Next: System Call Review Up: Implementation Previous: API Extensions   Contents

Control Requirements

The semctl, msgctl and shmctl system calls with the IPC_RMID or IPC_SET options each allowed a process with CAP_SYS_ADMIN to bypass the standard Linux owner checks. The Flask checks, however, are not bypassed by CAP_SYS_ADMIN, and as described in Section 5.2, the use of CAP_SYS_ADMIN even to bypass the standard owner checks is subject to additional Flask checks.

Each control point that has the potential to generate an audit record adds the ID of the semaphore set, message queue, or shared memory region to the audit data included in the record.

The control point for shmat without SHM_RDONLY is implemented as a check for both read and write permission, since both the logical semantics and the x86 implementation of "not read-only" amount to read and write.

Since shmat also writes the access granted into the memory segment structures for hardware use on each access, a call-back will eventually be necessary to allow the access control embodied in the memory structures to be revalidated or revoked on a policy change.
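The following C model, added here and not part of the original report or of the SELinux kernel patch, illustrates two points made above: that a CAP_SYS_ADMIN holder can pass the standard owner check for IPC_RMID/IPC_SET but never bypass the Flask check (and that relying on the capability itself draws a further Flask check), and that a non-read-only shmat is checked as read and write. The policy table, SID values, permission names and the `ipc_ctl_permission`/`shmat_requested_perms` helpers are constructed assumptions for the example; only the SHM_RDONLY, IPC_RMID and IPC_SET values match the real headers.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two-layer decision (standard owner check plus
 * Flask check); this is illustrative code, not the kernel's ipc/ code. */

#define SHM_RDONLY 010000   /* flag value as in <sys/shm.h> */
#define IPC_RMID   0        /* command values as in <sys/ipc.h> */
#define IPC_SET    1

/* Assumed per-object permission bits, in the style of a Flask access vector. */
enum {
    PERM_READ    = 1 << 0,
    PERM_WRITE   = 1 << 1,
    PERM_SETATTR = 1 << 2,
    PERM_DESTROY = 1 << 3,
};

struct ipc_object { uint32_t uid, cuid; uint32_t sid; };   /* owner, creator, object SID */
struct task       { uint32_t euid; bool cap_sys_admin; uint32_t sid; };

/* Constructed policy: what each (subject SID, object SID) pair is allowed. */
struct rule { uint32_t ssid, tsid; unsigned allowed; };
static const struct rule policy[] = {
    { 100, 200, PERM_READ | PERM_WRITE | PERM_SETATTR | PERM_DESTROY }, /* assumed admin domain */
    { 101, 200, PERM_READ },                                            /* assumed reader domain */
};
/* Constructed list of domains permitted to make use of CAP_SYS_ADMIN at all. */
static const uint32_t sys_admin_domains[] = { 100 };

static unsigned flask_allowed(uint32_t ssid, uint32_t tsid) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].ssid == ssid && policy[i].tsid == tsid)
            return policy[i].allowed;
    return 0;   /* default deny: no rule, no access */
}

static bool flask_may_use_sys_admin(uint32_t ssid) {
    for (size_t i = 0; i < sizeof sys_admin_domains / sizeof sys_admin_domains[0]; i++)
        if (sys_admin_domains[i] == ssid)
            return true;
    return false;
}

/* shmat without SHM_RDONLY is checked as read AND write; with it, read only. */
unsigned shmat_requested_perms(int shmflg) {
    return (shmflg & SHM_RDONLY) ? PERM_READ : (PERM_READ | PERM_WRITE);
}

/* Standard Linux owner check for IPC_RMID/IPC_SET.
 * Returns 0 if passed by ownership, 1 if passed only via CAP_SYS_ADMIN, -EPERM otherwise. */
static int owner_check(const struct task *t, const struct ipc_object *o) {
    if (t->euid == o->uid || t->euid == o->cuid)
        return 0;
    if (t->cap_sys_admin)
        return 1;
    return -EPERM;
}

/* Combined decision: CAP_SYS_ADMIN can satisfy the owner check but never the
 * Flask check, and using the capability is itself subject to a Flask check. */
int ipc_ctl_permission(const struct task *t, const struct ipc_object *o, int cmd) {
    unsigned need;
    switch (cmd) {
    case IPC_RMID: need = PERM_DESTROY; break;
    case IPC_SET:  need = PERM_SETATTR; break;
    default:       return -EINVAL;
    }
    int via = owner_check(t, o);
    if (via < 0)
        return via;
    if (via == 1 && !flask_may_use_sys_admin(t->sid))
        return -EPERM;                      /* capability use denied by policy */
    if ((flask_allowed(t->sid, o->sid) & need) != need)
        return -EACCES;                     /* owner check passed, Flask check failed */
    return 0;
}

int main(void) {
    struct ipc_object q = { 1000, 1000, 200 };          /* constructed queue owned by uid 1000 */
    struct task root_reader = { 0, true, 101 };         /* root with CAP_SYS_ADMIN in reader domain */
    printf("root in reader domain, IPC_RMID: %d\n", ipc_ctl_permission(&root_reader, &q, IPC_RMID));
    printf("shmat(0) perms: 0x%x\n", shmat_requested_perms(0));
    return 0;
}
```

The key case is the root task in the reader domain: the owner check is passed through CAP_SYS_ADMIN, but the decision still ends in denial because the Flask policy governs both the capability use and the object access.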

The case statement conditions in the sys_semctl function were slightly reordered to collect the read-based access checks and the getattr access checks that were both covered by the standard Linux read permission bit. A seemingly redundant check was found for the "ID Removed" (EIDRM) condition between switch statements in that function; it was already covered by the check at the beginning of sys_semctl. The first case in the switch following the EIDRM check is a permission check for GETALL that also appears redundant with the check previously performed in the cases above. No control point was added for the second permission check, as the previous permission check should still be valid (there are no process sleeps in the GETALL code path between these points). No other changes were made to improve the flow of the case statements, as this was seen as counter-productive given the reorganization in later kernel versions.

The sem_exit function checks, when freeing undo structures, that the semaphore values do not become negative. A printk was added after that check to detect failure of that assumption. Since the printk should never be executed unless there is a kernel bug, there should be no impact from this change.
