Date: Sat, 8 Nov 2003 11:54:26 -0800 (PST) From: Ken Smith <kensmith@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 41752 for review Message-ID: <200311081954.hA8JsQo5097199@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=41752 Change 41752 by kensmith@kensmith_oliver.cse.buffalo.edu on 2003/11/08 11:53:51 Working with rwatson to finish this document. - Cleaned up minor nits in existing "finished" content. - Added a few extra notes. Affected files ... .. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/arch-handbook/secarch/chapter.sgml#6 edit Differences ... ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/arch-handbook/secarch/chapter.sgml#6 (text+ko) ==== @@ -185,7 +185,7 @@ execution in isolated address spaces. Processes each carry a process credential, managed by the kernel, describing user and group information for the process, which will - be used to authorized access to other kernel objects. + be used to authorize access to other kernel objects. Based on the credential and various object properties, several mandatory and discretionary protection models control the interactions between processes, and access by the processes to @@ -381,7 +381,7 @@ arithmetic traps in the instruction stream, exceptional memory accesses such as page faults, or system calls via call gates. Kernel code interacting with user processes is written carefully - so as to provide only support only the desired interactions + so as to provide only support for the desired interactions between the kernel and user processes.</para> <para>Within the kernel, direct manipulation of user memory contents @@ -429,7 +429,7 @@ platform, opening the <filename>/dev/io</filename> device enables direct I/O access. Other platforms provide similar functionality. - Many platforms also offer hardware-specific via the + Many platforms also offer hardware-specific access via the &man.sysarch.2; system call; some of the functions provided by the system call are process-local, but others may provide privileged services. 
@@ -502,7 +502,7 @@ limits inappropriate interference between processes, preventing accidental or intentional leakage of data, damage to data or operational integrity, and leakage of system privilege. - System debugging interfaces break down these barries, and must + System debugging interfaces break down these barriers, and must be carefully controlled.</para> <sect2 id="secarch-process-credentials"> @@ -554,7 +554,7 @@ kernel data structures, generally at the point at which initial access to the object occurs. This caching permits "time of open" UNIX security semantics to - be implemented for a several objects, including file descriptors + be implemented for several objects, including file descriptors and mountpoints. These credential references are then used to authorize asynchronous write-behind, such as found in NFS.</para> @@ -580,10 +580,10 @@ When a process receives upgraded privileges, such as on execution of a setuid binary, the system must revoke access to debug the process by other processes that may already have had - debugging sessions opon.</para> + debugging sessions open.</para> <para>These protections are introduced in three ways: first, - disallowing of operations that may upgrade of process credentials + disallowing of operations that may cause upgrade of process credentials if access to the process cannot be revoked. Second, storage of a "credential change flag", named P_SUGID for historical reasons, which will be used to modify the @@ -599,7 +599,7 @@ However, under some circumstances, additional process information may also be used in the decision to exempt closely related processes from certain protections--for example, participation in - the same sesion is sufficient to authorize delivery of the + the same session is sufficient to authorize delivery of the "continue" signal between processes, regardless of credentials. </para> </sect2> 
@@ -617,7 +617,7 @@ Because of this concentration of privilege, required to perform a number of system activities, system services running with root privilege are popular targets for attack, - as gain access to uid 0 grants access to most other + as gaining access to uid 0 grants access to most other privileges in the system.</para> <para>FreeBSD ships with the securelevel protection mechanism, @@ -637,7 +637,7 @@ combination with the jail() security extension, described later in this chapter.</para> - <para>The TrustedBSD MAC Framework is also capability of + <para>The TrustedBSD MAC Framework is also capable of limiting certain root privileges, such as the cability to read files based on system labels. The MAC Framework and policies are described later in this @@ -653,7 +653,7 @@ consistent and appropriate use. As UNIX-derived systems are frequently deployed in environments in which users or processes contend for resources, a variety of - approaches are taken to preventing inappropriate exclusion of + approaches are taken to prevent inappropriate exclusion of other users or processes. This includes scheduler behavior to provide for "fair" distribution of CPU resources between independent processes 
@@ -866,12 +866,12 @@ <para>Object sessions are initially referred to by one file descriptor, but references may be duplicated to additional file - descriptors, as well as inheritted across fork() operations, and + descriptors, as well as inherited across fork() operations, and passed to other processes using UNIX Domain Socket ancillary right transfer. In FreeBSD 5.1, objects referenced by file descriptors are: IPC pipes, IPC sockets, vnodes (files, directories, device nodes, - POSIX fifos, etc), kqueues (kernel event notification queues). + POSIX fifos, etc), and kqueues (kernel event notification queues). References to object sessions remain until the the descriptor is explicitly closed via the close() or rfork() system calls, or implicitly closed on process exec() or exit(). @@ -880,7 +880,7 @@ modified, as may the underlying objects. File descriptor properties, such as offset and active access flags, may be explicitly modified using system calls such as - seek() or fcntl(), or implicitly as a result of operations making + lseek() or fcntl(), or implicitly as a result of operations making use of the file descriptor, such as read() or write().</para> <para>In most cases, accesses made using a file descriptor are 
@@ -934,10 +934,22 @@ caution must be applied when relying on namespace-based protections to limit access to an object.</para> + <para>There is another way to protect an object used by some + programs. If an object is completely removed from the + namespace but there is one or more process on the + system that has the object open it will not be removed from + the underlying file system until all references to the object + are closed. The process(es) that have the object open can still + access it but no other process can gain access to it through + the file system namespace. The object could be accessed using + fhopen() (which is restricted to the superuser) or by passing + its descriptor to another process through a UNIX domain socket + but is otherwise inaccessible.</para> + <para>Modifications to the namespace may be performed by adding or removing file system mounts, attaching, overlaying, or detaching parts of the namespace, or by modifying elements - in the namespace by perform operations on objects in the + in the namespace by performing operations on objects in the namespace. Mount and unmount operations require privilege in FreeBSD by default; however, the system policy may be configured to @@ -972,7 +984,7 @@ <para>The FreeBSD VFS defines several classes of objects, and operations that apply to one or more of those objects. The following operations may be supported on a virtual file - node:</para> + node (vnode):</para> <variablelist> <varlistentry> @@ -1339,6 +1351,13 @@ </listitem> </varlistentry> </variablelist> + <para>Note that there is one more file node type called VBLK + which is a Block Device. FreeBSD no longer uses Block Devices + for anything, and attempting to open a Block Device will result + in an error. But for compatibility with other UNIX's, + particularly in an NFS environment where file systems are + shared, Block Devices can be created and their existence is + "tolerated".</para> </sect3> <sect3 id="secarch-fsobjectprotections"> 
@@ -1592,7 +1611,7 @@ </sect3> </sect2> - <sect2 id="secarch-fs-quotes"> + <sect2 id="secarch-fs-quotas"> <title>File System Quotas</title> <para>UFS file system quotas permit administrators to place softhome | help
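Review bot: the replacement line in the @@ -381 hunk, `so as to provide only support for the desired interactions`, is still awkward; `so as to support only the desired interactions` says the same thing more directly.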
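Review bot: the second change in the @@ -580 hunk, `disallowing of operations that may cause upgrade of process credentials`, still carries the clumsy nominalisation; `disallowing operations that may upgrade process credentials` is the cleaner fix.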
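Review bot: the @@ -637 hunk fixes `capability of` but leaves a typo in the very next context line, `such as the cability to read files based on system labels`; since this change already touches that sentence, correct `cability` to `capability` here too.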
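Review bot: the @@ -866 hunk leaves a doubled word in its unchanged context, `References to object sessions remain until the the descriptor is explicitly closed`; drop one `the` while this paragraph is being edited.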
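Review bot: in the new paragraph in the @@ -934 hunk, `there is one or more process on the system that has the object open` should read `there are one or more processes on the system that have the object open`. The paragraph also lists only fhopen() and descriptor passing over a UNIX domain socket as ways to reach an unlinked-but-open object, but the earlier paragraph (the @@ -866 hunk) states that descriptors are also inherited across fork(); that inheritance path is worth naming here, since the technique is being presented as a protection and a child process holding the inherited descriptor retains access.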
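Review bot: in the new VBLK paragraph in the @@ -1339 hunk, `other UNIX's` should be `other UNIX systems`, and the capitalised `Block Device(s)` is inconsistent with the lower-case `device nodes` used in the rest of the chapter.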
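Review bot: renaming the sect2 id from `secarch-fs-quotes` to `secarch-fs-quotas` in the @@ -1592 hunk will break any `<link linkend="secarch-fs-quotes">` or `<xref linkend="...">` elsewhere in the book that still uses the old id; grep the doc tree for the old id before committing, as a dangling linkend fails the SGML build.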