IBM 10 SP1 EAL4 Figure 5-71: Task Structure

1

Download on canonical page 246 pages, 2.94 Mb

5.6.1.1.5 Audit context fields

•Login ID: Login ID is the user ID of the logged-in user. It remains unchanged through the

setuid() or seteuid() system calls. Login ID is required by the Controlled Access Protection

Profile to irrefutably associate a user with that user’s actions, even across su() calls or use of setuid

binaries.

•state: state represents the audit state that controls the creation of per-task audit context and

filling of system call specifics in the audit context. It can take the following values:

AUDIT_DISABLED Do not create per-task audit_context. No

syscall specific audit records will be

generated for the task

AUDIT_SETUP_CONTEXT Create the per task audit_context,

but don't necessarily fill it in a syscall

entry time (i.e., filter instead).

AUDIT_BUILD_CONTEXT Create the per task audit_context,

and always fill it in at syscall entry time.

This makes a full syscall record available

if some other part of the kernel decides it

should be recorded.

AUDIT_RECORD_CONTEXT Create the per task audit_context,

always fill it in at syscall entry time, and

always write out the audit record at

syscall exit time.

Table 5-1: Audit Context States

•in_syscall: States whether the process is running in a syscall versus in an interrupt.

134

Figure 5-71: Task Structure

Models

10 SP1 EAL4

Contents

3Table of Contents
13 1 Introduction
- 1.1 Purpose of this document
- 1.2 Document overview
- 1.3 Conventions used in this document
- 1.4 Terminology
14 2 System Overview
- Figure 2-1: Series of TOE systems connected by a physically protected LAN
- 15 2.1 Product history
- 2.1.1 SUSE Linux Enterprise Server
- 2.1.2 eServer systems
- 2.2 High-level product overview
- 16 2.2.1 eServer host computer structure
  - Figure 2-2: Overall structure of the TOE
- 18 2.2.2 eServer system structure
- 2.2.3 TOE services
- 19 2.2.4 Security policy
  - Figure 2-3: Local and network services provided by SLES
- 20 2.2.5 Operation and administration
- 2.2.6 TSF interfaces
- 21 2.3 Approach to TSF identification
24 3 Hardware architecture
- 3.1 System x
- 3.1.1 System x hardware overview
- 3.1.2 System x hardware architecture
- 25 3.2 System p
- 3.2.1 System p hardware overview
- 3.2.2 System p hardware architecture
- 26 3.3 System z
- 3.3.1 System z hardware overview
- 3.3.2 System z hardware architecture
- 27 3.4 eServer 326
  - Figure 3-1: z/VM as hypervisor
- 3.4.1 eServer 326 hardware overview
- 3.4.2 eServer 326 hardware architecture
  - 28Figure 3-2: AMD x86-64 architecture in compatibility mode
30 4 Software architecture
- 4.1 Hardware and software privilege
- 4.1.1 Hardware privilege
  - 4.1.1.1 Privilege level
  - 31Figure 4-1: Levels of Privilege
- 32 4.1.2 Software privilege
  - 33 4.1.2.1 DAC
  - 4.1.2.1.1 Subjects and objects
  - 4.1.2.1.2 Attributes
  - 4.1.2.1.3 Access control rules
  - 4.1.2.1.4 Software privilege
  - 4.1.2.2 AppArmor
  - 4.1.2.3 Programs with software privilege
- 34 4.2 TOE Security Functions software structure
  - Figure 4-2: TSF and non-TSF software
- 35 4.2.1 Kernel TSF software
  - 4.2.1.1 Logical components
  - 36Figure 4-3: Logical kernel subsystems and their interactions
    - 4.2.1.2 Execution components
  - 37Figure 4-4: Kernel execution components
    - 4.2.1.2.1 Base kernel
    - 4.2.1.2.2 Kernel threads
    - 4.2.1.2.3 Kernel modules and device drivers
- 38 4.2.2 Non-kernel TSF software
- 40 4.3 TSF databases
- 4.4 Definition of subsystems for the CC evaluation
- 41 4.4.1 Hardware
- 4.4.2 Firmware
- 4.4.3 Kernel subsystems
- 4.4.4 Trusted process subsystems
- 42 4.4.5 User-level audit subsystem
44 5 Functional descriptions
- 5.1 File and I/O management
  - Figure 5-1: File and I/O subsystem and its interaction with other subsystems
- 45 5.1.1 Virtual File System
  - Figure 5-2: ext3 and CD-ROM file systems before mounting
  - 46Figure 5-3: ext3 and CD-ROM file systems after mounting
  - Figure 5-4: Virtual file system
    - 47 5.1.1.1 Pathname translation
    - 5.1.1.2 open()
  - 49Figure 5-6: VFS data structures and their relationships with each other
    - 50 5.1.1.3 write()
    - 5.1.1.4 mount()
    - 5.1.1.5 Shared subtrees
- 51 5.1.2 Disk-based file systems
  - 5.1.2.1 Ext3 file system
  - 5.1.2.1.1 Extended Attributes
  - 5.1.2.1.2 Data structures
  - 52Figure 5-7: Security attributes, extended security attributes, and data blocks for the ext3 inode
  - 55Figure 5-9: Access control on ext3 file system
    - 5.1.2.2 ISO 9660 file system for CD-ROM
    - 5.1.2.2.1 Data structures and algorithms
- 56 5.1.3 Pseudo file systems
  - Figure 5-10: File lookup on CD-ROM file system
    - 5.1.3.1 procfs
    - 5.1.3.2 tmpfs
    - 57 5.1.3.3 sysfs
    - 5.1.3.4 devpts
    - 5.1.3.5 rootfs
    - 5.1.3.6 binfmt_misc
    - 5.1.3.7 securityfs
    - 5.1.3.8 configfs
- 58 5.1.4 inotify
- 5.1.5 Discretionary Access Control (DAC)
  - 59 5.1.5.1 Permission bits
  - 60 5.1.5.2 Access Control Lists
  - 5.1.5.2.1 Types of ACL tags
  - 5.1.5.2.2 ACL qualifier
  - 61 5.1.5.2.3 ACL permissions
  - 5.1.5.2.4 Relationship to file permission bits
  - 5.1.5.2.5 ACL_MASK
  - 5.1.5.2.6 Default ACLs and ACL inheritance
  - 5.1.5.2.7 ACL representations and interfaces
  - 62 5.1.5.2.8 ACL enforcement
- 63 5.1.6 Asynchronous I/O
- 5.1.7 I/O scheduler
  - 64 5.1.7.1 Deadline I/O scheduler
  - 5.1.7.2 Anticipatory I/O scheduler
  - 5.1.7.3 Completely Fair Queuing scheduler
  - 5.1.7.4 Noop I/O scheduler
- 65 5.1.8 I/O interrupts
  - 5.1.8.1 Top halves
  - 5.1.8.2 Bottom halves
  - 5.1.8.3 Softirqs
  - 5.1.8.4 Tasklets
  - 5.1.8.5 Work queue
- 66 5.1.9 Processor interrupts
- 5.1.10 Machine check
- 67 5.2 Process control and management
  - Figure 5-11: Process subsystem and its interaction with other subsystems
- 5.2.1 Data structures
  - Figure 5-12: The task structure
- 69 5.2.2 Process creation and destruction
  - 5.2.2.1 Control of child processes
  - 5.2.2.2 DAC controls 5.2.2.2.1 setuid()and setgid()
  - 5.2.2.2.2 seteuid()and setegid()
  - 5.2.2.2.3 setreuid()and setregid()
  - 5.2.2.2.4 setresuid()and setresgid()
  - 5.2.2.3 execve()
  - 5.2.2.4 do_exit()
- 70 5.2.3 Process switch
- 5.2.4 Kernel threads
- 71 5.2.5 Scheduling
  - Figure 5-13: O(1) scheduling
- 72 5.2.6 Kernel preemption
  - Figure 5-14: Hyperthreaded scheduling
- 73 5.3 Inter-process communication
- 74 5.3.1 Pipes
  - Figure 5-15: Pipes Implementation
    - 5.3.1.1 Data structures and algorithms
- 75 5.3.2 First-In First-Out Named pipes
  - 5.3.2.1 FIFO creation
  - 5.3.2.2 FIFO open
- 76 5.3.3 System V IPC
  - 5.3.3.1 Common data structures
  - 77 5.3.3.2 Common functions
  - 5.3.3.2.1 ipc_alloc()
  - 5.3.3.2.2 ipcperms()
  - 5.3.3.3 Message queues
  - 5.3.3.3.1 msg_queue
  - 5.3.3.3.2 msg_msg
- 80 5.3.4 Signals
  - 5.3.4.1 Data structures
  - 5.3.4.2 Algorithms
- 5.3.5 Sockets
- 81 5.4 Network subsystem
  - Figure 5-16: Object reuse handling in socket allocation
- 82 5.4.1 Overview of the network protocol stack
  - Figure 5-17: Network subsystem and its interaction with other subsystems
  - 83Figure 5-18: How data travels through the Network protocol stack
- 84 5.4.2 Transport layer protocols
  - 5.4.2.1 TCP
  - 5.4.2.2 UDP
- 5.4.3 Network layer protocols
  - 5.4.3.1 Internet Protocol Version 4 (IPv4)
  - 5.4.3.2 Internet Protocol Version 6 (IPv6)
  - 85 5.4.3.2.1 Addressing
  - 5.4.3.2.2 IPv6 Header
  - 86 5.4.3.2.3 Flow Labels
  - 5.4.3.2.4 Security
  - 5.4.3.3 Transition between IPv4 and IPv6
  - 5.4.3.4 IP Security (IPsec)
  - 87 5.4.3.4.1 Functional Description of IPsec
- 90 5.4.4 Internet Control Message Protocol (ICMP)
  - 5.4.4.1 Link layer protocols
  - 5.4.4.1.1 Address Resolution Protocol (ARP)
- 91 5.4.5 Network services interface
  - Figure 5-19: Server and client operations using socket interface
    - 5.4.5.1 socket()
  - 92Figure 5-20: bind() function for internet domain TCP socket
    - 5.4.5.2 bind()
  - 93Figure 5-21: bind() function for UNIX domain TCP socket
    - 5.4.5.3 listen()
    - 5.4.5.4 accept()
    - 5.4.5.5 connect()
    - 5.4.5.6 Generic calls
    - 5.4.5.7 Access control
- 94 5.5 Memory management
  - Figure 5-22: Mapping read, write and close calls for sockets
  - 95Figure 5-23: Memory subsystem and its interaction with other subsystems
- 96 5.5.1 Four-Level Page Tables
  - Figure 5-24: Previous three-level page-tables architecture
- 97 5.5.2 Memory addressing
  - 5.5.2.1 System x
  - Figure 5-25: New page-table implementation: the four-level page-table architecture
  - 98Figure 5-26: System x virtual addressing space
  - Figure 5-27: Logical Address Translation
    - 5.5.2.1.1 Segmentation
  - 99Figure 5-28: Access control through segmentation
    - 5.5.2.1.2 Paging
  - 100Figure 5-29: Contiguous linear addresses map to contiguous physical addresses
  - 102Figure 5-32: Access control through paging
  - 104Figure 5-33: Paging data structures
    - 5.5.2.2 System p
  - 105Figure 5-34: Logical partitions
  - Figure 5-35: Machine state register
    - 108 5.5.2.2.1 Address Translation on LPARs
    - 5.5.2.2.2 Hypervisor
    - 5.5.2.2.3 Real mode addressing
    - 109 5.5.2.2.4 Virtual mode addressing
    - 5.5.2.2.5 Access to I/O address space
    - 5.5.2.2.6 Direct Memory Access addressing
  - 110Figure 5-38: DMA addressing
    - 5.5.2.2.7 Run-Time Abstraction Services
    - 5.5.2.2.8 Preventing denial of service
    - 5.5.2.3 System p native mode
  - 111Figure 5-39: Effective address
  - Figure 5-40: Virtual address
    - 5.5.2.3.1 Machine State Register
  - 112Figure 5-41: Block address
  - Figure 5-42: Machine state register
    - 5.5.2.3.2 Page descriptor
    - 5.5.2.3.3 Segment descriptor
    - 5.5.2.3.4 Block descriptor
  - 113Figure 5-43: Page table entry
  - Figure 5-44: Segment Table Entry
    - 5.5.2.3.5 Address translation mechanisms
  - 114Figure 5-46: Address translation method selection
  - Figure 5-45: Block Address Translation entry
  - 115Figure 5-47: Block Address Translation access control
    - 5.5.2.3.6 Page Address Translation and access control
    - 118 5.5.2.4 System z
    - 5.5.2.4.1 Native hardware mode
    - 5.5.2.4.2 LPAR mode
    - 5.5.2.4.3 z/VM Guest mode
    - 5.5.2.4.4 Address types
    - 119 5.5.2.4.5 Address sizes
    - 5.5.2.4.6 Address spaces
    - 5.5.2.4.7 Address translations
  - 121Figure 5-51: Address translation modes
    - 5.5.2.4.8 Memory protection mechanisms
  - 123Figure 5-53: Low-address protection on effective address
  - 127Figure 5-56: Key match logic for key-controlled protection
  - 128Figure 5-57: Fetch protection override for key-controlled
    - 5.5.2.5 eServer 326
    - 5.5.2.5.1 Logical address
    - 5.5.2.5.2 Effective address
  - 129Figure 5-58: eServer 326 address types and their conversion units
    - 5.5.2.5.3 Linear address
    - 5.5.2.5.4 Physical address
    - 5.5.2.5.5 Segmentation
  - 130Figure 5-59: Data access privilege checks
    - 131 5.5.2.5.6 Paging
    - 5.5.2.5.7 Translation Lookaside Buffers
- 135 5.5.3 Kernel memory management
  - 5.5.3.1 Support for NUMA servers
  - 136Figure 5-64: NUMA Design
    - 5.5.3.2 Reverse map Virtual Memory
  - 137Figure 5-65: Rmap VM
    - 5.5.3.3 Huge Translation Lookaside Buffers
  - 138Figure 5-66: TLB Operation
    - 5.5.3.4 Remap_file_pages
  - 139Figure 5-67: Remap_ file_ pages for database applications
    - 5.5.3.5 Page frame management
    - 5.5.3.6 Memory area management
    - 5.5.3.7 Noncontiguous memory area management
- 140 5.5.4 Process address space
  - 141Figure 5-68: Object reuse handling while allocating new linear address
- 142 5.5.5 Symmetric multiprocessing and synchronization
  - 5.5.5.1 Atomic operations
  - 5.5.5.2 Memory barriers
  - 5.5.5.3 Spin locks
  - 5.5.5.4 Kernel semaphores
- 143 5.6 Audit subsystem
- 5.6.1 Audit components
  - 144Figure 5-69: Audit framework components
    - 5.6.1.1 Audit kernel components
    - 5.6.1.1.1 Kernel-userspace interface
    - 5.6.1.1.2 Syscall auditing
  - 145Figure 5-70: Audit Kernel Components
    - 5.6.1.1.3 Filesystem watches
    - 5.6.1.1.4 Task structure
  - 146Figure 5-71: Task Structure
    - 5.6.1.1.5 Audit context fields
    - 147 5.6.1.2 File system audit components
    - 148 5.6.1.3 User space audit components
- 149 5.6.2 Audit operation and configuration options
  - Figure 5-72: Audit User Space Components
    - 5.6.2.1 Configuration
    - 151 5.6.2.2 Operation
- 152 5.6.3 Audit records
  - 5.6.3.1 Audit record generation
  - 5.6.3.1.1 Kernel record generation
  - 153Figure 5-73: Audit Record Generation
    - 5.6.3.1.2 Syscall audit record generation
  - 154Figure 5-74: Extension to system calls interface
    - 5.6.3.1.3 File system audit record generation
    - 5.6.3.1.4 Socket call and IPC audit record generation
  - 155Figure 5-75: User Space Record Generation
    - 5.6.3.1.5 Record generation by trusted programs
    - 5.6.3.2 Audit record format
- 158 5.6.4 Audit tools
  - 5.6.4.1 auditctl
  - 5.6.4.2 ausearch
- 5.6.5 Login uid association
- 5.7 Kernel modules
- 159 5.7.1 Linux Security Module framework
- 161 5.7.2 LSM capabilities module
  - Figure 5-76: LSM hook architecture
- 5.7.3 LSM AppArmor module
- 5.8 AppArmor
- 162 5.8.1 AppArmor administrative utilities
- 163 5.8.2 AppArmor access control functions
- 5.8.3 securityfs
- 164 5.9 Device drivers
- 5.9.1 I/O virtualization on System z
  - 5.9.1.1 Interpretive-execution facility
  - 165 5.9.1.2 State description
  - 5.9.1.3 Hardware virtualization and simulation
- 166 5.9.2 Character device driver
- 167 5.9.3 Block device driver
  - Figure 5-77: Setup of f_op for character device specific file operations
- 168 5.10 System initialization
  - Figure 5-78: Setup of f_op for block device specific file operations
- 5.10.1 init
- 169 5.10.2 System x
  - 170 5.10.2.1 Boot methods
  - 5.10.2.2 Boot loader
  - 5.10.2.3 Boot process
- 173 5.10.3 System p
  - 5.10.3.1 Boot methods
  - 5.10.3.2 Boot loader
  - 5.10.3.3 Boot process
  - 176 5.10.4.1 Boot process
- 178 5.10.5 System z
  - 5.10.5.1 Boot methods
  - 5.10.5.2 Control program
  - 5.10.5.3 Boot process
- 180 5.10.6 eServer 326
  - Figure 5-82: System z SLES boot sequence
    - 5.10.6.1 Boot methods
    - 181 5.10.6.2 Boot loader
    - 5.10.6.3 Boot process
- 183 5.11 Identification and authentication
  - Figure 5-83: eServer 326 SLES boot sequence
- 184 5.11.1 Pluggable Authentication Module
  - 5.11.1.1 Overview
  - 185 5.11.1.2 Configuration terminology
  - 5.11.1.3 Modules
- 187 5.11.2 Protected databases
  - 5.11.2.1 Access control rules 5.11.2.1.1 DAC
  - 5.11.2.1.2 Software privilege
- 188 5.11.3 Trusted commands and trusted processes
  - 5.11.3.1 agetty
  - 189 5.11.3.2 gpasswd
  - 5.11.3.3 login
  - 190 5.11.3.4 mingetty
  - 5.11.3.5 newgrp
  - 191 5.11.3.6 passwd
  - 5.11.3.7 su
- 192 5.11.4 Interaction with audit
- 5.12 Network applications
- 5.12.1 OpenSSL Secure socket-layer interface
  - 193Figure 5-84: SSL location in the network stack
    - 5.12.1.1 Concepts
    - 5.12.1.1.1 Encryption
  - 194Figure 5-86: Decryption
  - Figure 5-85: Encryption
  - 195Figure 5-87: Encryption Algorithm and Key
    - 197 5.12.1.1.2 Message digest
    - 5.12.1.1.3 Message Authentication Code (MAC)
    - 5.12.1.1.4 Digital certificates and certificate authority
    - 5.12.1.2 SSL architecture
  - 198Figure 5-90: SSL Protocol
    - 5.12.1.2.1 SSL handshake protocol
  - 200Figure 5-92: SSL protocol action
    - 5.12.1.3 OpenSSL algorithms
    - 5.12.1.4 Symmetric ciphers
    - 201 5.12.1.4.1 Asymmetric ciphers
    - 5.12.1.4.2 Certificates
    - 5.12.1.4.3 Hash functions
- 202 5.12.2 Secure Shell
  - 203 5.12.2.1 SSH client
  - 5.12.2.2 SSH server daemon
- 204 5.12.3 Very Secure File Transfer Protocol daemon
- 5.12.4 CUPS
  - 205 5.12.4.1 cupsd
  - 206 5.12.4.2 ping
  - 5.12.4.3 ping6
  - 5.12.4.4 openssl
  - 207 5.12.4.5 stunnel
  - 5.12.4.6 xinetd
- 208 5.13 System management 5.13.1 Account Management
  - 5.13.1.1 chage
  - 209 5.13.1.2 chfn
  - 5.13.1.3 chsh
- 210 5.13.2 User management
  - 5.13.2.1 useradd
  - 5.13.2.2 usermod
  - 211 5.13.2.3 userdel
- 212 5.13.3 Group management
  - 5.13.3.1 groupadd
  - 213 5.13.3.2 groupmod
  - 5.13.3.3 groupdel
- 215 5.13.4 System Time management
  - 5.13.4.1 date
  - 5.13.4.2 hwclock
- 5.13.5 Other System Management
  - 5.13.5.1 AMTU
  - 216 5.13.5.1.1 Memory
  - 5.13.5.1.2 Memory separation
  - 5.13.5.1.3 I/O controller and network
  - 5.13.5.1.4 I/O controller and disk
  - 5.13.5.1.5 Supervisor mode instructions
  - 218 5.13.5.1.6 AMTU output
  - 5.13.5.2 star
- 220 5.13.6 I&A support
  - 5.13.6.1 pam_tally
  - 5.13.6.2 unix_chkpwd
- 5.14 Batch processing
- 5.14.1 Batch processing user commands
  - 5.14.1.1 crontab
  - 221 5.14.1.2 at
- 222 5.14.2 Batch processing daemons
  - 5.14.2.1 cron
  - 5.14.2.2 atd
- 223 5.15 User-level audit subsystem
- 5.15.1 Audit daemon
- 5.15.2 Audit utilities
  - 5.15.2.1 aureport
  - 5.15.2.2 ausearch
  - 5.15.2.3 autrace
- 224 5.15.3 Audit configuration files
- 5.15.4 Audit logs
- 225 5.16 Supporting functions
- 5.16.1 TSF libraries
  - 226Library Description
- 227 5.16.2 Library linking mechanism
- 5.16.3 System call linking mechanism
  - 5.16.3.1 System x
  - 5.16.3.2 System p
  - 5.16.3.3 System z
  - 5.16.3.4 eServer 326
- 228 5.16.4 System call argument verification
230 6 Mapping the TOE summary specification to the High-Level Design
- 233 6.7.4 Trusted processes (TP.4)
- 6.7.5 TSF Databases (TP.5)
- 6.7.6 Internal TOE protection mechanisms (TP.6)
- 6.7.7 Testing the TOE protection mechanisms (TP.7)
- 6.8 Security enforcing interfaces between subsystems
- 234 6.8.1 Summary of kernel subsystem interfaces
  - 6.8.1.1 Kernel subsystem file and I/O
  - 6.8.1.1.1 External Interfaces
  - 235 6.8.1.1.2 Internal Interfaces 6.8.1.1.3
  - 236 6.8.1.1.4 Data Structures
  - 6.8.1.2 Kernel subsystem process control and management
  - 6.8.1.2.1 External interfaces (system calls)
  - 237 6.8.1.2.2 Internal Interfaces
  - 6.8.1.2.3 Data Structures
  - 6.8.1.3 Kernel subsystem inter-process communication
  - 238 6.8.1.3.1 External interfaces (system calls)
  - 6.8.1.3.2 Internal Interfaces
  - 6.8.1.3.3 Data Structures
  - 239 6.8.1.4 Kernel subsystem networking
  - 6.8.1.4.1 External interfaces (system calls)
  - 6.8.1.4.2 Internal interfaces
  - 6.8.1.4.3 Data Structures
  - 6.8.1.5 Kernel subsystem memory management
  - 6.8.1.5.1 External interfaces (system calls)
  - 240 6.8.1.5.2 Internal interfaces
  - 6.8.1.5.3 Data Structures
  - 6.8.1.6 Kernel subsystem audit
  - 6.8.1.6.1 External interfaces
  - 6.8.1.6.2 Internal interfaces
  - 241 6.8.1.6.3 Data structures
  - 6.8.1.7 Kernel subsystem device drivers 6.8.1.7.1 External interfaces (system calls)
  - 6.8.1.7.2 Internal interfaces
- 243 6.8.2 Summary of trusted processes interfaces
244 7 References