File System Access Domain Access Control

LinSec groups all access types into two broad categories for the access control purposes:

• read access: read files, search directories, execute files, follow links etc., and
• write access: create, write, delete, move etc. files and directories.

In general, the AD access control algorithm works as follows: ADs of a process requesting access are checked for existence of the absolute path elements of the target file or directory in reverse order starting with the target file or directory. The algorithm has two possible outcomes:

• Refuse access: when none of the elements of the absolute path of the target file or directory exist in the process' ADs, including the file system root, or when an path element is found in the process' ADs but is marked as excluded from the AD.
• Grant access: if an absolute path element of the target file or directory was found in the process' ADs and the matching AD Element is not marked as excluded from the AD.

Granting access in context of LinSec File System Access Domains means that request is passed on to the lower level file system kernel code, as illustrated in the Figure 4.3.1.

In context of the example from Subsection 4.3.1: access to the file /etc/shadow would be refused for the process as there exists a match denoting exclusion for the requested path (/etc/shadow) in the process' ADs. Both read and write access to eg. /usr/doc/faq/Linux/intro.html would be granted as there exist a match, that is not exclusion, for /usr element of the target path. Finally, write access to eg. /etc/inetd.conf would be refused, even though there is a match for /etc that is not an exclusion, as the AD where the match is found is denoted as Read-Only.

If an access of category write is requested the requesting process' ADs are checked as explained above in the following order:

1. User's Read Write AD
2. Executable Files' Non-Inheritable Read Write AD
3. Executable Files' Inheritable Read Write AD

If an access of category read is requested the check proceeds as if the access request were of the write category. If no hits are encountered in the process, the algorithm proceeds to examine:

1. User's Read Only AD
2. Executable Files' Non-Inheritable Read Only AD
3. Executable Files' Inheritable Read Only AD

N.B. User's Default AD is considered as a part of the User's Read-Write AD.

The order in which different ADs are checked provides scope for optimization depending on the nature of overall system use. The above scenario assumes that most of the activity on the system is initiated by users and that is why User's ADs have precedence in the ordering. Simply, the probability of a hit in User's AD is high in the context. However, if, for example, a web server is considered, checking Executable Files' ADs first would yield better performance. Thus, the ordering in which the check proceeds should be configurable to ensure best performance.

The AD access control algorithm implements the first match policy. It is important to emphasize this point for the complete understanding of the resulting behavior. The behavior was illustrated in the previous example by the fact that on successful match of /etc/shadow against one of the process' AD entries the algorithm stopped further execution and access was refused immediately^4.8.

Footnotes

... immediately^4.8

The behavior of AD access control algorithm is equivalent to the behavior implemented by network firewall rule matching algorithms.