Manuel d'utilisation / d'entretien du produit 10 SP1 EAL4 du fabricant IBM
Aller à la page of 246
SUS E Li nu x Ent erp ris e Se rve r 10 S P1 EA L4 High - Le vel D esi gn Ver sio n 1.2. 1.
Version Author Date Comments 1.0 EJR 3/15/07 First draft based on RHEL5 HLD 1.1 EJR 4/19/07 Updates based on comments from Stephan Mueller and Klaus Weidner 1.2 GCW 4/26/07 Incorporated Stephan's comment to remove racoon 1.2.1 GCW 10/27/08 Added legal matter missing from fina l draft.
Ta ble o f Co nt en ts 1 Int rodu ction................................................................................................................................................. .. . 1 1 .1 Purpos e of t his do cument ..........................
4.1 .2.1 D AC.......................................................................................................................... ... .. ... .. 25 4.1 .2.2 A p pArmor ..............................................................................
5.1 .5 Dis cretion ary Acce ss Con trol (DA C)................................................................................... ... ... . 55 5 .1.5.1 P ermissio n bits .................................................................................
5 .3.3.2 C ommon fu nctions ................................................................................................... ... .. ... .. .. 76 5 .3.3.3 Me ssage queue s .............................................................................
5.5 .3 Ke rnel me mory manage ment ........................................................................... ... .. ... .. ... .. ... ... .. ..1 4 2 5 .5.3.1 Su pport for NUMA ser vers.................................................................
5.8.3 secu rityfs ....................................................................................................................... ... .. ... .. ... 174 5 .9 Dev ice driver s......................................................................
5 .11.3.1 age tty ........................................................................................................................... ... .. 203 5 .11.3.2 g p asswd ..............................................................................
5 .13.3.2 g roupmo d.......................................................................................................... ... .. ... .. ... .. 232 5 .13.3.3 g roupde l...............................................................................
6.1 Ide ntificat ion and authe ntication ................................................................................... .. ... .. ... .. ... .. ...2 51 6.1.1 User identification and authentication da ta management (IA.1)..... .... ..... .... ....
6.8 Secur ity en forcing interf aces bet ween su bsyste ms................................................................... .. ... .. ...25 5 6.8.1 Summary of kernel subsystem interfaces ... ..... ..... .... ..... .... ..... ..... .... ..... .... ..
1 Introduction This document describes the High Level Design ( HLD) for the SUSE® Linux® Enterprise Server 10 Service Pack 1 operating system. For ease of reading, this document uses the phrase SUSE Linux Enterprise Server and the abbreviation SLES as a synonym for S USE Linux Enterprise Server 10 SP1.
2 System Overview The Target of Evaluation (TOE) is SUS E Linux Ente rprise Server (SLES) running on an IBM eServer host computer. The SLES product is ava ilable on a wide range of hardware platforms. This evaluation covers the SLES product on the IBM eServer System x™, System p ™, and System z™, and eServer 326 (Opteron).
The TOE system provides user Identification a nd Authentication (I&A) mechanism by requiring each user to log in with proper password at the local workstation, a nd also at any remote computer where the user can enter commands to a shell program (for examp le, remote ssh sessions).
The Common Criteria for Information Technology Security Evaluation [CC] a nd the Common Methodology for Information Technology Security Evaluation [CEM] dema nd breaking the TOE into logical subsystems that can be either (a ) products, or (b) logical functions performed by the system.
The SLES kernel includes the base kernel and sepa rately-loadable kernel modules and device drivers. (Note that a device driver can a lso be a ker nel module.
2.2.2 eServer system structure The system is an eServer computer, which permits one user at a time to log in to the computer console. Several virtual consoles can be mapp ed to a single physical console. Different users can login through different virtual consoles simultaneously.
Network services, such as ssh or ftp , involve client-server architecture a nd a network service-layer protocol. The client-server model splits the softwa re that provides a service into a client portion that ma kes the request, and a server portion that ca rries out the reque st, usually on a different computer.
Objects are pa ssive re posi tories of data. The TOE defines three types of objects: named obj ects, storage objects, and public objects. Nam ed objects are resources, such as files and IPC objects, which can be manipulated by multiple users using a nami ng convention defined at the TSF interface.
The local TSF interfaces p rovided by an individual host computer include: • Files that are pa rt of the TSF database that define the configuration pa rameters used by the security functions. • System calls made by trusted a nd untrusted programs to the privileged kernel-mode software.
The SLES operating system is distributed a s a collection of packages. A package can include programs, configuration data, and documentation for the package. Analysis is performed at the file level, except where a particular package can be treated collectively.
11.
3 Hardware architecture The TOE includes the IBM System x, System p, System z, and eServer 326. This section describes the hardware architecture of these eServer sys tems. For more detailed information about Linux support and resources for the entire eServer line, refer to http: //www.
In this mode, applications may a ccess: • 64-bit flat linear addressing • 8 new general-purpose registers (GPRs) • 8 new registers for streaming Single Instruction/Multiple Data (SIMD) extension.
USB (except keyboard and mouse), PCMCIA, and IEEE 1394 (Firewire) devices are not supported in the evaluated configuration. 3.3 System z The IBM System z is designed a nd optimized for high-performance data and transaction serving requirements.
For more details about z/Architecture, refer to the z/Architecture document z/Architecture Princip les of Operation at http://publibz.boulder.ibm.c om/epubs/pdf/dz9zr002.pdf . USB (except keyboard and mouse), PCMCIA, and IEEE 1394 (Firewire) devices are not supported in the evaluated configuration.
processor extensions are activated, a llowing the processor to operate in one of two sub-modes of LMA. These are the 64-bit mode and the compa tibility mode.
17.
4 Software architecture This chapter summarizes the software structure a nd design of the SLES system and provides references to detailed design documentation. The following subsections describe the TOE S ecurity Functions (TSF) software and the TSF databases for the SLES system.
System x: The System x servers are pow ered by Intel processors. Intel processors provide four execution modes, identified with processor privilege levels 0 through 3. The highest privilege level execution mode corresponds to processor privilege level 0; the lowest privi lege level execution mode corresponds to processor privilege level 3.
• When the processor is in kernel mode, the program has ha rdware privilege because it can execute certain privileged instructions that a re not available in user mode. Thus, any code that runs in kernel mode executes with ha rdware privileges. Software that runs with hardware privileges includes: • The base SLES kernel.
4.1.2.1 DAC The DAC model allows the owner of the object to decide who can access that object, and in what manner. Like any other access control model, DAC implementation can be explained by which sub.
4.1.2.3 Program s with softwa re privilege Examples of programs running with software privi lege are: • Programs that are run by the system, such as the cron and init daemons. • Programs that are run by trusted a dministrators to perform system administration.
The concept of breaking the TOE product into logica l subsystems is described in the Common Criteria. These logical subsystems are the building blocks of the TOE, a nd are described in the Functional Descriptions chapter of this paper. They include logica l subsystems and trusted processes that implement security functions.
4.2.1.1 Logical components The kernel consists of logical subsystems that p rovide different functionalities. Even though the kernel is a single executable program, the various services i t provides can be broken into logical components. These components interact to p rovide specific functions.
• Audit subsystem: This subsystem implements functions related to recording of security-critical events on the system. Implemented functions include those that trap each system call to record security critical events and those that imp lement the collection and recording of audit data.
4.2 .1. 2.3 Ker nel m odul es a nd dev ice dri vers Kernel modules are pieces of code that can be loaded a nd unloaded into and out of the kernel upon demand.
• The crontab program is the program used to install, deinstall, or list the tables used to drive the cron daemon. Users can have their own crontab files that set up the time and frequency of execution, as well as the command or script to execute.
• The chfn command allows users to change their finger i nformation. The finger command displays that information, which is stored in the /etc/passwd file. • The date command is used to print or set the system da te and time. Only an administrative user is allowed to set the system date a nd time.
This section briefly describes the functiona l subsystems that implement the required security functionaliti es and the logical subsystems that a re part of each of the functional subsystems. The subsystems are structured into those imp lemented within the SLES kernel, and those implemented a s trusted processes.
• gpasswd • chage • useradd, usermod, userdel • groupadd, groupmode, groupdel • chsh • chfn • openssl 4.4.5 User-level audit subsyst em This subsystem contains the portion of the a udit system that lies outside the kernel.
31.
5 Functional descr iptions The kernel structure, its trusted software, and its Target of Evaluation (TOE) Security Functions (TSF) databases provide the foundation for the descriptions in this chapter. 5.1 File and I/O management The file and I/O subsystem is a management system for defining objects on secondary storage devices.
In order to shield user programs from the underlying details of different types of disk devices and disk-based file systems, the SLES kernel provides a softwa re layer that handles all system calls related to a standa rd UNIX file system.
The root directory is contained in the root file sys tem, which is ext3 in this TOE. All other file systems can be mounted on subdirectories of the root file system. The VFS allows programs to perform operations on files without having to know the implementation of the underlying disk-based file system.
inode : Stores general information a bout a specific file, such as file type and access rights, file owner, group owner, length in bytes, operations vector, time of last file access, time of last file w rite, and time of last inode change. An inode is associated to each file a nd is described in the kernel by a struct inode data structure.
Figure 5-5 VFS pathname translation a nd access control checks 36 Fig ure 5-5: VF S pa thn ame tra nsla tion and ac cess co ntro l che cks.
5.1.1. 2 open() The following describes the call sequence of a n open() call to create a file: 1. Call the open() system call with a relative pa thname and flags to create a file for read and write. 2. open () calls open_namei() , which ultimately derives the dentry for the directory in which the file is being created.
5.1.1.3 write() Another example of a file system operation is a write() system call to write to a file that wa s opened for writing. The write() system call in VFS is very straightforward, becaus e access checks have already been performed by open() .
• Unbindable Mount: This mount does not forward or receive propa gation. This mount type can not be bind-mounted, and it is not valid to m ove it under a shared mount. • Slave Mount: A slave mount remains tied to its parent mount and receives new mount or unmount events from there.
5.1.2 .1.1 .1 Acc ess Contr ol L ists ACLs provide a way of extending directory a nd file access restrictions beyond the traditional owner, group, and world permission settings. For more details about the ACL format, refer to Discretionary Access Control, Section 5.
• ext3_group_desc : Disk blocks are pa rtitioned into groups. Each group has its own group descriptor. ext3_group_desc stores information such as the block number of the inode bitma p, and the block number of the block bitmap.
42 Fig ure 5-8: N ew d ata bloc ks a re a lloc ated an d ini tial ized for an e xt3 field.
Figure 5-9 shows how for a file on the ext3 file system, inode_operations ma p to ext3_file_inode_operations . Similarly, for directory, sym link, and special-file types of objects, inode operations map to ext3_dir_inode_operations , ext3_symlink_inode_operations , and ext3_special_inode_operations , respectively.
from the superblock’s s_root field of the superblock, a nd then invokes isofs_find_entry() to retrieve the object from the CD-ROM. On a CD-ROM file system, inode_operations map to isofs_dir_inode_operations .
Since VM is volatile in na ture, tmpfs data is not preserved between reboots. Hence this file system is used to store short-lived temporary files. An a dministrator is allowed to specify the memory placement policies (the policy itself and the preferred nodes to be alloca ted) for this file system.
5.1.3.6 binfmt_m isc binfmt_misc provides the abi lity to register additional binary formats to the kernel without compiling an additional module or kernel. Therefore, binfmt_mi sc needs to know magic numbers at the beginning, or the filename extension of the bina ry.
chown() system call. The owner and the root user are allowed to define and change ac cess rights for an object. This following subsection looks at the kernel functions imp lementing the access checks.
• If the process is neither the owner nor a member of a n appropriate group, and the permission bits for world allow the type of access requested, then the subject is permitted access. • If none of the conditions above are satisfied, and the effective UID of the process is not zero, then the access attempt is denied.
5.1 .5. 2.3 AC L per mis si ons An ACL entry can define separa te permissions for read, write, and execute or search. 5.1 .5. 2.4 Rel ati ons hip to file per mi ssio n b its An ACL contains exactly one entry for each of the ACL_USER_OBJ , ACL_GROUP_OBJ , and ACL_OTHER types of tags, called the required ACL entries.
5.1 .5. 2.8 AC L enf orc eme nt The ext3_permission() function uses ACLs to enforce DAC. The algorithm goes through the following steps: 1. Performs checks such as “no write access if read-only file sys tem” and “no write access if the file is immutable.
file by adding ACLs with the setfacl command. For examp le, the following command allows a user named john read access to this file, even if john does not belong to the root group.
application, the I/O scheduler is considered a n important kernel component in the I/O path. SLES includes four I/O scheduler options to optimize system performa nce. 5.1.7.1 Deadline I/O scheduler The deadline I/O scheduler available in the Linux 2.6 kernel incorporates a per-request expiration-based approach, and operates on five I/O queues.
requests. This capability makes it behaves simi larly to the Anticipa tory I/O scheduler . I/O priorities are also considered for the processes, which are derived from their CPU p riority.
5.1.8.4 Tasklets Tasklets are dynamically linked and built on top of softirq mechanisms. Tasklets differ from softirqs in that a tasklet is always serialized with respect to itself. In other words, a tasklet cannot be executed by two CPUs at the same time.
5.2 Proces s control and mana gement A process is an instance of a program in execution. Process management consists of creating, manip ulating, and terminating a p rocess. Process management is handled by the process management subsystems of the kernel.
The SLES kernel maintains information about each process in a task_struct process type of descriptor. Each process descriptor contains information such as run-state of process, address space, list of .
Fig ure 5-1 2: T he t ask stru ctur e The kernel maintains a circular doubly-linked list of all existing process descriptors. The head of the list is the init_task descriptor referenced by the first element of the task array. The init_task descriptor belongs to process 0 or the swapper, the ancestor of all p rocesses.
5.2 .2. 2.4 set resu id() and se tres gid( ) These set the real user and group ID, the effective user a nd group ID, and the saved set-user and group ID of the current process.
5.2.5 Scheduling Scheduling is one of the features that is highly imp roved in the SLES 2.6 kernel over the 2.4 kernel. It uses a new scheduler algorithm, called the O (1) algorithm, that provides greatly increased scheduling scalability.
For more information about hyperthreading, refer to http://www.intel.com/technology/hyp erthread/ . 5.2.6 Kerne l preem pti on The kernel preemption feature has been imp lemented in the Linux 2.6 kernel. This should significantly lower latency times for user-interactive app lications, multimedia a pplications, and the like.
The following code snippet demonstrates the p er-CPU data structure problem, in an SMP system: int arr[NR_CPUS]; arr[smp_processor_id()] = i; /* kernel preemption could happen here */ j = arr[smp_proc.
5.3.1 Pipes Pipes allow the transfer of data in a FIFO manner. The pipe() sy stem call creates unnamed pipes. Unnamed pipes are only accessible to the creating process and its descendants through file descriptors. Once a pipe is created, a process ma y use the read() and write() VFS system calls to access it.
pipe_inode_info : Contains generic state informa tion about the pipe with fields such as base (which points to the kernel buffer), len (which represents the number of bytes written into the buffer and yet to be read), wait (which represents the wait queue), and start (which points to the read position in the kernel buffer).
The inode allocation routine of the disk-bas ed file system does the allocation and initializa tion of the inode object; thus, object reuse is handled by the disk-based fi le system. 5.3.2.2 FIFO open A call to the open() VFS system call performs the sam e operation as it does for device special files.
• ipc_id : The ipc_id data structure describes the security credentials of an IPC resource with the p field, which is a pointer to the credential structure of the resource. • kern_ipc_perm : The kern_ipc_perm data structure is a credential structure for an IPC resource with fields such as key, uid, gid, cuid, cgid, mode, seq, and security.
5.3 .3. 3.3 ms gg et() This function is invoked to create a new message queue, or to get a descriptor of an existing queue based on a key. The newly created credentials of the message queue a re initialized from the credentials of the creating process.
5.3 .3. 4.4 sem ctl( ) A function that is invoked to set a ttributes, query status, or delete a semaphore. A semaphore is not deleted until the process waiting for a semaphore has received it. DAC is performed by invoking the ipcperms() function. 5.3.
5.3.4 Signals Signals offer a means of delivering as ynchronous event s to processes. Processes can send signals to each other with the kill() system call, or the kernel can internally deliver the signals.
specifying the target a ddress of the ser ver. For an Internet domain socket, the address of the server is i ts IP address and its port number. Sockets are created using the socket() system call.
• The protocol-independent interface module p rovides an interface that is independent of hardware devices and network protocol. This is the interfac e module that is used by other kernel subsystems to access the network without having a dependency on particular p rotocols or hardware.
The transport layer consists of the TCP, UDP and simi lar protocols. The application layer consists of a ll the various application clients and servers, such as the Sa mba file and print server, the Apache web server, and others.
5.4.2 Transpo rt l ayer proto cols The transport layer protocols supported by the SLES kernel are TCP and UDP. 5.4.2.1 TCP TCP is a connection-oriented, end-to-end, reliable protocol designed to fit into a layered hierarchy of protocols that support multi-network app lications.
The following section introduces Internet Protocol Version 6 (IPv6). F or additional information about referenced socket options and advanced IPv6 applica tions, see RFC 3542. Internet Protocol Version 6 (IPv6) was designed to imp rove upon and succeed Internet Protocol Version 4 (IPv4).
5.4 .3. 2.3 Flo w L abel s The IPv6 header has a field to in which to enter a flow label. This p rovides the ability to identify packets for a connection or a traffic stream for sp ecial processing. 5.4 .3. 2.4 S ecuri ty The IPv6 specifications mandate IP security.
The phrase data integrity implies that the data received is as it wa s when sent. It has not been tampered, altered, or impa ired in any way. Data authentication ensures that the sender of the data is really who you believe it to be.
In tunnel mode, the entire IP datagram is encapsulated, protecting the entire IP datagram. An IP P acket with tunne l mo de AH 5.4 .3.4.1 .2 Enc apsu latin g Sec uri ty Pay load Prot oco l (E SP) The Encapsulating Security Payload (ESP) header is defined in RFC 2406.
An IP P acket with tunne l mo de ESP 5.4 .3.4.1 .3 Sec urit y As soc iation s RFC2401 defines a Security Association (S A) as a simplex or one-way connection that affords security services to the traffic it carries. S eparate SAs must exist for each direction.
5.4 .3.4.1 .8 Cry ptog raph ic sub sys tem IPSec uses the cryptographic subsystem described in thi s section. The cryptographic subsystem performs several cryptographic-related assignments, includi ng.
5.4 .4. 1.1 Ad dres s R esol utio n P rotoc ol ( AR P) Address Resolution Protocol (ARP) is a protocol for map ping an IP address to a physical machine address that is recognized in the local network. For examp le, in IP Version 4, the most common level of IP in use today, an address is 32 bits long.
The following subsections describe access control and object reuse handling associated with establishing a communications channel. 5.4.5.1 socket() socket() creates an endpoint of communica tion using the desired protocol type. Object reuse handling during socket creation is described in Section 5.
Similarly, for UNIX domain sockets, bind() invokes unix_bind() . unix_bind() creates a n entry in the regular ext3 file system spa ce. This process of creating an entry for a socket in the regular file system space has to undergo all file system access control restrictions.
5.4.5.6 Generic calls read(), write() and close() : read() , write() and close() are generic I/O system calls that operate on a file descriptor. Depending on the type of object, whether regular file, directory, or socket, appropriate object-specific functions are invoked.
• A system call interface is provided to p rovide restricted access to user processes. This interface allows user processes to allocate and free storage, a nd also to perform memory-mapped file I/O.
5.5.1 Four-Level Page Tables Before the current implementation of four-level page tables, the kernel implemented a three-level p age table structure for all architectures. The three-level pa ge table structure that previously existed was constituted, from top to bottom, for the pa ge global directory (PGD), page middle directory (PMD), a nd PTE.
The creation and insertion of a new level, the PUD level, immediately below the top-level PGD directory aims to maintain p ortability and transparency once all architectures have a n active PGD at the top of hierarchy and an active PTE at the bottom. The PMD and PUD levels are only used in architectures that need them.
The larger kernel virtual address space allows the system to manage more physical memory. Up to 64 GB of main memory is supported by S LES on x86-compatible systems. The larger user virtual address spac e allows applications to use approximately 30% more memory (3.
5.5 .2. 1.1 S egme ntati on The segmentation unit translates a logical address into a linear address. A logical a ddress consists of two parts: a 16 bit segment identifier ca lled the segment selector, and a 32-bit offset.
5.5 .2. 1.2 Pa gin g The paging unit translates linear a ddresses into physical addresses. It checks the requested access type a gainst the access rights of the linear address.
In extended paging, 32 bits of linear address are divided into two fields: • Directory: The most significant 10 bi ts represents directory. • Offset: The remaining 22 bits represents offset. Each entry of the page directory a nd of the page table is represented by the same data structure.
User-Supervisor flag: This flag contains the privilege level that is required for accessing the page or page table. The User-Supervisor flag is either 0, which indica tes that the page can be accessed only in kernel mode, or 1, which indicates that it ca n always be accessed.
For more information about call ga tes, refer to the http://www.csee.umbc.edu/~plusquel/310/slides/micro_arch4.html Web site. 5.5 .2.1.2 .3 Tran slati on lookas ide buffe rs The System x processor includes other caches, in a ddition to the hardware caches.
The PS flag in the page directory entry (PDE.PS) selects between 4 KB and 2 MB page sizes. 5.5.2.2 System p Linux on POWER5 System p systems runs only in Logical Partitioning (LPAR) mode. The System p offers the ability to pa rtition one system into several independent systems through LPAR.
Fig ure 5-3 4: L ogic al p artitio ns On System p systems without logical pa rtitions, the processor has two operating modes, user and supervisor. The user and supervisor modes are implemented using the PR bit of the Machine State Register (MSR). Logical partitions on System p systems necessitate a third mode of operation for the processor.
• 0 The processor is not in hypervisor state. • 1 If MSRPR= 0 the processor is in hypervisor state; otherwise, the processor is not in hypervisor state.
Just as certain memory a reas are protected from access in user mode, some memory areas, such as hardwa re page tables, are accessible only in hyp ervisor mode.
hardware address of the memory. This translation is done by the hypervisor, which keeps a logical pa rtition unaware of the existence of other logical partitions.
5.5 .2. 2.4 Vi rtua l m ode addre ss ing Operating systems use another type of a ddressing, virtual addressing, to give user applications an effective address space that exceeds the amount of physical m emory installed in the system.
5.5 .2. 2.7 Ru n-Tim e Ab stra cti on S ervic es System p hardware platforms provide a set of firmware Run-Time Abstraction Services (RTAS) ca lls. In LPAR, these calls perform additiona l validation checking and resource virtualization for the partitioned environment.
For further information about PowerPC 64 bit p rocessor, see PowerPC 64-bit Kernel Internals by David Engebretson, Mike Corrigan & Peter Bergner at http://lwn.net/2001/features/OLS/pdf/pdf/p pc64.pdf . You can find further in formation about System p ha rdware at http://www-1.
• To access a particular memory loca tion, the CPU transforms an effective address into a physical address using one of the following address translation mechanism s. • Real mode address translation, where a ddress translation is disabled. The physical address is the same as the effective a ddress.
• DR: Data Address Translation. The value of 0 disables transla tion, and the value of 1 enables translation. 5.5 .2. 3.2 P age desc ript or Pages are described by Page Table Entries (PTEs). The operating system generates and places PTEs in a page table in memory.
• Vs: Supervisor mode valid bit. Used with MSR[PR] to restrict translation for some block addresses. • Vp: User mode valid bit. Used with MSR[PR] to restrict translation for some block addresses.
Real Mode Address Translation: Real Mode Address Translation is not technically the translation of a ny addresses. Real Mode Address Translation signifies no tra nslation. That is, the physical address is the sam e as the effective address. The operating system us es this mode during initialization a nd some interrupt processing.
Page address translation begins with a check to s ee if the effective segment ID, corresponding to the effective address, exists in the Segment Lookaside Buffer (SLB). The SLB provides a mapping between Effective Segment Ids (ESIDs) and Virtual Segment Ids (VSIDs).
105 Fig ure 5-4 8: P age Ad dres s T rans latio n and acc ess con trol.
5.5.2.4 System z SLES on System z systems can run either in na tive mode or in LPAR. Additionally, it can run as z/VM guests, which is specific to this series.
Absolute address: An absolute address is the a ddress assigned to a main memory location. An absolute address is used for a memory access without any transformations performed on it. Effective address: An effective address is the a ddress that exists before any transformation takes p lace by dynamic address translation or p refixing.
5.5 .2.4.7 .1 Dyn amic addr ess tran slat ion Bit 5 of the current PSW indicates whether a virtual a ddress is to be translated using pa ging tables. If it is, bits 16 and 17 control which address space translation mode (p rimary, secondary, access-register, or home) is used for the translation.
Fig ure 5-5 1: A ddr ess tran sla tion mod es Each address-space translation mode tra nslates virtual addresses corresponding to that address spac e. For example, primary a ddress-space mode translates virtual addresses from the primary a ddress space, and home address space mode translates virtual addresses belonging to the home address space.
5.5 .2.4.7 .2 Pref ixing Prefixing provides the ability to a ssign a range of real addresses to a different block in absolute memory for each CPU, thus permitting more than one CPU sharing main memory to operate concurrently wi th a minimum of interference.
For a detailed description of prefixing a s well as implementation details, see z/Archi tectu re Prin ciple s of Oper ation at http://publibz.boulder.ibm.
5.5 .2.4.8 .2 Page table pro tect ion The page table protection m echanism is applied to virtual addresses during their translation to real addresses. The page table protection m echanism controls access to virtual storage by using the pa ge protection bit in each page-table entry and segment-ta ble entry.
113 Fig ure 5-5 4: 3 1-b it D ynam ic Add ress T ra nsla tion with pag e ta ble pr otec tion.
114 Fig ure 5-5 5: 6 4-b it D ynam ic Add ress T ra nsla tion with pag e ta ble pr otec tion.
5.5 .2.4.8 .3 Key -co ntro lled pro tect ion When an access attempt is ma de to an absolute address, which refers to a memory location, key-controlled protection is app lied. Each 4K page, real memory location, has a 7-bit storage key associa ted with it.
5.5.2.5 eServer 326 eServer 326 systems use AMD Opteron processors. The Opteron processors ca n either operate in legacy mode to support 32-bit operating systems, or in long m ode to support 64-bit operating systems.
The segment selector specifies an entry in either the global or local descriptor table. The sp ecified descriptor- table entry describes the segment loca tion in virtual-address space, its size, and other characteristics. The effective address is used as an offset into the segment sp ecified by the selector.
• Requestor Privilege Level (RPL):RPL represents the privilege level of the program that created the segment selector. The RPL is stored in the s egment selector used to reference the segment descriptor. • Descriptor Privilege Level (DPL):DPL is the privilege level that is associated with an individua l segment.
calls. If the code segment is non-conforming (with conforming bi t C set to zero in the segment descriptor), then the processor first checks to ensure that CPL is equal to DPL. If CPL is equal to DPL, then the processor performs the next check to see if the RPL va lue is less than or equal to the CPL.
The eServer 326 supports a four-level page table. The uppermost level is kept private to the architecture- specific code of SLES. The pa ge-t able setup supports up to 48 bits of address spac e. The x86-64 architecture supports page sizes of 4 KB and 2 MB.
When the page size is 2 MB, bits 0 to 20 represent the byte offs et into the physical page. That is, page table offset and byte offset of the 4 KB page trans lation are combined to provide a byte offset into the 2 MB physical page.
Each entry of the page map level-4 table, the page-directory pointer table, the pa ge-directory table, and the page table is represented by the sa me data structure. This data structure includes fields that interact in implementing a ccess control during paging.
• Read/Write flag: This flag contai ns access rights of the physical pages mapped by the table entry. The R/W flag is either read/write or read. If set to 0, the corresponding page can only be read; otherwise, the corresponding page can be written to or read.
5.5.3.1 Suppor t for NUMA servers NUMA is an architecture wherein the memory access time for different regions of memory from a given processor varies according to the nodal distance of the memory region from the processor. Each region of memory, to which access times are the sam e from any CPU, is called a node.
systems, this operation is unaccepta bly slow. With Rmap VM, additional memory mana gement structures have been created that enable a p hysical address to be back-translated to its associated virtual a ddress quickly and easily. For more information about Rmap VM, see http://lwn.
Huge TLB File system ( hugetlbfs ) is a p seudo file system, implemented in fs/hugetlbfs/inode.c . The basic idea behind the imp lementation is that large pa ges are being used to back up any file that exists in the file system.
5.5.3.4 Remap_file_pages Remap_file_pages is another memory management feature that is suitable f or large memory and database applications. It is p rimarily useful for x86 systems that use the shared memory file system ( shmemfs ).
5.5.3.6 Memor y area management Memory areas are sequences of memory cells ha ving contiguous physical addresses with an arbitrary length. The SLES kernel uses the buddy algorithm for dealing with relatively large memory requests, but in order to satisfy kernel needs of small memory areas, a different scheme, called slab allocator, is used.
address returned by arch_get_unmapped_area() to contain a linear a ddress that is part of another process’s address space. In addition to this process compartmentali zation, the do_mmap() routine al.
5.5.5 Symm etric multipro cessi ng and synchronization The SLES kernel allows multiple processes to execute in the kernel simultaneously (the kernel is reentrant). It also supports symmetric multiprocessing (SMP), in which two or more processors share the same memory and have equal access to I/O devices.
5.5.5.3 Spin locks Spin locks provide an additional synchroniza tion primitive for app lications running on SMP systems. A spin lock is just a simple flag. When a kernel control pa th tries to claim a spin lock, it first checks whether or not the flag is already set.
Fig ure 5-6 9: A udi t fra mew ork co mpo nents 5.6.1.1 Audit kernel components Linux Audit of the SLES kernel includes three kernel-side components relating to the audit functionality. The first component is a generic mechanism for creating audit records and communicating wi th user space.
The kernel checks the effective capabi lities of the sender process. If the sender does not possess the right capability, the netlink message is discarded. 5.6 .1. 1.2 Sy sca ll au ditin g The second component is a mechanism that a ddresses system call auditing.
5.6 .1. 1.5 Au dit co ntex t fiel ds • Login ID: Login ID is the user ID of the logged-in user. It remains unchanged through the setuid() or seteuid() system calls. Login ID is required by the Controlled Access Protection Profile to irrefutably associate a user with that user’s actions, even across su() calls or use of setuid binaries.
• serial : A unique number that helps identify a pa rticular audit record. Along with ctime , it can determine which pieces belong to the sam e audit record. The (timestamp, serial) tuple is unique for each syscall and it lives from syscall entry to syscall exit.
When a filesystem object the audit subsystem is watching changes, the inotify subsystem calls the audit_handle_event() function. audit_handle_event() in turn updates the audit subsystem's watch data for the watched entity. This process is deta iled in Section 5.
5.6.2 Audit operation and configuration op tions 5.6.2.1 Configu ration There are many ways to control the operation of the audit subsystem. The controls are available a t compilation time, boot time, daemon startup time, a nd while the daemon is running.
Option Description Possible values log_file n ame of the log file log_format How t o flush the data from auditd to the log. RAW . Only RAW is supported in this version. priority_boost The nice v alue for auditd . Used to run audi td at a certain priority.
Optio n descriptio n Possib le values -b Sets max number of outstanding buffer allowed. If all buffers are exhausted, the failure flag is checked. Default is 64 -e Sets enabled flag 0|1 -f Sets failure flag silent , printk , panic -r Sets the rate of messages/second.
7. If audit is enabled, the kernel intercepts the system calls, and generates audit records a ccording to the filter rules. Or, the kernel generates audit records for watches set on particular file system files or directories.
5.6 .3. 1.2 Sy sca ll au dit re cor d g enera tion Once attached, every security-relevant sys tem call performed by the process is evaluated in the kernel.
generates the audit record, and sends the record to netlink s ocket. Both audit_syscall_entry() and audit_syscall_exit() call audit_filter_syscall() to apply filter logic, to check whether to audit or not to audit the call.
5.6 .3. 1.4 Soc ket call and IP C au dit re cor d gen erati on Some system calls pass an argument to the kernel specifying which function the system call is requesting from the kernel. These system calls request multiple services from the kernel through a single entry point.
timestamp of the record and the serial number are used by the user-space daemon to determine which pieces belong to the same audit record. The tuple is unique for each sy scall and lasts from syscall entry to syscall exit. The tuple is composed of the timestamp and the serial number.
Event Description LAF audit events Startup and shutdown of audit functions DA EMON_START , DAEMON_END are generated by auditd Modification of audit configuration fi les DAEMON_CONFIG , DAEMON_RECONFIG are generated by auditd .
Event Description LAF audit events Execution of the test of the underlying ma chine and the result of the test Audit message from amtu utility: a udit record type: USER . Changes to system time Syscall settimeofday , adjtimex Setting up a trusted channel Sycall exec (of stunnel program) Table 5-4: Audit Subsystem event codes 5.
Lower-layer functions, such as scheduling and interrupt management, cannot be modularized. Kernel modules can be used to add or replace system ca lls. The SLES kernel supports dynamically-loadable kernel modules that are loaded automa tically on demand.
STR UC TU RE OB JEC T task_struct T ask(Process) linux_binprm Pr ogram super_block File syste m inode Pi pe, Fi le, or Socket file Open File sk_buff Net work Buffer(Packet) net_device Net work Device .
LSM adds a general security system ca ll that simply invokes the sys_security hook. This system call and hook permits security modules to imp lement new system calls for security-aware a pplications. 5.7.2 LSM capabilities mo dule The LSM kernel patch moves most of the existing POSIX.
● Administrative utilities p rovide a mechanism for administrators to configure, query, a nd control AppArmor. For background information on AppArmor which was originally named SubDomain, SubDomain: Parsimonious Server Security by Crispin Cowan, Steve Beattie, Greg Kroah-Hartman, Calton Pu, Perry Wagle, and Virgil Gligor at https://forgesvn1.
● px - discrete profile execute ● Px - discrete profile execute after scrubbing the environment ● ix - inherit execute ● m - allow PROT_EXEC with mmap(2) calls ● l – link For more information about complete AppArmor profile syntax, please see the apparmor.
5.9 Devic e drivers A device driver is a software layer that makes a ha rdware device respond to a well-defined programming interface. The kernel interacts with the device only through these well-defined interfaces. For detailed information about device drivers, see Linux Dev ice Drive rs, 2nd Edition , by Alessandro Rubini and Jonathan Corbet.
guest program or interpreted ma chine. The interpreted and host machines execute guest and host programs, respectively. The interpretive-execution fa cility is invoked by executing the Start Interpret.
• Conditional interceptions refer to functions that are executed for the guest unless a specified condition is encountered that causes control to be returned to the host by the process that called the interception.
This extra level of indirection is needed for cha racter devices, but not for block devices, because of the large variety of character devices a nd the operations they support. The following diagram illustrates how the kernel maps the file operations vector of the device file object to the correct set of operations routines for that device.
5.10 System initialization When a computer with SLES is turned on, the operating system is loaded into memory by a special program called a boot loader.
the system runlevel by controlling PID 1. F or more information on the /etc/inittab file, please see the inittab(5) man page. For more information on the init program, please see the init(8) manpa ge. The init program generally follows these startup steps: 1.
5.10.2.1 Boot methods SLES supports booting from a hard disk, a CD-ROM, or a floppy disk. CD- ROM and floppy disk boots are used for installation, and to perform diagnostics a nd maintenance. A typical boot is from a boot ima ge on the local hard disk.
14. The boot loader sets the IDT with null interrupt handlers. It puts the system parameters obtained from the BIOS and the pa rameters passed to the operating system into the first p age frame. 15. The boot loader identifies the model of the p rocessor.
160 Fig ure 5-7 9: S yste m x SL ES b oot sequ enc e.
5.10.3 System p This section briefly describes the system initia lization process for System p servers. 5.10.3.1 Boot methods SLES supports booting from a hard disk or from a CD-ROM. CD-ROM boots are used for installation and to perform diagnostics and maintenance.
1. Yaboot allows an administrator to p erform interactive debugging of the startup process by executing the /etc/sysconfig/init script. 2. Mounts the /proc special file system. 3. Mounts the /dev/pts special file system. 4. Executes /etc/rc.d/rc.local , which was set by an administrator to p erform site-specific setup functions.
5.10.4 System p in LPAR SLES runs in a logical partition on an Sy stem p system. The hypervisor program creates logical partitions, which interacts with actual hardware a nd provides virtual versions of hardware to operating systems running in different logical partitions.
5.10.4.1 Boot process For an individual computer, the boot p rocess consists of the following steps when the CPU is powered on or reset: 1. The hypervisor assigns memory to the pa rtition as a 64 MB contiguous load area and the balance in 256 KB chunks.
• Starts the agetty program. For more details about services s tarted at run level 3, see the scripts in /etc/rc.d/rc3.d on a SLES system. Figure 5-81 schematically describes the boot p rocess of System p LPARs.
5.10.5 System z This section briefly describes the system initia lization process for System z servers. 5.10.5.1 Boot methods Linux on System z supports three installation methods: native, LPAR, and z/VM guest installations. SLES only supports z/VM guest installation.
4. Executes /etc/rc.d/rc.local , which was set by an administrator to p erform site-specific setup functions. 5. Performs run-level specific initializa tion by executing startup scripts defined in /etc/inittab . The scripts are named /etc/rc.d/rcX.d , where X is the default run level.
5.10.6 eServer 326 This section briefly describes the system initia lization process for eServer 326 servers. For detailed information on system initia lization, see AMD 64 Arc hitec ture, Progr amm er’s Manu al Volum e 2: Syste m Prog ram ming , at http://www.
5.10.6.2 Boot loader After the system completes the ha rdware diagnostics setup in the firmware, the first p rogram that runs is the boot loader. The boot loader is responsible for copyi ng the boot image from hard disk and then transferring control to it.
17. x86_ 64_start_kernel() completes the kernel initializa tion by initializing Page Tables, Memory Handling Data S tructure s IDT tables, slab allocator (described in Section 5.5.3.6), system date, and system time. 18. Uncompress the initrd initial RAM file system, mounts it, and then executes /linuxrc .
5.11 Identification and authentication Identification is when a user possesses an identity to a system in the form of a login ID. Identification establishes user accountability and acc ess restrictions for actions on the system.
provides a way to develop programs that a re independent of the authentication scheme. These programs need authentication modules to be attached to them at run-time in order to work. Which authentication module is to be attached is dependent upon the local sy stem setup and is at the discretion of the local sys tem administrator.
6. Each authentication module performs its a ction and relays the result back to the applica tion. 7. The PAM library is modified to create a USER_AUTH type of audit record to note the success or failure from the authentication module. 8. The application takes app ropriate action based on the aggregate results from a ll authentication modules.
• pam_passwdqc.so : Performs additional pas sword stre ngth checks. For example, it rejects passwords such as “1qaz2wsx” that follow a pattern on the keyboa rd. In addition to checking regular passwords it offers support for passphrases and can provide randomly generated p asswords.
5.11.2 Protecte d data bases The following databases are consulted by the identifi cation and authentication subsystem during user session initiation: • /etc/passwd : For all system users, it stores the login nam e, user ID, primary group ID, real name, home directory, and shell.
• /etc/ftpusers : The ftpusers text file contains a list of users who cannot log in using the File Transfer Protocol (FTP) server daemon. The file is owned by the root user and root group, and its mode is 644. • /etc/apparmor/ * and /etc/apparmor.
6. Execs the login program. The steps that are relevant to the identifica tion and authorization subsystem are step 5, which p rompts for the user’s login name, and step 6, which executes the login p rogram.
17. Sets effective, real, and saved user ID. 18. Changes directory to the user’s home directory. 19. Executes shell. 5.11.3.4 mingetty mingetty , the minimal Linux getty , is invoked f rom /sbin/init when the system transitions from single-user mode to multi-user mode.
16. Sets up signals. 17. Forks a child. 18. Parent waits on child's return; child continues: 19. Adds the new GID to the group list. 20. Sets the GID. 21. Logs an audit record. 22. Starts a shell if the -c flag was specified. 23. Looks for the SHELL environment variable or, if SHELL is not set defaults to /bin/sh .
4. Processes command-line arguments. 5. Sets up the environment variable array. 6. Invokes pam_start() to initialize the PAM library, and to identify the application with a pa rticular service name. 7. Invokes pam_set_item() to record the tty and user name.
Cryptography can be used to neutralize some of these attacks and to ensure confidentiality a nd integrity of network traffic. Cryptography can also be used to implement authentication schemes using digital signa tures. The TOE supports a technology based on cryptography ca lled OpenSSL.
5.12.1.1 Concepts SSL is used to authenticate endpoints a nd to secure the contents of the application-level communica tion. An SSL-secured connection begins by establishing the identities of the peers, and establishing an encryption method and key in a secure way.
Data confidentiality ca n be maintained by keeping the a lgorithm, the key, or both, secret from unauthorized people. In most cases, including OpenSSL, the a lgorithm used is well-known, but the key is protected from unauthorized people. 5.12. 1.1. 1.
If encryption is done with a public key, only the corresponding p rivate key can be used for decryption. This allows a user to communicate confidentially with another user by encrypting messages with the intended receiver’s public key. Even if m essages are intercepted by a third party, the third pa rty cannot decrypt them.
5.1 2.1 .1. 2 M essag e dig est A message digest is text in the form of a single string of digits created with a one-way hash function. One- way hash functions are algorithms that transform a m essage of arbitrary length into a fixed length tag ca lled a message digest.
The SSL architecture differentiates between an SSL session and an SSL connection. A connection is a transient transport device between p eers. A session is an association between a client and a server. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections.
1. Client hello message: The CipherSuite list, passed from the client to the server in the client hello message, contains the combinations of cryp tographic algorithms supported by the client in order of the client's preference (first choice fi rst) .
For the list of Cipher suites supported, see FCS_COP.1(2) in the Security Target. 5. SSL Change cipher spec protocol: The SSL change cipher spec protocol signals transitions in the security parameters. The protocol consists of a single message, which is encrypted with the current security parameters.
• Blowfish: Blowfish is a block cipher that operates on 64-bit blocks of data. It supports variable key sizes, but generally uses 128-bit keys. • Data Encryption Standard ( DES): DES is a symmetric key cryptosystem derived from the Lucifer algorithm developed at IBM.
MD2, MD4, and MD5 are cryptographic m essage-digest algorithms that take a message of arbitrary length and generate a 128-bit message digest. In MD5, the m essage is processed in 512-bit blocks in four distinct rounds. MDC2 is a method to construct hash functions with 128-bit output from block ciphers.
mac = MAC (key, sequence_number || unencrypted_packet) where unencrypted_packet is the entire packet without MAC (the length fields, payload and pa dding), and sequence_number is an implicit p acket sequence number represented as uint32.
5.12.3 Very Secure File Transfer Proto col daem on Very Secure File Transfer Protocol daemon (VSFTPD) provides a secure, fast, and stable file transfer service to and from a remote host. The behavior of VSFTPD can be controlled by its configuration file /etc/vsftpd/vsftpd.
For background on CUPS labeled printing, p lease see: http://free.linux.hp.com/~mra/docs/ . CUPS uses the Internet Printing Protocol (IPP) that wa s designed to replace the Line Printer Daemon (LPD) protocol, as a basis for mana ging print jobs. CUPS also supports LPD, Server Message Block (SMB), and AppSocket protocols with reduced functionality.
24. Check for input or output requests with select() . 25. If select() fails, logs error messages, notifies cli ents, and exits the main loop for shutdown processing. 26. Gets the current time. 27. Checks print status of print jobs. 28. Updates CGI data.
cryptography standards that they require. The open ssl command can be used by an administrative user for the following: • Creation of RSA, DH, and DSA pa rameters. • Generation of 1024-bit RSA keys. • Creation of X.509 certificates, CSRs, and CRLs.
# Service-level configuration # --------------------------- [ssmtp] accept = 465 connect = 25 The above configuration secures localhost-SMTP when someone connects to it via port 465. The configuration tells stunnel to listen to the SSH port 465, and to send all info to the plain port 25 on localhost.
14. Invokes pam_chauthok() to rejuvenate user’s authentication tokens. 15. Exits. 5.13.1.2 chfn The chfn program allows users to change their finger informa tion. The finger command displays the information, stored in the /etc/passwd file. Refer to the chfn man page for detailed information.
11. Invokes setpwnam() to update appropriate databa se files with the new shell. 12. Exits. 5.13.2 User managem ent 5.13.2.1 useradd The useradd program allows an authorized user to create new user a ccounts on the system. Refer to the useradd man page for more information.
6. Processes command-line arguments. 7. Ensures that the user account being modified exists. 8. Invokes open_files() to lock and open authentication databa se files. 9. Invokes usr_update() to update authentication database files with updated account information.
5.13.3 Group management 5.13.3.1 groupadd The groupadd program allows an administrator to c reate new groups on the system. Refer to the groupadd man page for more detailed informa tion on usage of the command. groupadd generally follows these steps: 1.
5.13.3.2 groupmod The groupmod program allows an administrator to modi fy existing groups on the system. Refer to the groupmod man page for more information. groupmod generally follows these steps: 1. Sets language. 2. Invokes getpwuid ( getuid() ) to obtain application user’s passwd structure.
202.
5.13.4 System Time manageme nt 5.13.4.1 date The date program, for a normal user, displays current da te and time. For an administrative user, date can also set the system date a nd time. Refer to the date man page for more information. date generally follows these steps: 1.
This tool works from a premise that it is working on a n abstract machine that is providing functiona lity to the TSF. The test tool runs on all hardware architectures that a re targets of evaluation and reports problems with any underlying functionalities.
5.13 .5.1 .5.1 Syste m p The instruction set for the PowerPC processor is given in the book a t the following URL: http://www.ibm.com/chips/techlib/techlib.nsf/ techdocs/852569B20050FF778525699600682CC7/$file/booke _rm.pdf For each instruction, the description in the book li sts whether it is available only in supervisor mode or not.
To test CPU control registers, use MOVL %cs, 28(%esp) . This overwrites the va lue of the register that contains the code segment. The register that c ontains the address of the next instruction ( eip ) is not directly addressable. Note that in the Intel documentation of MOV it is explicitly stated that MOV cannot be used to set the CS register.
2. Gets its euid and uid. 3. Transforms old-style command line a rgument syntax into new-style syntax. 4. Processes the command line a rguments. 5. Sets up signal handling. 6. Initializes the fifo. 7. Initializes any remote connection. 8. Sets back the real UID.
5.13.6 I&A support 5.13.6.1 pam_tally The pam_tally utility allows administrative users to reset the failed login counter kept in the /var/log/faillog . Please see the /usr/share/doc/packages/pam/modules/README.pam_tally file on a SLES system for more information.
The crontab program is used to install, deinstall, or list the tables used to drive the cron daemon in Vixie Cron. The crontab program allows an administrator to perform specific tasks on a regularly-scheduled basis without logging in. Users can have their own crontabs that allow them to create jobs that will run at given times.
commands that are to be executed. Informa tion stored in this job file, along with its attributes, is used by the atd daemon to recreate the invocation of the user’s identity while performing tasks a t the scheduled time. 5.14.2 Batch processing daem ons 5.
5.15 User-level audit subsystem The main user-level audit components consist of the auditd daemon, the auditctl control program, the libaudit library, the auditd.conf configuration file, a nd the auditd.rules initial setup file. There is also the /etc/init.
2. Processes the command line a rguments. 3. Attempts to raise its resource limits. 4. Sets its umask. 5. Resets its internal counters. 6. Emits a title. 7. Processes audit records from an audit log file or stdin , incrementing counters depending on audit record contents.
5.16 Suppor ting functions Trusted programs and trusted processes in a n SLES system use libraries. Libraries do not form a subsystem in the notation of the Common Criteria, but they provide supporting functions to trusted commands and processes. A library is an archive of link-edited objects a nd their export files.
Lib rar y Des crip tion /lib/libc.so.6 C Run time library functions. /lib/libcrypt.so.1 Library that performs one-way encryption of user a nd group passwords. /lib/libcrypt.so.o.9.8b Replacement library for libcrypt.so.1 Supp orts bigcrypt and blowfish password encryption.
5.16.2 Library l inking mechanism On SLES, a binary executable automa tically causes the program loader /lib/ld-linux.so.2 to be loaded and run. This loader takes care of analyzing the library names in the executable file, locating the library in the system directory tree, and ma king requested code available to the executing process.
system initialization, a nd sets the IDT entry corresponding to vector 128 (Ox80) to invoke the system call exception handler. When compiling and linking a p rogram that makes a system call, the libc .
passed as system-call parameters. For the sa ke of efficiency, and satisfying the access control requirement, the SLES kernel performs validation in a two-step process, as follows: 1.
6 Mapping the TOE summary specification to the High-Level Design This chapter provides a mapp ing of the security functions of the TOE summary specification to the functions described in this High-Level Design document. 6.1 Identification and authentication Section 5.
6.2.3 Audit record fo rmat (AU.3) Section 5.6.3.2 describes information stored in each a udit record. 6.2.4 Audit post-processing (AU .4) Section 5.15.2 describes audit subsystem utilities provided for post-processing of audit data. 6.3 Disc retionary Access Contro l Sections 5.
6.5.1 Roles (SM.1) Section 5.13 provides details on va rious commands that support the notion of an administrator a nd a normal user. 6.5.2 Access control configuration and managem ent (SM.2) Sections 5.1.1 and 5.1.2.1 provide details on the system calls of the file system that are used to set attributes on objects to configure access control.
6.7.4 Trusted processes (TP.4) Section 4.2.2 provides details on the non-kernel trusted p rocess on the SLES system. 6.7.5 TSF Databases (TP.5) Section 4.3 provides details on the TSF da tabases on the SUSE Linux Enterprise Server system. 6.7.6 Inte rnal TOE prot ecti on mecha nisms (TP.
• Kernel Modules • Device Drivers • Trusted process subsystems: • System Initialization • Identification and Authentication • Network Applications • System Management • Batch Processing • User-level audit subsystem 6.
6.8 .1. 1.2 Int ern al I nter fac es 6.8 .1. 1.3 Internal function Interfaces defined in permission This document, Section 5.1.1.1 vfs_permission This document, Sections 5.1 . 1.1 and 5.1.5.1 get_empty_filp This document, Section 5.1.1.1 fget This document, Section 5.
read_inode w rite_super read_inode2 w rite_super_lockfs dirty_inode u nlockfs write_inode s tatfs put_inode r emount_fs delete_inode c lear_inode Dentry operations: Note that they a re not used by other subsystems, so there is no subsystem interface: • d_revalidate • d_hash • d_compare • d_delete • d_release • d_iput 6.
System calls are listed in the F unctional Specification mapping table. 6.8 .1. 2.2 Int ern al I nter fac es Internal function Interfaces defined in current Un ders tand ing the LI NUX KERN EL , Chapter 3, 2nd Edition, Daniel P.
6.8 .1. 3.1 Ex tern al int erf ace s ( sys tem ca lls) • TSFI system calls • Non-TSFI system calls System calls are listed in the F unctional Specification mapping table. 6.8 .1. 3.2 Int ern al I nter fac es Internal function Interfaces defined in do_pipe U nde rstan ding the L INU X K ERNE L , Chapter 19, 2nd Edition, Dani el P.
6.8.1.4 Kernel subsystem networking This section lists external interfaces, internal interfaces and data structures of the networking subsystem. 6.8 .1. 4.1 Ex tern al int erf ace s ( sys tem ca lls) • TSFI system calls • Non-TSFI system calls System calls are listed in the F unctional Specification mapping table.
System calls are listed in the F unctional Specification mapping table 6.8 .1. 5.2 Int ern al i nter fac es Internal interfaces Interfaces defined in get_zeroed_page L inux Devic e D river s , O’Reilly, Chapter 7, 2nd Edition June 2001, Alessandro Rubini /this document, chapter 5.
• audit_sockaddr • audit_ipc_perms 6.8 .1. 6.3 Dat a s tru ctu res • audit_sock : The netlink socket through which all user space communicati on is done. • audit_buffer : The audit buffer is used when formatting an audit record to send to user space.
driver methods for character device drivers a nd block device drivers, see [RUBN]. Chapter 3 describes the methods for character devices a nd chapter 6 describes the methods for block devices.
6.8 .1. 7.3 Dat a s tru ctu res device_struct f s/devices.c file_operations i nclude/linux/fs.h block_device_operati ons include/linux/fs.h 6.8.1.8 Kernel subsystems kernel modules This section lists external interfaces, internal interfaces, and data structures of the kernel modules subsystem.
7 References [CC] Com mon Criter ia fo r In form ation Techn olog y Secu rity Eva luati on, CCI MB- 99-031 , Ve rsion 2.1, Augu st 1 999 [CEM] Com mon Meth odo log y for In form atio n T echn olog y S ecur ity E valu ation , C EM- 99/045 , Pa rt 2 – Eva luati on Metho dolo gy, Versio n 1 .
[RSA] "A Method for Obtaining Digital S ignatures and Public-Key Cryptosystems," Comm unic ation s of the ACM , v. 21, n. 2, F eb 1978, pp. 120-126, R. Rivest, A. Shamir, and L. M. Adleman, [DH1] "New Directions in Cryptography," IEE E T rans actio ns on I nform ation Theo ry , V.
Th e follo wing a re tr ade mar ks or reg ister ed t rad ema rks o f the Int erna tion al Bu siness Mac hine s C orpo ration in the Un ited S t ates and /or othe r cou ntries . Fo r a c om plete list o f IB M T rade mar ks, s ee www .ibm.c om/leg al/c opy trade .
Un point important après l'achat de l'appareil (ou même avant l'achat) est de lire le manuel d'utilisation. Nous devons le faire pour quelques raisons simples:
Si vous n'avez pas encore acheté IBM 10 SP1 EAL4 c'est un bon moment pour vous familiariser avec les données de base sur le produit. Consulter d'abord les pages initiales du manuel d'utilisation, que vous trouverez ci-dessus. Vous devriez y trouver les données techniques les plus importants du IBM 10 SP1 EAL4 - de cette manière, vous pouvez vérifier si l'équipement répond à vos besoins. Explorant les pages suivantes du manuel d'utilisation IBM 10 SP1 EAL4, vous apprendrez toutes les caractéristiques du produit et des informations sur son fonctionnement. Les informations sur le IBM 10 SP1 EAL4 va certainement vous aider à prendre une décision concernant l'achat.
Dans une situation où vous avez déjà le IBM 10 SP1 EAL4, mais vous avez pas encore lu le manuel d'utilisation, vous devez le faire pour les raisons décrites ci-dessus,. Vous saurez alors si vous avez correctement utilisé les fonctions disponibles, et si vous avez commis des erreurs qui peuvent réduire la durée de vie du IBM 10 SP1 EAL4.
Cependant, l'un des rôles les plus importants pour l'utilisateur joués par les manuels d'utilisateur est d'aider à résoudre les problèmes concernant le IBM 10 SP1 EAL4. Presque toujours, vous y trouverez Troubleshooting, soit les pannes et les défaillances les plus fréquentes de l'apparei IBM 10 SP1 EAL4 ainsi que les instructions sur la façon de les résoudre. Même si vous ne parvenez pas à résoudre le problème, le manuel d‘utilisation va vous montrer le chemin d'une nouvelle procédure – le contact avec le centre de service à la clientèle ou le service le plus proche.