Access Domain Inheritance

Next: File System Access Domain Up: LinSec Filesystem Access Domains Previous: Process Access Domains Contents

Access Domain Inheritance

There are two events in the lifetime of a process when its AD needs to be altered:

When a process executes another binary, or
When ownership of a process changes.

When an executable is invoked by a process, the process' AD needs to be modified to account for the AD of the newly executed file. The algorithm adopted for process AD recomputation, on the former event, is:

$inh\_rw\_acd^\star = inh\_rw\_acd + executable$ $\rightarrow$ inh_rw_acd
$ninh\_rw\_acd^\star = executable$ $\rightarrow$ ninh_rw_acd
$inh\_ro\_acd^\star = inh\_ro\_acd + executable$ $\rightarrow$ inh_ro_acd
$ninh\_ro\_acd^\star = executable$ $\rightarrow$ ninh_ro_acd

Where:

$inh\_rw\_acd^\star, ninh\_rw\_acd^\star, inh\_ro\_acd^\star, ninh\_ro\_acd^\star$ are inheritable and non-inheritable read-write and read only ADs obtained after the execution of the algorithm respectively.
executable $\rightarrow$ inh_rw_acd, executable $\rightarrow$ ninh_rw_acd, executable $\rightarrow$ inh_ro_acd, executable $\rightarrow$ inh_rw_acd are read-write and read only ADs associated with the executable file split into inheritable and non-inheritable portions by examining value of the inheritance flag of the constituent AD Elements respectively.
$inh\_ro\_acd$ , $inh\_rw\_acd$ are Inheritable Read Only and Read-Write ADs of the current process before the execution of the algorithm.

As can be seen from the algorithm, Non-Inheritable ADs of the process involved are not taken into account when computing new ADs -- they are just overwritten. This allows security policy administrator to decide on AD Elements associated with an executable that will be passed over to any other executable in the exec call chain (these AD Elements will not have their inheritance flag set to the Non-Inheritable value).

When ownership of a process changes the only thing that needs to be altered is User ADs associated with the process. This is simply accomplished by swapping User ADs of a user owning the process with User ADs of the new owner.

With reference to Subsection 4.3.7, if User ADs and Executable File ADs were not kept separately, in the context of a process, it would be extremely complicated to properly alter Process ADs on the change of ownership as it would be impossible to differentiate between AD Elements that originate from owner's ADs and the ones that were inherited from a, possibly very long, exec call chain. The chosen solution is a tradeoff between the complexity of the AD Inheritance algorithm and some overhead on performing access control checks. As is shown in Subsection 4.3.9, it is much more important to keep the inheritance algorithm simple.

Next: File System Access Domain Up: LinSec Filesystem Access Domains Previous: Process Access Domains Contents