Process Access Domains

Next: Access Domain Inheritance Up: LinSec Filesystem Access Domains Previous: User Access Domains Contents

Process Access Domains

Since processes are the only active entities in an operating systems, AD associated with each of them needs to reflect permissions (ADs in this context) of:

executable file (Subsection 4.3.5) whose image a process is running, and
user on whose behalf it is running.

Therefore, each process' AD is split into:

User AD (as specified in Subsection 4.3.6), and
Executable File related AD.

The latter consisting of:

Non-Inheritable Read Only AD,
Non-Inheritable Read Write AD,
Inheritable Read Only AD, and
Inheritable Read Write AD

obtained when executable file ADs (Subsection 4.3.5) are split by the value of the non-inheritable flag of every AD Element contained. Elements of the Non-Inheritable AD do not take part in the AD Inheritance Algorithm (Subsection 4.3.8).

The reason for keeping User ADs and Executable File ADs separately within a process is put forward in Subsection 4.3.8.

The structure of a Process AD is illustrated in Figure 4.3.7.

**Figure 4.3:** Process' AD structure
$\begin{figure}\epsfig{figure=images/proc_ad.eps} \end{figure}$

Next: Access Domain Inheritance Up: LinSec Filesystem Access Domains Previous: User Access Domains Contents