

Process Controls

Flask provides several controls over the ability to change the label of a process. The security label of a process is only allowed to change upon program execution so that the inheritance of state and the initialization of the process in the new label can be controlled. Flask controls the ability of a process to transition to a new security label upon program execution through the transition permission, and it controls what programs may be used to perform such transitions through the entrypoint permission. It also controls the ability of a process to inherit open file descriptions across a transition.

Flask provides strong controls over the full set of code that can be executed by a process through the process execute permission. This permission is checked between the label of the transformed process and the label of the executable on every program execution. It is also checked when an ELF or script interpreter is executed, and when a file is memory-mapped with execute access (i.e. a shared library). This process execute permission differs from the separate entrypoint permission, which only controls what programs may be used to enter a new label. It also differs from the file execute permission, which only controls what programs may be initiated by a process, regardless of whether the process label is changed by the execution.
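
The exec-time checks described above, as a constructed Python model added here (not Flask's or SELinux's own code): the labels, the flat rule table and the choice to drop a file description that may not be inherited are assumptions of the model.

```python
# Constructed teaching model of the exec-time checks this section describes;
# not Flask/SELinux code. Labels, the flat rule table and dropping an
# uninheritable file description are assumptions of this toy.

class Denied(Exception):
    """A required permission is absent from the policy."""

# (source label, target label) -> granted permissions.  Constructed sample
# policy: user_t may start the passwd program, but only by entering passwd_t.
POLICY = {
    ("user_t", "passwd_exec_t"):   {"file_execute"},
    ("user_t", "shell_exec_t"):    {"file_execute", "process_execute"},
    ("user_t", "passwd_t"):        {"transition"},
    ("passwd_t", "passwd_exec_t"): {"entrypoint", "process_execute"},
    ("passwd_t", "shell_exec_t"):  {"process_execute"},  # no entrypoint
    ("passwd_t", "libc_t"):        {"process_execute"},  # mmap'd library
    ("passwd_t", "user_tty_t"):    {"fd_inherit"},       # keep the terminal
}

def allowed(src, tgt, perm):
    return perm in POLICY.get((src, tgt), set())

def execve(cur, exe, new=None, fds=()):
    """Exec of `exe` by process `cur`, maybe moving to `new`; returns (label, kept fd labels)."""
    new = new or cur
    # file execute: may this process initiate the program at all?
    if not allowed(cur, exe, "file_execute"):
        raise Denied(f"file execute {cur} -> {exe}")
    if new != cur:
        # transition: may the process change to the new label on exec?
        if not allowed(cur, new, "transition"):
            raise Denied(f"transition {cur} -> {new}")
        # entrypoint: is this program an allowed entry into the new label?
        if not allowed(new, exe, "entrypoint"):
            raise Denied(f"entrypoint {new} -> {exe}")
    # process execute: every exec, between the transformed process label and
    # the file; the same check applies to interpreters and execute mappings.
    if not allowed(new, exe, "process_execute"):
        raise Denied(f"process execute {new} -> {exe}")
    # inheritance of open file descriptions is checked only across a transition
    kept = tuple(f for f in fds if new == cur or allowed(new, f, "fd_inherit"))
    return new, kept

def why_denied(*args, **kwargs):
    """The failing check for an execve call, or None if it would succeed."""
    try:
        execve(*args, **kwargs)
    except Denied as err:
        return str(err)
    return None
```

Running the toy shows that user_t can initiate the passwd program only by transitioning into passwd_t, while a transition into passwd_t through the shell is refused by the entrypoint check even though passwd_t may execute the shell once entered.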

Flask controls the sending of signals, including the ability to indirectly send a signal via asynchronous I/O. It also controls the ability to trace another process, including the ability to continue tracing a process when a transition occurs. Flask controls several additional process management services, such as fork, wait, setpgid, getpgid, getsid, setpriority, getpriority, and the sched calls. These controls are described further in Section 5.1.

Flask provides an equivalent permission for each Linux capability. This allows the security policy to control the use of capabilities. Flask could be extended to provide a finer-grained replacement mechanism for capabilities. Such a mechanism was developed for one of Flask's predecessors, the DTOS system. This mechanism permitted privileges to be granted based on both the attributes of the process and the attributes of the relevant object, e.g. discretionary read override could be granted to a particular set of files. Since the mechanism obtained privilege decisions from the Flask security server, management of privileges was centralized and verification that privileges were granted appropriately was straightforward.

