They define entry points in more privileged code to which control can be transferred Intel processors use these call gates which control CPU transitions from one level of privilege to other Cal...

Страница 103: ...ress extension PAE paging structures to potentially support mapping a 64 bit linear address to a 52 bit physical address In the first implementation of the Intel EM64T PAE paging structures are extend...

Страница 104: ...n describes logical partitions and their impact on memory addressing and access control To learn more about System p systems see PowerPC 64 bit Kernel Internals by David Engebretson Mike Corrigan Pete...

Страница 105: ...ird mode of operation for the processor This third mode called the hypervisor mode provides all the partition control and partition mediation in the system It also affects access to certain instructio...

Страница 106: ...state The hypervisor takes the value of 1 for hypervisor mode and 0 for user and supervisor mode The following table describes the privilege state of the processor as determined by MSR HV and MSR PR a...

Страница 107: ...or calls from the kernel space intended for the hypervisor Hypervisor calls can only be made from the supervisor state This access restriction to hypervisor calls is implemented with general purpose r...

Страница 108: ...box Because the hypervisor is accessible only through the kernel mode no specific access control is performed when the kernel interacts with the hypervisor The kernel does provide an RTAS system call...

Страница 109: ...called logical address regions which have been assigned in granular chunks to that partition These logical address regions provide the physical memory that backs up the virtual page address spaces fo...

Страница 110: ...sing shared resources in a way that would deny or restrict access to those resources by other partitions A key example is the hypervisor itself which is implemented as a library of services shared by...

Страница 111: ...effective address to a physical address It consists of a virtual segment ID bits 0 35 a page offset within the segment bits 36 51 and a byte offset within the page bits 52 63 All processes are given...

Страница 112: ...ective address page or block and settings in the processor Machine State Register MSR Settings in the MSR and page segment and block descriptors are used in implementing access control The following d...

Страница 113: ...egments are described by Segment Table Entries STEs The operating system generates and places STEs in segment tables in memory Each STE is a 128 bit entry that contains information for controlling seg...

Страница 114: ...address translation mechanism based on the MSR settings for instruction IR or data DR access For performance measurement the processor concurrently starts both Block Address Translation BAT and Segmen...

Страница 115: ...only for supervisor mode access only or for user and supervisor access In addition BAT allows the operating system to protect blocks of memory for read access only read write access or no access BAT t...

Страница 116: ...e Register and the segment table Page level access control uses a key bit from Segment Table Entry STE along with the Page Protection PP bits from the Page Table Entry to determine whether supervisor...

Страница 117: ...105 Figure 5 48 Page Address Translation and access control...

Страница 118: ...n Native Hardware mode but still requires device driver support for devices dedicated to a partition 5 5 2 4 3 z VM Guest mode In z VM Guest mode SLES runs as a guest operating system on one or more z...

Страница 119: ...ich allow each number to be associated with a byte location in memory The sequence starts at zero and proceeds left to right The z Architecture provides the means to access different address spaces In...

Страница 120: ...which address space translation mode primary secondary access register or home is used for the translation The following diagram illustrates the logic used to determine the translation mode If the DAT...

Страница 121: ...the CR7 For home address translation mode the Home Address Space Control Element HASCE is obtained from the CR13 In access register translation mode the Access List Entry Token ALET in the access reg...

Страница 122: ...for each CPU thus permitting more than one CPU sharing main memory to operate concurrently with a minimum of interference Prefixing is performed with the help of a prefix register No access control i...

Страница 123: ...ontrolled protection The protection mechanisms are applied independently at different stages of address translation Access to main memory is only permitted when none of the mechanisms prohibit access...

Страница 124: ...ach page table entry and segment table entry Protection can be applied to a single page or an entire segment a collection of contiguous pages Once the ASCE is located the following dynamic address tra...

Страница 125: ...113 Figure 5 54 31 bit Dynamic Address Translation with page table protection...

Страница 126: ...114 Figure 5 55 64 bit Dynamic Address Translation with page table protection...

Страница 127: ...ontrolled protection is based on using the access key and the storage key to evaluate whether access to a specific memory location is granted The 7 bit storage key consists of access control bits 0 1...

Страница 128: ...briefly describes the eServer 326 memory addressing scheme For more detailed information about the eServer 326 memory management subsystem see AMD64 Architecture Programmer s Manual Volume 2 System Pr...

Страница 129: ...resses are translated from virtual addresses using page translation mechanisms 5 5 2 5 5 Segmentation Segmentation is a method by which system software can isolate software processes or tasks and the...

Страница 130: ...e value is lower than the DPL value higher privilege Otherwise a general protection exception occurs and the segment register is not loaded The following diagram from AMD64 illustrates data access pri...

Страница 131: ...the code segment selector located in the call gate the processor performs the following three privilege checks 1 Compare the CPL with the call gate DPL from the call gate descriptor The CPL must be l...

Страница 132: ...e page table setup supports up to 48 bits of address space The x86 64 architecture supports page sizes of 4 KB and 2 MB Figure 5 61 illustrates how paging is used to translate a 64 bit virtual address...

Страница 133: ...and byte offset of the 4 KB page translation are combined to provide a byte offset into the 2 MB physical page Figure 5 62 illustrates how paging is used to translate a 64 bit linear address into a ph...

Страница 134: ...ing paging These fields are the Read Write R W flag the User Supervisor U S flag and the No Execute NX flag The following diagram shows the bit positions in a page map level 4 entry The flags hold the...

Страница 135: ...ded Feature Enable Register EFER In addition to the R W U S and NX flags of the page entry access control is also affected by the Write Protect WP bit of register CR0 If the write protection is not en...

Страница 136: ...5 64 shows a sample NUMA design Each node in the system is simply a 4 processor SMP system Each CPU in the node contains a L1 and L2 cache The node contains an L3 cache which is shared by all process...

Страница 137: ...ing information By using the TLB a translation can be performed without referencing the in memory page table entry that maps the virtual address However to keep translations as fast as possible the TL...

Страница 138: ...ystem The name of the file is determined by an atomic counter called hugetlbfs_counter which is incremented every time a shared region is set up To create a file backed by huge pages the system admini...

Страница 139: ...ts and thousands of concurrent users to be supported This section describes dynamic memory used by the kernel and describes the object reuse requirement This section also discusses the three sections...

Страница 140: ...a gfp_mask flag that is always set to GFP_KERNEL __GFP_HIGHMEM __vmalloc in turn calls vmalloc_area_pages which will allocate the PTEs for the page requested 5 5 4 Process address space The address sp...

Страница 141: ...ntil the process attempts to access that address for a write operation This technique is called demand paging When accessing the address for a read operation the kernel gives the address an existing p...

Страница 142: ...eing interrupted in the middle and avoids accesses to the same memory location by other CPUs The SLES kernel provides a special atomic_t data type and special functions that act on atomic_t variables...

Страница 143: ...fect the security of a computer system In particular an auditing facility records any action by any user that may represent a breach of system security For each action the auditing facility records en...

Страница 144: ...x Audit consists of a standard sockets based interface for user processes and an internal kernel API for kernel modules 5 6 1 1 1 Kernel userspace interface On top of netlink there exists the generic...

Страница 145: ...ject is done based on dev and or inode depending on whether dev inode is specified in the rule or whether a path is specified At kernel startup four lists are created to hold the filter rules One list...

Страница 146: ...reate per task audit_context No syscall specific audit records will be generated for the task AUDIT_SETUP_CONTEXT Create the per task audit_context but don t necessarily fill it in a syscall entry tim...

Страница 147: ...vector of inotify operations using the inotify_init function The operations vector contains the audit subsystem inotify event notification function audit_handle_ievent and the audit subsystem inotify...

Страница 148: ...an initial setup file auditd rules There is also an init script that is used to start and stop auditd etc init d auditd When run this script sources another file etc sysconfig auditd to set the local...

Страница 149: ...ILESYSTEM This enables file system auditing At boot time LAF provides the option audit which enables the system call and file system auditing support If audit is set to 1 system call and file system a...

Страница 150: ...mum log space is reached ignore syslog suspend rotate space_left Low water mark space_left_action What action to take when low water mark is reached ignore syslog suspend single halt admin_space_left...

Страница 151: ...e using auditctl e 1 5 The file system auditing is initialized by creating the watch lists and the hash table for the file system auditing auditd does the following on startup 1 Registers its pid with...

Страница 152: ...al logging mechanism active This mechanism offers a set of APIs that can be used by other kernel subsystems such as SELinux SELinux is not used in SLES If the audit daemon is not listening or Netlink...

Страница 153: ...ended with calls to audit framework functions Ordinarily system calls are performed in a three step process The first step changes from user to kernel mode copies system call arguments and sets up app...

Страница 154: ...s chown chmod setxattr and removexattr are audited by audit_inode hooks inserted into the system calls The hooks directly update the inode information in the audit context When a watched object is acc...

Страница 155: ...y audit information is placed on the netlink 5 6 3 1 5 Record generation by trusted programs Trusted programs create their own audit records in which their actions are described The following describe...

Страница 156: ...ique for each syscall and lasts from syscall entry to syscall exit The tuple is composed of the timestamp and the serial number Each audit record for system calls contain the system call return code w...

Страница 157: ...gments Syscalls shmget shmctl Rejection or acceptance by the TSF of any tested secret Audit record type USER_AUTH from PAM framework and audit record type USER_CHAUTHTOK from shadow utilities Use of i...

Страница 158: ...has the ability to run this tool First ausearch checks the validity of the parameters passed whether they are supported or not Then it opens either the logs or the administrator specified files The lo...

Страница 159: ...remove already tagged modules Modules stay tagged if they remain unused since the previous invocation of rmmod a This two step cleanup approach avoids transiently unused modules Only root administrato...

Страница 160: ...k LSM also provides a simple mechanism for stacking additional security modules with the primary security module It defines register_security and unregister_security hooks in the security_operations s...

Страница 161: ...omputing process capabilities on execve and set uid checking capabilities for a particular process saving and checking capabilities for netlink messages and handling the capget and capset system calls...

Страница 162: ...boot time warn panic build or build panic whether the OWLSM extension should be loaded and whether event logging should occur For more information about AppArmor configuration please see the man page...

Страница 163: ...do the opposite switch from complain to enforcing mode for a particular profile genprof can be used to generate a profile with all of the permission that were exercised during a test run of the target...

Страница 164: ...orking traffic to a network adapter The physical layer of the networking stack invokes appropriate functions to send and receive networking packets through a network adapter The device driver correspo...

Страница 165: ...am addressable guest registers the addresses of related control tables bits for controlling the operation of optional facilities areas for displaying information concerning and interception informatio...

Страница 166: ...be prohibited such as I O Each access to such a virtualized resource causes the SIE instruction to terminate on the requesting processor and to return control back to the CP Based on CP s internal st...

Страница 167: ...es Programs operate on block devices by opening their file system entries The file system entry contains a major and a minor number by which the kernel identifies the device The kernel maintains a has...

Страница 168: ...ture This section describes the system initialization process of eServer systems Because part of the initialization is dependent on the hardware architecture the following subsections identify and des...

Страница 169: ...init_main 11 Tells the kernel to send Ctrl Alt Delete to init for processing 12 Sets up signal handling 13 Initializes the console 14 Sets a default PATH environment variable 15 Initializes the var ru...

Страница 170: ...port conflicts 3 The BIOS searches for the operating system to boot in an order predefined by the BIOS setting Once a valid device is found the BIOS copies the contents of its first sector containing...

Страница 171: ...the etc sysconfig boot script 2 Mounts the proc special file system 3 Mounts the dev pts special file system 4 Executes etc init d boot local which was set by an administrator to perform site specific...

Страница 172: ...160 Figure 5 79 System x SLES boot sequence...

Страница 173: ...control to it with relocation disabled 3 Yaboot interacts with OpenFirmware and determines the system configuration including real memory layout and the device tree 4 Yaboot instantiates the Run Time...

Страница 174: ...rcX d where X is the default run level The default run level for a SLES system in the evaluated configuration is 3 The following lists some of the initializations performed at run level 3 Saves and r...

Страница 175: ...hich interacts with actual hardware and provides virtual versions of hardware to operating systems running in different logical partitions As part of an Initial Program Load the hypervisor performs ce...

Страница 176: ...bed in Section 5 5 3 6 system date and system time 11 Uncompresses the system initrd initial RAM file mounts it and then executes linuxrc 12 Unmount initrd mounts the root file system and executes sbi...

Страница 177: ...For more details about services started at run level 3 see the scripts in etc rc d rc3 d on a SLES system Figure 5 81 schematically describes the boot process of System p LPARs 165 Figure 5 81 System...

Страница 178: ...suing an IPL instruction the CP reads the boot record written to the DASD virtual disk by the zipl utility 2 Based on the boot record CP loads the SLES kernel image into memory and jumps to the initia...

Страница 179: ...onfiguration is 3 The following lists some of the initializations performed at run level 3 Saves and restores the system entropy tool for higher quality random number generation Configures network int...

Страница 180: ...Volume 2 System Programming at http www amd com us en assets content_type white_papers_and_tech_docs 24593 pdf 5 10 6 1 Boot methods SLES supports booting from a hard disk a CD ROM or a floppy disk C...

Страница 181: ...d video card disk controller and floating point unit 6 The boot loader reprograms the Programmable Interrupt Controller and maps the 16 hardware interrupts to the range of vectors from 32 to 47 The bo...

Страница 182: ...pts special file system 4 Executes etc rc d rc local which was set by an administrator to perform site specific setup functions 5 Performs run level specific initialization by executing startup script...

Страница 183: ...kernel are based on the process s user ID established at login time and all mandatory access control decisions made by the kernel are based on the process domain established through login which make t...

Страница 184: ...rnel org pub linux libs pam 5 11 1 1 Overview PAM consists of a set of shared library modules which provide appropriate authentication and audit services to an application Applications are updated to...

Страница 185: ...f the module stack before returning failures to the application optional which indicates that the module is not required and sufficient which indicates that if the module is successful there is no nee...

Страница 186: ...system pam_wheel so Permits root access only to members of the wheel group By default pam_wheel so permits root access to the system if the applicant user is a member of the wheel group First the mod...

Страница 187: ...swords are not used in the TOE var log lastlog The time and date of the last successful login for each user is stored here The file is owned by the root user and tty group and its mode is 644 var log...

Страница 188: ...this ID Additionally the SLES kernel has a framework for providing software privilege for DAC policy through capabilities These capabilities which are based on the POSIX 1e draft allow breakup of the...

Страница 189: ...nt to the pam_tally so module deny 5 Once the password is successfully verified various password aging restrictions which are set up in etc login defs are checked If the password has expired the login...

Страница 190: ...to terminate the program if a user name is not entered within a specific amount of time 5 11 3 5 newgrp The newgrp command changes the group ID using the group password for authentication If run with...

Страница 191: ...ping the old as well as the new password in order to prevent the password from being displayed as it is being typed by the user Refer to the passwd man page for more detailed information passwd genera...

Страница 192: ...re performing actions on behalf of the user The audit subsystem tries to record security relevant actions performed by users Because the user identity attributes such as uid can be changed by an appro...

Страница 193: ...o Rodriguez et al at http www redbooks ibm com redbooks pdfs gg243376 pdf The TLS Protocol version 1 1 by Tim Dierks and Eric Rescorla at http www ietf org rfc rfc2246 txt number 2246 Internet Securit...

Страница 194: ...er encryption with asymmetric keys for exchanging symmetric keys and one way hash functions for data integrity The following sections briefly describe encryption and message digest concepts and how th...

Страница 195: ...et messages have access to this symmetric key 5 12 1 1 1 2 Encryption with asymmetric keys Asymmetric key encryption and decryption also known as public key cryptography involve the use of a key pair...

Страница 196: ...the intended receiver s public key Even if messages are intercepted by a third party the third party cannot decrypt them Only the intended receiver can decrypt messages with his or her private key Th...

Страница 197: ...rcept messages between them replace their public keys with their own public keys and monitor their network traffic The solution for this vulnerability is the digital certificate A digital certificate...

Страница 198: ...e key initialization vectors and sequence numbers 5 12 1 2 1 SSL handshake protocol The SSL handshake protocol is responsible for performing authentication of peers that are attempting secure communic...

Страница 199: ...RTEZZA KEA key exchange This message is not used if the server certificate contains Diffie Hellman DH1 parameters 3 Client key exchange message RSA encrypted premaster secret message In the evaluated...

Страница 200: ...y compresses them Then using all the negotiated security parameters applies a message authentication code MAC encrypts the data and transmits the result to the transport layer TCP The received data is...

Страница 201: ...hic algorithm created by researchers Joan Daemen and Vincent Rijmen AES is an iterative symmetric key block cipher that can use keys of 128 192 and 256 bits and encrypts and decrypts data in blocks of...

Страница 202: ...he SSH protocol requires that each host have a host specific key When the SSH client initiates a connection the keys are exchanged using the Diffe Hellman protocol A session key is generated and all t...

Страница 203: ...nt The ssh client first parses arguments and reads the configuration readconf c then calls ssh_connect in sshconnect c to open a connection to the server and performs authentication ssh_login in sshco...

Страница 204: ...ues The daemon generally follows these steps 1 Parses command line arguments 2 Parses the configuration file 3 Performs sanity checks such as ensuring that standard input is a socket 4 Initializes the...

Страница 205: ...y if they pass both CUPS access checks The cupsd daemon typically follows these processing steps 1 Processes command line arguments 2 Sets up signal handlers 3 Forks a child 4 The parent waits for the...

Страница 206: ...Stops the server 43 Frees all jobs 44 Frees file descriptor sets 45 Closes audit file descriptor 46 Exits 5 12 4 2 ping ping opens a raw socket and uses the ICMP protocol s mandatory ECHO_REQUEST data...

Страница 207: ...ogram via the exec option There is also an option that allows a program to accept incoming connections and then launch stunnel Each SSL enabled daemon needs to present a valid X 509 certificate to the...

Страница 208: ...mation chage generally follows these steps 1 Sets language 2 Sets up a variable indicating whether the application user is the root user 3 Parses command line arguments 4 Performs a sanity check on co...

Страница 209: ...credentials 10 Prompts for new finger information if not supplied on the command line 11 Updates appropriate database files with new finger information 12 Exits 5 13 1 3 chsh The chsh program allows...

Страница 210: ...uthentication database files 10 Invokes usr_update to update authentication database files with new account information 11 Generates audit records to log actions of the useradd command Actions such as...

Страница 211: ...s 1 Sets language 2 Invokes getpwuid getuid to obtain the application user s passwd structure 3 Invokes pam_start to initialize PAM library and to identify the application with a particular service na...

Страница 212: ...es pam_authenticate to authenticate the application user Generates an audit record to log the authentication attempt and its outcome 5 Invokes pam_acct_mgmt to perform module specific account manageme...

Страница 213: ...ase files 11 Invokes pam_chauthok to rejuvenate the user s authentication tokens 12 Exits 5 13 3 3 groupdel The groupdel program allows an administrator to delete existing groups on the system Refer t...

Страница 214: ...202...

Страница 215: ...to set system time from the hardware clock time The hwclock man page gives more information hwclock follows these steps 1 Sets language 2 Parses command line arguments 3 Validates command line argumen...

Страница 216: ...ee packet 7 when opening the socket AMTU performs the following 1 Using the PF_PACKET communication domain opens another connection to the listening server and 2 Ensures that the random data transmitt...

Страница 217: ...90 BOOKS DZ9AR006 CCONTENTS The following privileged instructions are tested by this tool PTLB Purge TLB RRBE Reset reference bit extended PALB Purge ALB EPAR Extract Primary ASN HSCH Halt subchannel...

Страница 218: ...d Global Descriptor Table Register LTR Load Task Register LLDT Load Local Descriptor Table Register To test CPU control registers use MOVL cs 28 esp This overwrites the value of the register that cont...

Страница 219: ...ecks for a FIFO forks and runs operation if so 20 Checks for a copy flag copies the archive if so 21 Checks for TOC create or extract flags 22 If a list file arguments was passed opens that and uses i...

Страница 220: ...ainst the shadow database 9 Zeros the password memory 10 Exits 5 14 Batch processing Batch processing on the SLES system means to submit a job that will be run when the system load permits Batch proce...

Страница 221: ...an audit record to log the replacement of an existing crontab file crontab files are created in the var spool cron directory and are created with the login name of the respective user This establishes...

Страница 222: ...s etc cron weekly hourly daily monthly 4 Calls the load_database routine to read crontab files in the var spool cron tabs directory 5 For every crontab file invokes getpwnam to get the user s identity...

Страница 223: ...on parameters that define among other things what to do when errors are encountered or when the log files are full 5 Usually the etc init d auditd init script runs auditd which issues auditctl R etc a...

Страница 224: ...ile records into a linked list before it checks whether the record matches the requested search criteria 5 15 2 3 autrace Only root can run this command autrace executes the program passed to it after...

Страница 225: ...r the object in the calling process s shared library segment If the library is there the links are resolved and the program can call the shared library code If the library isn t there the loader pages...

Страница 226: ...sed on the number of failed login attempts lib security pam_listfile so Modules that allow use of ACLs based on users ttys remote hosts groups and shells lib security pam_deny so Module that always re...

Страница 227: ...overridden from shared libraries with environment variables LD_PRELOAD and LD_LIBRARY_PATH The LD_PRELOAD variable lists object files with functions that override the standard set The LD_LIBRARY_PATH...

Страница 228: ...uperVisor Call assembly instruction SVC to make a system call The SVC instruction generates an exception The exception handler in the kernel redirects the call to the system call handler system_call s...

Страница 229: ...range of interval addresses reserved for the kernel That is that the linear address is lower than PAGE_OFFSET 2 Because bad addresses lower than PAGE_OFFSET cause a page fault the kernel consults the...

Страница 230: ...description of the interactive login process Section 5 12 2 describes the process of obtaining a shell from the remote system 6 1 4 User identity changing IA 4 Section 5 11 3 7 provides a description...

Страница 231: ...ections 5 1 2 1 5 1 5 2 and 5 1 5 2 1 provide details on DAC based on ACLs on file system objects 6 3 4 DAC IPC objects DA 4 Section 5 3 provides details on DAC for IPC objects 6 4 Object reuse Sectio...

Страница 232: ...audit subsystem 6 5 5 Reliable time stamps SM 5 Sections 3 1 1 3 2 1 3 3 1 and 3 4 1 describe the use of hardware clocks by eServer hardware to maintain reliable time stamps 6 6 Secure communications...

Страница 233: ...e security enforcing in the sense that the subsystems work together to provide a defined security function Interfaces that are not security enforcing are interfaces between subsystems where the interf...

Страница 234: ...subsystem maintains data structures that can be read directly by other kernel subsystems to obtain specific information They are considered to be data interfaces Data structures are defined in header...

Страница 235: ...cument Sections 5 1 2 1 5 1 5 1 and 5 1 5 2 ext3_truncate This document Section 5 1 2 1 Specific isofs methods Interfaces defined in isofs_lookup This document Section 5 1 2 2 Basic inode operations T...

Страница 236: ...ock include linux ext3_fs h isofs_sb_info include linux iso_fs_sb h inode include linux fs h ext3_inode include linux ext3_fs h iso_inode_info include linux iso_fs_i h ext3_xattr_entry include linux e...

Страница 237: ...Alessandro Rubini free_irq Linux Device Drivers O Reilly Chapter 9 2nd Edition June 2001 Alessandro Rubini send_sig_info check_kill_permission Understanding the LINUX KERNEL Chapter 10 2nd Edition Dan...

Страница 238: ...n 5 3 1 1 pipe_write Understanding the LINUX KERNEL Chapter 19 2nd Edition Daniel P Bovet Marco Cesati ISBN 0 596 00213 0 and this document Section 5 3 1 1 init_special_in ode This document Section 5...

Страница 239: ...mmap ioctl sendpage The socket system call creates the inode The system calls such as bind connect poll listen setsockopt getsockopt ioctl and accept are directly implemented by the methods registered...

Страница 240: ...sandro Rubini 6 8 1 5 3 Data Structures mm_struct and include linux sched h 6 8 1 6 Kernel subsystem audit This section lists external interfaces internal interfaces and data structures of the audit s...

Страница 241: ...hlist A linked list that holds all the watches in the system auditfs_hash_table A hash table of hashed inode addresses to store and retrieve inode audit data 6 8 1 7 Kernel subsystem device drivers 6...

Страница 242: ...rivers O Reilly Chapter 3 2nd Edition June 2001 Alessandro Rubini unregister_chrdev Linux Device Drivers O Reilly Chapter 3 2nd Edition June 2001 Alessandro Rubini 6 8 1 7 2 2 Block Devices Possible B...

Страница 243: ...Trusted processes need to use system calls when they need the functions of a kernel subsystem The interfaces to the kernel subsystems therefore are only the system calls Trusted processes can communi...

Страница 244: ...Stevens ISBN 0 13 474222 2 RODR TCP IP Tutorial and Technical Overview Adolfo Rodriguez et al EYNG Internet Security Protocols SSLeay TLS Eric Young DRKS The TLS Protocol version 1 Tim Dierks Eric Res...

Страница 245: ...rd National Institute of Standards and Technology U S Department of Commerce 18 May 1994 SCHNEIR Applied Cryptography Second Edition protocols algorithms and source in code in C 1996 Schneier B FIPS 1...

Страница 246: ...rection and intent are subject to change or withdrawal without notice and represent goals and objectives only This Information is provided AS IS without warranty of any kind This publication was produ...

Отзывы:

Нет отзывов