
Object Classes


Table 21: Object classes for the Linux networking component.

    OBJECT CLASS
    ---------------------
    TCP socket
    UDP socket
    raw IP socket
    Unix stream socket
    Unix datagram socket
    node
    network interface


The object classes for the Linux implementation of the AF_INET and AF_UNIX protocol families are shown in Table 21. Since Linux uses the BSD socket API, the socket is the principal controlled object class. The socket object class was refined into separate object classes for the different types of sockets. When a socket is created via the socket call, it inherits the SID of the process that created it by default. If the socket is created by a connection, then it inherits the SID of the listening socket by default. An alternative approach would be to have the security server compute the SID of the new socket based on the SID of the listening socket and the SID of the client socket.

The Linux network component creates two special purpose sockets for use by the AF_INET protocol family. The tcp_socket is used to send resets when a TCP packet is rejected, since there may be no local socket corresponding to the packet. The icmp_socket is used to send ICMP messages. Two initial SIDs were defined for these sockets, with the corresponding security context determined by the security server.

For socket types that maintain message boundaries, each message is separately labeled. For other socket types, each message is implicitly associated with the SID of its sending socket. Although messages are labeled and controlled, a separate object class is not necessary. When a message is sent on a socket, it inherits the SID of the sending socket by default. When the network component receives a message from the network, the SID of the message is initially set to a default message SID associated with the receiving network interface. This default message SID is computed by the security server. If the message was protected using the IPSEC protocols, then the SID of the received message is set based on the information in the corresponding security association.

Each message is also associated with the SID of its source socket and the desired SID for its destination socket. By default, the desired SID for the destination socket of a message is set to the any_socket initial SID. When a message is received from the network, the source socket SID of the message is initially set to the default message SID for the receiving network interface. If the message was protected using IPSEC protocols, then the source socket SID and the destination socket SID are set based on information in the corresponding security association.
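The SID-assignment rules in the preceding paragraphs (socket creation and accept, outbound message labeling, and inbound labeling from the receiving interface or an IPSEC security association) are easy to get wrong when read only in prose, so here they are as a small executable model. This is an added example, not code from the Linux security module or this report: SIDs are plain integers, the `StubSecurityServer` class and every SID constant except the `any_socket` initial SID are constructed stand-ins, and the rule that an inbound message without IPSEC keeps the `any_socket` destination SID is an assumption, since the text only specifies how the source socket SID is set.

```python
"""Toy model of the socket and message SID rules described above.

Constructed example, not code from the Linux security module: SIDs are plain
integers and the 'security server' is a lookup table standing in for the
real policy engine.
"""
from dataclasses import dataclass

# Constructed SID values. Real SIDs are opaque handles issued by the
# security server; only the any_socket initial SID is named in the text.
SID_ANY_SOCKET = 1
SID_PROC_HTTPD = 100
SID_NETIF_ETH0_DEFAULT_MSG = 300
SID_IPSEC_SA_MSG = 400
SID_IPSEC_SA_SRC = 401
SID_IPSEC_SA_DST = 402


class StubSecurityServer:
    """Stand-in for the security server's 'compute a SID' queries (constructed)."""

    def __init__(self, netif_default_msg_sids):
        # network interface name -> default SID for unlabeled inbound messages
        self._netif_defaults = netif_default_msg_sids

    def default_msg_sid(self, netif):
        return self._netif_defaults[netif]


@dataclass
class Socket:
    sid: int
    message_boundaries: bool  # True for datagram-style sockets


@dataclass
class SecurityAssociation:
    """Labels carried by an IPSEC security association (constructed fields)."""
    msg_sid: int
    source_socket_sid: int
    dest_socket_sid: int


@dataclass
class Message:
    sid: int
    source_socket_sid: int
    dest_socket_sid: int
    payload: bytes


def socket_create(process_sid, message_boundaries):
    # socket(): the new socket inherits the creating process's SID by default.
    return Socket(sid=process_sid, message_boundaries=message_boundaries)


def socket_accept(listening):
    # A socket created by a connection inherits the listening socket's SID.
    return Socket(sid=listening.sid, message_boundaries=listening.message_boundaries)


def message_send(sock, payload):
    # Outbound: the message takes the sending socket's SID, and the desired
    # destination socket SID defaults to any_socket. For stream sockets the
    # label has the same value; it is implied by the socket rather than
    # stored per message.
    return Message(sid=sock.sid, source_socket_sid=sock.sid,
                   dest_socket_sid=SID_ANY_SOCKET, payload=payload)


def message_receive(server, netif, payload, sa=None):
    # Inbound without IPSEC: message SID and source socket SID both start as
    # the receiving interface's default message SID. The destination SID
    # keeps the any_socket default (assumption: the text specifies only the
    # source socket SID for this case).
    if sa is None:
        default = server.default_msg_sid(netif)
        return Message(sid=default, source_socket_sid=default,
                       dest_socket_sid=SID_ANY_SOCKET, payload=payload)
    # Inbound with IPSEC: all three labels come from the security association.
    return Message(sid=sa.msg_sid, source_socket_sid=sa.source_socket_sid,
                   dest_socket_sid=sa.dest_socket_sid, payload=payload)


def demo():
    """Run the rules over a constructed listener, reply and two inbound messages."""
    server = StubSecurityServer({"eth0": SID_NETIF_ETH0_DEFAULT_MSG})
    listener = socket_create(SID_PROC_HTTPD, message_boundaries=False)
    conn = socket_accept(listener)
    out = message_send(conn, b"constructed reply")
    plain = message_receive(server, "eth0", b"constructed request")
    sa = SecurityAssociation(SID_IPSEC_SA_MSG, SID_IPSEC_SA_SRC, SID_IPSEC_SA_DST)
    protected = message_receive(server, "eth0", b"constructed request", sa=sa)
    return conn, out, plain, protected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point the model makes visible is that an unprotected inbound message carries no information about its real sender: its source socket SID is whatever default the security server assigned to the receiving interface, so any policy decision on it is really a decision about the interface. Only an IPSEC security association lets the labels reflect the remote endpoint.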

The node object class was defined to permit controls on inbound messages based on the source address and to permit controls on outbound messages based on the destination address. The network interface object class was defined to permit controls based on the network interface used to send or receive a message. The SIDs for nodes and the SIDs for network interfaces are computed by the security server.

TCP and UDP port numbers are labeled to permit controls over the ability to bind to particular ports. Only those port numbers which lie outside the range used to automatically bind sockets, ip_local_port_range, are labeled and controlled. As with messages, a separate object class is not necessary for port numbers. The security server computes SIDs for the port numbers.

If an AF_UNIX socket is associated with an object in the file system namespace, there are two different objects with separate SIDs that represent the socket in different ways. The AF_UNIX socket object is created first using the socket call and it inherits the SID of the creating process by default. The socket file object is created by a subsequent bind call on the socket, and it is labeled with a SID computed by the security server based on the SID of the creating process and the SID of the parent directory. The socket file object continues to exist until it is explicitly unlinked from the file system namespace. If an AF_UNIX socket is associated with a name in the abstract namespace, there is no separate object for the name.
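The port-labeling rule two paragraphs up and the AF_UNIX bind behaviour just described both turn on a single decision (is this port inside ip_local_port_range? is this name in the file system or the abstract namespace?), and the following added example models both. It is not code from the Linux security module or this report: SIDs are integers, the `StubSecurityServer` class, its SID tables, the `IP_LOCAL_PORT_RANGE` tuple and the socket-file SID arithmetic are all constructed stand-ins for what the real security server computes from policy. The one real detail relied on is that Linux marks abstract-namespace AF_UNIX names with a leading NUL byte in `sun_path`.

```python
"""Toy model of port labeling and AF_UNIX bind labeling described above.

Constructed example, not kernel code: SIDs are integers and the security
server is a stub whose SID computation is a table lookup or simple arithmetic.
"""
from dataclasses import dataclass

# Constructed SIDs; the real values are opaque handles from the security server.
SID_PROC_HTTPD = 100
SID_DIR_TMP = 500
SID_PORT_HTTP = 600
SID_PORT_DEFAULT = 601

# Constructed stand-in for the kernel's ip_local_port_range sysctl (lo, hi).
IP_LOCAL_PORT_RANGE = (32768, 60999)


class StubSecurityServer:
    """Stand-in for the security server (constructed)."""

    def __init__(self, port_sids):
        self._port_sids = port_sids  # port number -> SID for explicitly labeled ports

    def port_sid(self, port):
        return self._port_sids.get(port, SID_PORT_DEFAULT)

    def socket_file_sid(self, creator_sid, parent_dir_sid):
        # The real server computes this from policy; the stub derives a
        # deterministic value from the two inputs the text names.
        return 1000 + (creator_sid * 31 + parent_dir_sid) % 1000


def port_is_controlled(port, local_port_range=IP_LOCAL_PORT_RANGE):
    """Only ports outside the auto-bind range carry a SID and are checked."""
    lo, hi = local_port_range
    return not (lo <= port <= hi)


def inet_bind(server, port, local_port_range=IP_LOCAL_PORT_RANGE):
    """Return the port SID a bind() would be checked against, or None when
    the port lies in ip_local_port_range and is therefore not controlled."""
    if not port_is_controlled(port, local_port_range):
        return None
    return server.port_sid(port)


@dataclass
class UnixSocket:
    sid: int


@dataclass
class SocketFile:
    path: str
    sid: int
    linked: bool = True


def unix_socket_create(process_sid):
    # socket(): the AF_UNIX socket object inherits the creating process's SID.
    return UnixSocket(sid=process_sid)


def unix_bind(server, sock, name, parent_dir_sid=None):
    """bind(): create the second, separately labeled object for a
    file-system name; abstract names get no separate object."""
    # Linux marks abstract-namespace names with a leading NUL in sun_path.
    if name.startswith("\0"):
        return None
    return SocketFile(path=name,
                      sid=server.socket_file_sid(sock.sid, parent_dir_sid))


def unix_unlink(sock_file):
    # The socket file object persists until it is explicitly unlinked,
    # independent of the socket object that created it.
    sock_file.linked = False
    return sock_file


if __name__ == "__main__":
    srv = StubSecurityServer({80: SID_PORT_HTTP})
    print("bind 80    ->", inet_bind(srv, 80))
    print("bind 40000 ->", inet_bind(srv, 40000))
    s = unix_socket_create(SID_PROC_HTTPD)
    print("socket file ->", unix_bind(srv, s, "/tmp/constructed.sock", SID_DIR_TMP))
    print("abstract    ->", unix_bind(srv, s, "\0constructed"))
```

Two consequences worth checking in a real policy follow directly from the model: a bind to a port inside ip_local_port_range is never subject to a port check, so widening that sysctl range silently removes controls on any explicitly labeled port that falls into it; and a file-system AF_UNIX socket has two objects with two SIDs, so a policy that labels the socket object but forgets the socket file (or vice versa) has only covered half of the name.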

