

LinSec Data Structures

The LinSec implementation defines many data structures. Most of them follow directly from Chapter 4 (e.g. Capability Group, AD Group, etc.), so they are not considered in detail here.

Two data structures, however, are worth mentioning explicitly, as they take a direct part in the enforcement of the LinSec mandatory security policy and will therefore be referred to frequently in this chapter. These structures and their main roles are:

Both structures are referenced from the Linux per-process structure struct task_struct, as illustrated in Figure 5.5 (cardinality is indicated on the arrows).

Figure 5.1: Linux - LinSec per process data struct relationships

The mapping of struct task_struct to linsec_task is many to one, as the reference to linsec_task is copied (shared) on process forking [5.1]. To be able to free the memory occupied by a linsec_task once it is no longer needed, the structure contains, among other elements, a reference count denoting the number of struct task_struct structures that reference it at any particular moment. The reference count is increased on a call to do_fork (kernel/fork.c). It is decreased on a call to release_task (kernel/exit.c), i.e. when a process dies, and on a call to do_execve (fs/exec.c), i.e. when the linsec_task for a process is replaced to reflect the privileges of the newly executed binary. Once the reference count reaches 0, the memory occupied by linsec_task is released by linsec_cleanup_task (kernel/linsec_misc.c).
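A userspace C model of this lifetime, added here as an illustration and not taken from the LinSec source. The struct task stand-in, the refcount field name, the lt_* and model_* helpers, and the allocation of a fresh linsec_task on execve are assumptions; the model is single-threaded and ignores locking.

```c
#include <stdlib.h>
/* Single-threaded model; names other than linsec_task are assumptions. */
static int live_linsec_tasks;              /* allocated, not yet released */
struct linsec_task { int refcount; };      /* privilege data omitted */
struct task { struct linsec_task *lt; };   /* stand-in for struct task_struct */

static struct linsec_task *lt_alloc(void) {
    struct linsec_task *lt = calloc(1, sizeof *lt);
    if (!lt) abort();
    lt->refcount = 1;
    live_linsec_tasks++;
    return lt;
}

/* Drop one reference; release at zero (the role of linsec_cleanup_task). */
static void lt_put(struct linsec_task *lt) {
    if (--lt->refcount == 0) { free(lt); live_linsec_tasks--; }
}

/* do_fork: the child copies the pointer, so the count goes up. */
static struct task model_fork(const struct task *parent) {
    struct task child = { parent->lt };
    child.lt->refcount++;
    return child;
}

/* do_execve: assumed to install a fresh linsec_task, then drop the old one. */
static void model_execve(struct task *t) {
    struct linsec_task *old = t->lt;
    t->lt = lt_alloc();
    lt_put(old);
}

/* release_task: the process died. */
static void model_exit(struct task *t) { lt_put(t->lt); t->lt = NULL; }

/* fork, execve in the child, then both exit; returns structures left live. */
int run_lifecycle(int seen[3]) {
    struct task parent = { lt_alloc() };
    struct task child = model_fork(&parent);
    seen[0] = parent.lt->refcount;   /* shared after fork */
    model_execve(&child);
    seen[1] = parent.lt->refcount;   /* child dropped its reference */
    seen[2] = live_linsec_tasks;     /* parent's plus child's new one */
    model_exit(&child);
    model_exit(&parent);
    return live_linsec_tasks;
}
int main(void) { int seen[3]; return run_lifecycle(seen); }
```

A nonzero return would indicate a leaked structure; a count that reached zero while a task still held the pointer would be the dangling-reference case.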

The linsec_usr structure is, as depicted in Figure 5.5, referenced from struct task_struct indirectly via the reference to struct user_struct. struct user_struct is used in Linux for user accounting and is shared [5.2] among the struct task_struct structures describing processes owned by the same user. Consequently, linsec_usr is shared in the same manner among struct task_struct structures. Unlike linsec_task, linsec_usr does not contain a reference count, as it is safe to release the memory it occupies once the referencing struct user_struct is dismissed.

When a process changes its ownership, e.g. by calling the sys_setuid function, the struct user_struct it references is replaced with the struct user_struct corresponding to the new owner (uid), which in turn references the linsec_usr for the new owner (uid).



Footnotes

[5.1] (forking) Creating new processes by calling the fork syscall.

[5.2] (shared) The first implementation of linsec_usr actually contained a reference count field, which was managed in the same way as for the linsec_task structure. This, however, did not completely reflect the shared nature of struct user_struct, as the reference count represented only the number of processes sharing linsec_usr that belong to the same process creation subtree. It is possible for independently created processes to be owned by the same user and therefore to share struct user_struct and the corresponding linsec_usr. This omission was noticed when the code for releasing the memory occupied by linsec_usr was implemented and tested. The kernel OOPS messages caused by LinSec code referencing linsec_usr through invalid pointers were extremely difficult to follow, and it was very hard to locate the problem.
