Exec and Setuid
The LinSec implementation, as outlined in this Chapter, depends heavily on
two kernel mechanisms to trigger LinSec-specific recomputation of a process's
privileges. As these mechanisms play a central role in LinSec and are
referred to throughout the Chapter, it is worth summarizing the actions they
trigger. The mechanisms, their role within LinSec, and the LinSec actions
they trigger are:
- Executing a binary (do_execve function, fs/exec.c) - a trigger for
  recomputing the process's privileges to reflect the privileges of the
  newly executed binary (linsec_do_exec, kernel/linsec_exec.c). LinSec
  actions performed on the event:
  - recompute the process's capabilities, linsec_compute_creds function
    (kernel/linsec_exec.c),
  - allocate a new linsec_task structure for the process,
  - read SAC settings from the file's extended attributes into the
    linsec_task, linsec_read_file_sac (kernel/linsec_attr.c),
  - read IPL settings from the file's extended attributes into the
    linsec_task, linsec_read_file_ipl (kernel/linsec_attr.c),
  - if the suid flag is not set in the old linsec_task, perform AD
    inheritance, do_ad_inh (kernel/linsec_exec.c),
  - read AD settings from the file's extended attributes into the
    linsec_task, linsec_read_file_adgrps (kernel/linsec_attr.c) and
    expand_ad_gid (kernel/linsec_exec.c),
  - clean up the old linsec_task, linsec_cleanup_task
    (kernel/linsec_misc.c),
  - replace the old linsec_task with the new one.
- Changing ownership of a process (sys_setXuid family of functions,
  kernel/sys.c) - a trigger for recomputing the process's privileges to
  reflect the privileges of the new owner (linsec_do_suid,
  kernel/linsec_suid.c). LinSec actions performed:
  - set the suid flag in current's linsec_task to denote that a process
    ownership switch took place,
  - recompute the process's capabilities according to the new user's
    capability settings and the capability settings of the binary whose
    image the process is running.
The reference from the linsec_task structure, describing the process changing
its owner, to the linsec_usr structure, containing LinSec-specific
information about the new owner, is updated prior to execution of the
above algorithm. As linsec_usr is referenced indirectly via
struct user_struct (Section 5.5), the update of
struct user_struct (function set_user, kernel/sys.c) is at the same time
the update of the linsec_usr. However, if
struct user_struct for the particular user does not
exist in kernel buffers at the time (i.e. no processes in the system are currently
owned by the user), a new one is created by the set_user function and the
appropriate linsec_usr is requested from LinSec via the
linsec_get_user function. If no linsec_usr for the user
exists in LinSec kernel buffers, a new one is created, initialized to
default and stored in the buffers for future reference.
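
How the suid flag set on an ownership change gates AD inheritance at the next exec, as an added userspace model (not LinSec kernel code). The names model_task, model_setuid, model_exec and model_run are hypothetical, and the model assumes that AD groups are a bitmask, that inheritance copies the old mask, and that a newly allocated task starts with the flag clear.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not LinSec code. Assumptions: AD groups are a bitmask,
 * inheritance copies the old mask, a new task starts with suid clear. */
struct model_task {
    int suid;          /* ownership switch took place since last exec */
    uint32_t ad_mask;  /* AD groups held by the process */
};

/* Ownership change: only marks the task; AD data is left untouched. */
static void model_setuid(struct model_task *t) { t->suid = 1; }

/* Exec, in the order the list gives: allocate the new task, inherit AD
 * only when the old suid flag is clear, add the binary's AD groups,
 * clean up the old task, return the replacement. NULL on allocation
 * failure, in which case the old task is left in place. */
static struct model_task *model_exec(struct model_task *old, uint32_t file_ad)
{
    struct model_task *nt = calloc(1, sizeof(*nt));
    if (nt == NULL)
        return NULL;
    if (!old->suid)
        nt->ad_mask = old->ad_mask;
    nt->ad_mask |= file_ad;
    free(old);
    return nt;
}

/* Runs one scenario; returns the AD mask after exec, or UINT32_MAX on error. */
uint32_t model_run(int switch_owner, uint32_t parent_ad, uint32_t file_ad)
{
    struct model_task *t = calloc(1, sizeof(*t));
    if (t == NULL) return UINT32_MAX;
    t->ad_mask = parent_ad;
    if (switch_owner) model_setuid(t);
    struct model_task *nt = model_exec(t, file_ad);
    if (nt == NULL) { free(t); return UINT32_MAX; }
    uint32_t mask = nt->ad_mask;
    free(nt);
    return mask;
}

int main(void)
{
    printf("exec only:        0x%x\n", (unsigned)model_run(0, 0x3, 0x4));
    printf("setuid then exec: 0x%x\n", (unsigned)model_run(1, 0x3, 0x4));
    return 0;
}
```

In the model, a process that execs without an ownership switch ends up with the old AD groups plus the binary's, while one that changed owner first keeps only the binary's.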