next up previous contents
Next: To Do Up: System Call Review Previous: Kernel Modules   Contents

System Operations

This subsection describes the results of the system call review for calls related to the overall system.

The stime and settimeofday system calls set the system time and date. Both are implemented in kernel/time.c. Linux requires CAP_SYS_TIME for both, so a process must have the Flask cap_sys_time permission to use either; no further controls seem necessary. The adjtimex call reads or modifies the kernel clock adjustment parameters and is also implemented in kernel/time.c. Reading the parameters is unprivileged; Linux requires CAP_SYS_TIME only when the call modifies them, so Flask requires cap_sys_time in that case. No further controls seem necessary.

The sethostname and setdomainname calls set the host name and the NIS domain name of the system. Linux requires CAP_SYS_ADMIN for either call, so Flask requires the cap_sys_admin permission. No other controls seem necessary.

The acct call enables or disables process accounting. It is implemented in kernel/acct.c. Linux requires the calling process to have CAP_SYS_PACCT. If the call is used to enable accounting by naming an accounting file, the kernel opens that file for append, so the calling process must also be able to open it with append access. The Flask cap_sys_pacct permission is checked whenever the call is used, and the Flask file mandatory access controls are applied to the open when an accounting file is specified. Note that the file check happens only when the file is set; the kernel keeps writing records to it afterwards on behalf of every exiting process. It might be useful to add a new permission controlling which files may be used for accounting.

The reboot call reboots or halts the system, or enables or disables handling of the Ctrl-Alt-Del reboot keystroke. The call is implemented in kernel/sys.c. Linux requires that the calling process have CAP_SYS_BOOT, so Flask requires that the calling process have cap_sys_boot permission. No other controls seem necessary.

The ioperm call sets the I/O port access permission bits of the calling process for a given starting port and number of ports. Only ports 0 through 0x3ff can be controlled this way; ports beyond that range require iopl. The call is implemented in arch/i386/kernel/ioport.c. If access is being turned on (the turn_on argument is non-zero), Linux requires that the calling process have CAP_SYS_RAWIO, so Flask requires the corresponding cap_sys_rawio permission; turning access off requires no privilege. Port access permissions are not inherited on fork but they are inherited across execve, so a privileged process can hand port access to an unprivileged program that it executes. New Flask controls should be defined to control inheritance of port access permissions. It may also be desirable to support individual labeling of different I/O ports and to add a permission controlling access to particular ports.

The iopl call changes the I/O privilege level of the calling process. It is needed for access to ports beyond 0x3ff, which ioperm cannot cover; for example, it is used by 8514-compatible X servers to run under Linux. The call is implemented in arch/i386/kernel/ioport.c. If the privilege level is being raised, Linux requires that the calling process have CAP_SYS_RAWIO, so Flask requires the corresponding cap_sys_rawio permission; lowering the level requires no privilege. Note that a level of 3 grants access to all 65536 ports and also lets the process disable interrupts, so it is a strictly broader privilege than any ioperm grant. The privilege level is inherited on fork and across execve. New Flask controls should be defined to control inheritance of I/O privilege levels. It may also be desirable to add separate permissions for the different levels.
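The range and privilege rules of the two preceding paragraphs are easy to get wrong from memory (which argument gates the capability check, where the 0x3ff boundary falls, and why iopl(3) supersedes the bitmap). The following is an added example and not code from the review or from the kernel: a user-space model of the sys_ioperm() and sys_iopl() checks in arch/i386/kernel/ioport.c, with the capability test reduced to a flag. The struct task, its field names and the flag are assumptions made for illustration; the range and privilege rules follow the text above.

```c
/* Added example, not code from the Flask review or from the Linux kernel:
 * a user-space model of the sys_ioperm() and sys_iopl() checks in
 * arch/i386/kernel/ioport.c, with the capability test reduced to a flag.
 * The struct task below, its field names and the flag are assumptions
 * for illustration; the range and privilege rules follow the review. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_BITMAP_BITS  1024            /* ports 0..0x3ff are bitmap-controlled */
#define IO_BITMAP_WORDS (IO_BITMAP_BITS / 32)

struct task {
    uint32_t io_bitmap[IO_BITMAP_WORDS]; /* TSS convention: a set bit DENIES the port */
    unsigned iopl;                       /* I/O privilege level, 0..3 */
    int cap_sys_rawio;                   /* stands in for capable(CAP_SYS_RAWIO) / Flask cap_sys_rawio */
};

void task_init(struct task *t, int cap_sys_rawio)
{
    memset(t->io_bitmap, 0xff, sizeof t->io_bitmap); /* no port permitted to start */
    t->iopl = 0;
    t->cap_sys_rawio = cap_sys_rawio;
}

/* Model of sys_ioperm(from, num, turn_on); returns 0 or -errno. */
int model_ioperm(struct task *t, unsigned long from, unsigned long num, int turn_on)
{
    /* Range check first: the bitmap only covers ports 0..0x3ff. */
    if (from + num <= from || from + num > IO_BITMAP_BITS)
        return -EINVAL;
    /* CAP_SYS_RAWIO is needed only to grant access; revoking is always allowed. */
    if (turn_on && !t->cap_sys_rawio)
        return -EPERM;
    for (unsigned long p = from; p < from + num; p++) {
        uint32_t mask = 1u << (p % 32);
        if (turn_on)
            t->io_bitmap[p / 32] &= ~mask; /* clear bit: permit */
        else
            t->io_bitmap[p / 32] |= mask;  /* set bit: deny */
    }
    return 0;
}

/* Model of sys_iopl(level); returns 0 or -errno. */
int model_iopl(struct task *t, unsigned level)
{
    if (level > 3)
        return -EINVAL;
    /* Only raising the level needs CAP_SYS_RAWIO; lowering it is free. */
    if (level > t->iopl && !t->cap_sys_rawio)
        return -EPERM;
    t->iopl = level;
    return 0;
}

/* Would an IN/OUT on this port from user mode (CPL 3) be permitted?
 * The CPU allows it outright when IOPL == CPL, otherwise it consults the bitmap. */
int port_permitted(const struct task *t, unsigned port)
{
    if (t->iopl == 3)
        return 1;
    if (port >= IO_BITMAP_BITS)
        return 0;  /* beyond the bitmap only iopl(3) can grant access */
    return (t->io_bitmap[port / 32] & (1u << (port % 32))) == 0;
}

int main(void)
{
    struct task t;
    task_init(&t, 0);
    printf("unprivileged ioperm(0x3f8, 8, 1) -> %d (expect -EPERM)\n",
           model_ioperm(&t, 0x3f8, 8, 1));
    task_init(&t, 1);
    printf("privileged   ioperm(0x3f8, 8, 1) -> %d, port 0x3f8 permitted: %d\n",
           model_ioperm(&t, 0x3f8, 8, 1), port_permitted(&t, 0x3f8));
    printf("privileged   ioperm(0x400, 1, 1) -> %d (expect -EINVAL)\n",
           model_ioperm(&t, 0x400, 1, 1));
    printf("privileged   iopl(3) -> %d, port 0x400 permitted: %d\n",
           model_iopl(&t, 3), port_permitted(&t, 0x400));
    return 0;
}
```

The asymmetry is the point worth noticing: neither call asks for CAP_SYS_RAWIO when it reduces privilege, so a process that inherited port access can always drop it, and a Flask hook that gates only the grant path matches the kernel's own behaviour.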

The syslog call reads or clears the kernel message ring buffer and sets the console log level. Linux requires CAP_SYS_ADMIN for every syslog operation except the one that reads the last 4k of messages from the ring buffer without clearing it; hence Flask requires cap_sys_admin permission for all of the other operations. Separate Flask permissions should be defined for the different kinds of syslog operations, e.g. separate permissions for reading and clearing the ring buffer versus changing the console log level, so that a log-collecting process need not also be able to silence the console. Additionally, since kernel messages may disclose information about hardware, drivers and other processes, it seems desirable to control the ability of processes to read the last 4k of messages, so a Flask permission should be added to control this operation.
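To make the proposed split concrete, the following is an added example, not code from the review or from the kernel: a user-space model of the Linux 2.4 do_syslog() privilege check in kernel/printk.c placed beside one possible finer-grained Flask decision. The three permission names (syslog_read, syslog_mod, syslog_console), their grouping of the syslog types and the access-vector encoding are assumptions for illustration; the type numbers are those of the 2.4 kernel.

```c
/* Added example, not code from the Flask review or from the Linux kernel:
 * a user-space model of the Linux 2.4 do_syslog() privilege check
 * (kernel/printk.c) beside the finer-grained split the review proposes.
 * The three Flask permission names, their grouping of the syslog types and
 * the access-vector encoding are assumptions made for illustration. */
#include <errno.h>
#include <stdio.h>

/* syslog(2) command types as numbered in Linux 2.4 kernel/printk.c */
enum syslog_type {
    SYSLOG_CLOSE = 0, SYSLOG_OPEN = 1, SYSLOG_READ = 2, SYSLOG_READ_ALL = 3,
    SYSLOG_READ_CLEAR = 4, SYSLOG_CLEAR = 5, SYSLOG_CONSOLE_OFF = 6,
    SYSLOG_CONSOLE_ON = 7, SYSLOG_CONSOLE_LEVEL = 8
};

/* Linux rule as reviewed: every type except 3 requires CAP_SYS_ADMIN,
 * and type 3 (read the last 4k without clearing) is open to any process. */
int linux_syslog_check(int type, int has_cap_sys_admin)
{
    if (type < SYSLOG_CLOSE || type > SYSLOG_CONSOLE_LEVEL)
        return -EINVAL;
    if (type != SYSLOG_READ_ALL && !has_cap_sys_admin)
        return -EPERM;
    return 0;
}

/* Hypothetical Flask access vector bits for the system object. */
#define SYSLOG_READ_PERM    0x1  /* type 3: read last 4k, buffer untouched */
#define SYSLOG_MOD_PERM     0x2  /* types 0,1,2,4,5: open/read/clear the ring buffer */
#define SYSLOG_CONSOLE_PERM 0x4  /* types 6,7,8: console on/off and log level */

/* Map a syslog type to the single permission it needs under the proposed split. */
unsigned syslog_required_perm(int type)
{
    switch (type) {
    case SYSLOG_READ_ALL:
        return SYSLOG_READ_PERM;
    case SYSLOG_CONSOLE_OFF:
    case SYSLOG_CONSOLE_ON:
    case SYSLOG_CONSOLE_LEVEL:
        return SYSLOG_CONSOLE_PERM;
    case SYSLOG_CLOSE:
    case SYSLOG_OPEN:
    case SYSLOG_READ:
    case SYSLOG_READ_CLEAR:
    case SYSLOG_CLEAR:
        return SYSLOG_MOD_PERM;
    default:
        return 0; /* unknown type: no permission can authorise it */
    }
}

/* Proposed Flask rule: allowed iff the caller's access vector carries the bit. */
int flask_syslog_check(int type, unsigned av)
{
    unsigned need = syslog_required_perm(type);
    if (need == 0)
        return -EINVAL;
    return (av & need) ? 0 : -EPERM;
}

int main(void)
{
    /* A log collector that may read but not clear or touch the console. */
    unsigned collector_av = SYSLOG_READ_PERM;
    /* A console manager that may adjust the console but not clear history. */
    unsigned console_av = SYSLOG_CONSOLE_PERM;

    printf("collector: type 3 -> %d, type 5 -> %d, type 8 -> %d\n",
           flask_syslog_check(SYSLOG_READ_ALL, collector_av),
           flask_syslog_check(SYSLOG_CLEAR, collector_av),
           flask_syslog_check(SYSLOG_CONSOLE_LEVEL, collector_av));
    printf("console:   type 3 -> %d, type 5 -> %d, type 8 -> %d\n",
           flask_syslog_check(SYSLOG_READ_ALL, console_av),
           flask_syslog_check(SYSLOG_CLEAR, console_av),
           flask_syslog_check(SYSLOG_CONSOLE_LEVEL, console_av));
    printf("linux, no CAP_SYS_ADMIN: type 3 -> %d, type 8 -> %d\n",
           linux_syslog_check(SYSLOG_READ_ALL, 0),
           linux_syslog_check(SYSLOG_CONSOLE_LEVEL, 0));
    return 0;
}
```

Under the Linux rule the console manager above would need CAP_SYS_ADMIN, and with it could also clear the ring buffer; under the split it cannot, and type 3 stops being free for every process.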

The sysinfo call returns overall system statistics such as the load average, available memory, and the number of current processes. Linux imposes no control on the use of this call. A Flask permission should be defined to control it.
