Next: Persistent Labeling Up: Design Previous: Permissions   Contents


Control Requirements

After defining permissions for the services provided by the Linux file system component, control requirements were defined for each Linux system call that provides one or more of these services. The control requirements specify the permissions that must be granted for the system call to successfully execute.

In the following tables, the control requirements for each system call are specified, where each control requirement is described by the class, permission, source SID (SSID), and target SID (TSID) used in a permission check. Since multiple calls may have the same requirements, more than one call may be listed in the leftmost column of a single table entry. In this case, all of the requirements in that table entry apply to all of the calls.

In the tables, the path target SID indicates that the permission check should be applied to each directory in the path prefix. File system classes and SIDs are abbreviated by fs, file description classes and SIDs are abbreviated by fd, and directory classes and SIDs are abbreviated by dir. A file permission check uses the class of the file being accessed, so the file class in the tables may be the pipe class, the directory class, or any of the file object classes.

Several of the system calls listed in the tables have two forms, one of which takes a pathname parameter and the other takes a file descriptor parameter, e.g. stat and fstat. In the tables, this is expressed as (f)stat. The corresponding control requirements are identical except that the descriptor-based call naturally does not have the search requirement.


Table 12: Control requirements for manipulating files.

                                      CONTROL REQUIREMENT(S)
CALL(S)                      CLASS    PERM        SSID      TSID
open                         dir      search      current   path
                             fd       create      current   fd
                             file     read        current   file
                             file     write       current   file
                             file     append      current   file
read, readv, pread           fd       setattr     current   fd
                             file     read        current   file
write, writev, pwrite        fd       setattr     current   fd
                             file     write       current   file
                             file     append      current   file
sendfile                     fd       setattr     current   in_fd
                             file     read        current   in_file
                             fd       setattr     current   out_fd
                             file     write       current   out_file
                             file     append      current   out_file
mmap, mprotect               fd       setattr     current   fd
                             file     read        current   file
                             file     write       current   file
                             file     append      current   file
                             process  execute     current   file
(f)stat, lstat               dir      search      current   path
                             file     getattr     current   file
(f)chmod, (f)chown, lchown,  dir      search      current   path
(f)truncate, utime(s)        file     setattr     current   file
access                       file     access      current   file
poll, select                 file     poll        current   file
fcntl: F_GETLK, F_SETLK,     file     lock        current   file
F_SETLKW; flock
ioctl: FIBMAP                file     getattr     current   file
ioctl: FIONREAD              fd       getattr     current   fd
                             file     getattr     current   file
ioctl: FIGETBSZ              file     getattr     current   file
ioctl: GETFLAGS, GETVERSION  file     getattr     current   file
ioctl: SETFLAGS, SETVERSION  file     setattr     current   file
ioctl                        file     ioctl       current   file


Table 12 shows the control requirements for system calls that manipulate files. The control requirements listed in this table for the open system call are the requirements for opening an existing file rather than the requirements for creating a new file. The process must be able to search the directories in the path prefix, and it must be able to create the file description. The read, write and append requirements on the open system call are enforced in accordance with the flags to open. The write permission grants either write access or append access. The append permission is only checked if write permission is not granted and the O_APPEND flag is specified.

Since the read, write, and append permissions are intended to control the actual services of reading from a file and writing (or appending) to a file, it is necessary to verify that the permissions are still granted when those services are performed. The prior checks during the open call may no longer be valid, since the process may have changed SID, the file may have changed SID, a different process may be using the file description, or a change in the security policy may have occurred. Hence, the system calls which implement those services, such as the read, write and sendfile system calls, must revalidate the permissions obtained during open. The calls must also verify that setattr permission to the file description parameters is granted, since the file offset is modified by these calls.

When a file is mapped into memory via the mmap call, the read, write, and append permissions are revalidated. However, the permissions may become invalid while the file is still mapped. Consequently, the permissions must be revalidated when pages are read from the file or written to the file, and the pages for a file in the page cache must be invalidated when the file is relabeled or a policy change that would affect access to the file occurs. The mmap call must also check the process execute permission to control the ability of a process to execute from a particular shared library. The mprotect call must also revalidate these permissions when the current protection is changed.
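The open-time checks and their later revalidation, as described in the three paragraphs above (and the F_SETFL rule given later with Table 15), modelled in a small Python simulation. This is an added example, not code from the design document: the policy, the SIDs, the labelled paths and the convention that a file description carries the SID of the process that created it are all constructed assumptions. It shows the write-before-append ordering on open, the revalidation that write() performs against the file's current label after a relabel, and the write check triggered when O_APPEND is cleared.

```python
"""Open-time checks and their revalidation (added example; constructed policy)."""
import os

# Open flag values as on Linux (assumed for the model; only used as bits here).
O_RDONLY, O_WRONLY, O_RDWR, O_ACCMODE = 0, 1, 2, 3
O_APPEND = 0o2000

# Constructed policy: (ssid, class, tsid) -> permissions granted.
POLICY = {
    ("user_t", "dir", "root_t"): {"search"},
    ("user_t", "dir", "home_t"): {"search"},
    ("user_t", "fd", "user_t"): {"create", "setattr", "getattr"},
    ("user_t", "file", "user_file_t"): {"read", "write"},
    ("user_t", "file", "audit_log_t"): {"read", "append"},  # append-only for user_t
}

# Constructed labels: path -> (class, SID). Changed by relabel() below.
LABELS = {
    "/": ("dir", "root_t"),
    "/home": ("dir", "home_t"),
    "/home/notes.txt": ("file", "user_file_t"),
    "/home/audit.log": ("file", "audit_log_t"),
}


def has_perm(ssid, tclass, tsid, perm):
    return perm in POLICY.get((ssid, tclass, tsid), set())


def require(ssid, tclass, tsid, perm):
    if not has_perm(ssid, tclass, tsid, perm):
        raise PermissionError(f"{ssid} lacks {tclass}:{perm} on {tsid}")


def path_prefix(path):
    """Directories in the path prefix: '/home/x' -> ['/', '/home']."""
    dirs, parent = [], os.path.dirname(path)
    while True:
        dirs.append(parent)
        if parent == "/":
            break
        parent = os.path.dirname(parent)
    return dirs[::-1]


def relabel(path, new_sid):
    """Simulate the file being relabelled while descriptions stay open."""
    LABELS[path] = (LABELS[path][0], new_sid)


class FileDescription:
    def __init__(self, path, fd_sid, flags, granted):
        self.path, self.fd_sid, self.flags = path, fd_sid, flags
        self.granted = granted  # what open relied on; never trusted later


def sys_open(ssid, path, flags):
    """open() of an existing file: search each prefix directory, create the
    file description, then the mode-dependent file checks. write covers both
    writing and appending; append is consulted only when write is denied and
    O_APPEND is set."""
    for d in path_prefix(path):
        require(ssid, "dir", LABELS[d][1], "search")
    require(ssid, "fd", ssid, "create")
    tclass, tsid = LABELS[path]
    used, acc = set(), flags & O_ACCMODE
    if acc in (O_RDONLY, O_RDWR):
        require(ssid, tclass, tsid, "read")
        used.add("read")
    if acc in (O_WRONLY, O_RDWR):
        if has_perm(ssid, tclass, tsid, "write"):
            used.add("write")
        elif flags & O_APPEND:
            require(ssid, tclass, tsid, "append")
            used.add("append")
        else:
            require(ssid, tclass, tsid, "write")  # raises
    return FileDescription(path, ssid, flags, used)


def sys_read(ssid, fdesc):
    """read(): the offset moves (fd setattr) and read is revalidated."""
    require(ssid, "fd", fdesc.fd_sid, "setattr")
    tclass, tsid = LABELS[fdesc.path]
    require(ssid, tclass, tsid, "read")
    return "read"


def sys_write(ssid, fdesc):
    """write(): fd setattr, then write-or-append against the file's CURRENT
    label rather than the one seen at open time."""
    require(ssid, "fd", fdesc.fd_sid, "setattr")
    tclass, tsid = LABELS[fdesc.path]
    if has_perm(ssid, tclass, tsid, "write"):
        return "write"
    if fdesc.flags & O_APPEND:
        require(ssid, tclass, tsid, "append")
        return "append"
    require(ssid, tclass, tsid, "write")  # raises


def sys_fcntl_setfl(ssid, fdesc, new_flags):
    """F_SETFL: clearing O_APPEND would turn an append-only description into
    a writable one, so file write must be granted at that point."""
    require(ssid, "fd", fdesc.fd_sid, "setattr")
    if fdesc.flags & O_APPEND and not new_flags & O_APPEND:
        tclass, tsid = LABELS[fdesc.path]
        require(ssid, tclass, tsid, "write")
    fdesc.flags = new_flags


def denied(fn, *args):
    """True if the modelled call is refused by the policy."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Running the model: opening /home/audit.log with O_WRONLY|O_APPEND succeeds on append alone, the same path with plain O_WRONLY is refused, and an fd to /home/notes.txt opened read-write is refused on write() once the file is relabelled to audit_log_t, while read() on it still succeeds.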


Table 13: Control requirements for manipulating directories.

                                      CONTROL REQUIREMENT(S)
CALL(S)                      CLASS    PERM             SSID      TSID
(f)chdir, chroot             dir      search           current   path
                             dir      search           current   dir
open, creat                  dir      search           current   path
                             fd       create           current   fd
                             dir      add_name         current   parent
                             file     create           current   file
                             fs       associate        file      fs
mkdir, mknod, symlink        dir      search           current   path
                             dir      add_name         current   parent
                             file     create           current   file
                             fs       associate        file      fs
rename                       dir      search           current   oldpath
                             dir      remove_name      current   oldparent
                             file     rename           current   file
                             dir      reparent         current   file
                             dir      search           current   newpath
                             dir      add_name         current   newparent
                             dir      remove_name      current   newparent
                             file     unlink           current   newfile
                             dir      rmdir            current   newfile
link                         dir      search           current   path
                             dir      add_name         current   parent
                             file     link             current   file
unlink                       dir      search           current   path
                             dir      remove_name      current   parent
                             file     unlink           current   file
rmdir                        dir      search           current   path
                             dir      remove_name      current   parent
                             dir      rmdir            current   dir
getdents, readdir            fd       setattr          current   fd
                             dir      read             current   dir
readlink                     file     read             current   file


Table 13 shows the control requirements for system calls that manipulate directories. In addition to requiring search permission to directories in the path prefix, the chdir, fchdir, and chroot system calls require search permission to the last component of the path. The control requirements listed in this table for the open and creat system calls are the requirements for creating a new file. The process must have search permission to the directories in the path prefix, create permission to the file description, add_name permission to the parent directory, and create permission to the new file. Furthermore, the file must have associate permission to the file system. The requirements for mkdir, mknod, and symlink only differ from the requirements for open in that there is no file description.

The rename system call requires search permission to both paths, remove_name permission to the old parent directory, rename permission to the file and add_name permission to the new parent directory. If the file being renamed is a directory, and its parent directory would be changed by the rename, then reparent permission must be granted to the file. If a file already exists at the new pathname, then remove_name permission must be granted to the new parent directory and unlink permission or rmdir permission must be granted to the existing file or directory.
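The rename requirements just described are conditional on the paths and on what already exists at the destination, which makes them easy to get wrong when reasoning about a policy. The following Python function derives the ordered list of checks for a given rename from those conditions and evaluates it against a policy. This is an added example, not the design document's code; the labels, SIDs and policy are constructed, and the `first_denial` evaluator is a hypothetical helper that stops at the first refused check, as an in-kernel check sequence would.

```python
"""Deriving rename() control requirements (added example; constructed policy)."""
import os


def path_prefix(path):
    """Directories in the path prefix: '/a/b/c' -> ['/', '/a', '/a/b']."""
    dirs, parent = [], os.path.dirname(path)
    while True:
        dirs.append(parent)
        if parent == "/":
            break
        parent = os.path.dirname(parent)
    return dirs[::-1]


def rename_requirements(oldpath, newpath, source_class, target_class=None):
    """Ordered (class, perm, target path) checks for rename(oldpath, newpath).

    source_class: class of the object being renamed ('dir', 'file', ...).
    target_class: class of an object already present at newpath, or None.
    """
    oldparent, newparent = os.path.dirname(oldpath), os.path.dirname(newpath)
    reqs = [("dir", "search", d) for d in path_prefix(oldpath)]
    reqs.append(("dir", "remove_name", oldparent))
    reqs.append((source_class, "rename", oldpath))
    # reparent applies only when a directory moves to a different parent
    if source_class == "dir" and oldparent != newparent:
        reqs.append(("dir", "reparent", oldpath))
    reqs += [("dir", "search", d) for d in path_prefix(newpath)]
    reqs.append(("dir", "add_name", newparent))
    if target_class is not None:
        # replacing an existing entry: the new parent loses a name and the
        # existing object is unlinked, or removed if it is a directory
        reqs.append(("dir", "remove_name", newparent))
        if target_class == "dir":
            reqs.append(("dir", "rmdir", newpath))
        else:
            reqs.append((target_class, "unlink", newpath))
    return reqs


# Constructed labels (path -> SID) and policy for evaluating the checks.
LABELS = {
    "/": "root_t", "/home": "home_t", "/home/alice": "alice_home_t",
    "/home/alice/docs": "alice_home_t", "/home/alice/old.txt": "alice_file_t",
    "/tmp": "tmp_t", "/tmp/scratch": "alice_file_t",
}
POLICY = {  # (ssid, class, tsid) -> permissions; note: no reparent anywhere
    ("alice_t", "dir", "root_t"): {"search"},
    ("alice_t", "dir", "home_t"): {"search"},
    ("alice_t", "dir", "alice_home_t"): {"search", "add_name", "remove_name", "rename"},
    ("alice_t", "file", "alice_file_t"): {"rename", "unlink"},
    ("alice_t", "dir", "tmp_t"): {"search", "add_name", "remove_name"},
}


def first_denial(ssid, reqs):
    """Evaluate the checks in order; return the first denied one, or None."""
    for tclass, perm, path in reqs:
        if perm not in POLICY.get((ssid, tclass, LABELS[path]), set()):
            return (tclass, perm, path)
    return None


if __name__ == "__main__":
    move = rename_requirements("/home/alice/docs", "/tmp/docs", "dir")
    print(first_denial("alice_t", move))  # the reparent check is the one refused
```

With the constructed policy, renaming a file within /home/alice passes, replacing /tmp/scratch passes because alice_t holds unlink on the existing file, and moving the docs directory under /tmp is refused at the reparent check even though every search, remove_name and add_name check before it is granted.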


Table 14: Control requirements for manipulating file systems.

                                      CONTROL REQUIREMENT(S)
CALL(S)                      CLASS    PERM             SSID      TSID
remount                      dir      search           current   path
                             fs       remount          current   fs
mount                        dir      search           current   devpath
                             dir      search           current   dirpath
                             fs       mount            current   fs
                             dir      mounton          current   dir
                             dir      mountassociate   root      dir
umount                       dir      search           current   path
                             fs       unmount          current   fs
ustat                        fs       getattr          current   fs
(f)statfs                    dir      search           current   path
                             fs       getattr          current   fs



Table 15: Control requirements for manipulating descriptions.

                                      CONTROL REQUIREMENT(S)
CALL(S)                      CLASS    PERM        SSID      TSID
lseek, llseek                fd       setattr     current   fd
fcntl: F_SETOWN, F_SETSIG    fd       setattr     current   fd
fcntl: F_SETFL               fd       setattr     current   fd
                             file     write       current   file
fcntl: F_GETFL, F_GETOWN,    fd       getattr     current   fd
F_GETSIG
ioctl: FIONBIO, FIOASYNC     fd       setattr     current   fd


Table 14 shows the control requirements for system calls that manipulate file systems. The remount call in the table represents the mount system call used with the MS_REMOUNT flag. The mount call in the table represents the mount system call used to mount a file system. Mounting a file system requires search permission to both the device special file pathname and to the mount point pathname, mount permission to the file system, and mounton permission to the mount point directory. The root directory of the file system must have mountassociate permission to the mount point directory.

Table 15 shows the control requirements for system calls that manipulate file descriptions. If a file is opened with the O_APPEND flag, and this flag is subsequently cleared via the F_SETFL command of the fcntl system call, then write permission must be granted to the file. The other system calls in this table only observe or modify the state of the file description itself, so they only require getattr or setattr permission to the file description. The F_SETOWN and F_SETSIG commands to the fcntl system call must also be checked against process management control requirements to ensure that the calling process may cause signals to be sent to the owner.

Note that Table 15 does not include entries for fcntl.F_SETFD, fcntl.F_GETFD, ioctl.FIONCLEX or ioctl.FIOCLEX. These operations may be used to observe or modify the close-on-exec flag of a file descriptor. The close-on-exec flag of a file descriptor is private to that file descriptor and is not part of the file description state. Hence, this flag is not shared and access to it does not require any permissions.

