Manuals
/
IBM
/
Computer Equipment
/
Server
IBM
10 SP1 EAL4
manual
Page Address Translation and access control
Models:
10 SP1 EAL4
1
117
246
246
Download
246 pages
443 b
114
115
116
117
118
119
120
121
Signals
Login
Operation and administration
Configfs
Access Control Lists
Batch processing user commands
TOE services
Boot methods
Process switch
Real mode addressing
Page 117
Image 117
Figure
5-48:
Page Address Translation and access control
105
Page 116
Page 118
Page 117
Image 117
Page 116
Page 118
Contents
Page
EJR
Table of Contents
2.1 DAC AppArmor Programs with software privilege
Permission bits Access Control Lists
100
142
175
207
250
252
269
Document overview
Purpose of this document
Conventions used in this document
Terminology
System Overview
Suse Linux Enterprise Server
Product history
EServer systems
High-level product overview
Overall structure of the TOE
EServer host computer structure
Page
EServer system structure
TOE services
Security policy
Local and network services provided by Sles
TSF interfaces
Operation and administration
Approach to TSF identification
Page
Page
System x hardware overview System x hardware architecture
System
System p
System p hardware overview
System p hardware architecture
System z hardware overview System z hardware architecture
System z
EServer
EServer 326 hardware overview
EServer 326 hardware architecture
AMD x86-64 architecture in compatibility mode
Page
Hardware and software privilege
Hardware privilege
Privilege level
Levels of Privilege
Software privilege
AppArmor
2.1 DAC
Programs with software privilege
TOE Security Functions software structure
Kernel TSF software
Logical kernel subsystems and their interactions
Logical components
Execution components
Base kernel
Kernel threads
Kernel modules and device drivers
Non-kernel TSF software
Page
Definition of subsystems for the CC evaluation
TSF databases
Firmware
Hardware
Kernel subsystems
Trusted process subsystems
User-level audit subsystem
Page
File and I/O management
Functional descriptions
Ext3 and CD-ROM file systems before mounting
Virtual File System
Ext3 and CD-ROM file systems after mounting
Pathname translation
VFS pathname translation and access control checks
Open
Write
Mount
Shared subtrees
Disk-based file systems
2.1 Ext3 file system
Extended Attributes
Data structures
Page
Page
Data structures and algorithms
ISO 9660 file system for CD-ROM
Pseudo file systems
Procfs
Tmpfs
Sysfs
Devpts
Rootfs
Configfs
Discretionary Access Control DAC
Inotify
Binfmtmisc
Indicates read
Permission bits
Access Control Lists
Types of ACL tags
ACL qualifier
ACL permissions
Default ACLs and ACL inheritance
Relationship to file permission bits
Aclmask
ACL enforcement
7 I/O scheduler
Asynchronous I/O
Deadline I/O scheduler
Anticipatory I/O scheduler
Completely Fair Queuing scheduler
Noop I/O scheduler
8 I/O interrupts
Top halves
Bottom halves
Machine check
Processor interrupts
Tasklets
Work queue
Data structures
Process control and management
Page
Process creation and destruction
Control of child processes
DAC controls
Kernel threads
Process switch
Setresuidand setresgid
Execve
Hyperthreading scheduler
Scheduling
14 Hyperthreaded scheduling
Kernel preemption
Inter-process communication
Data structures and algorithms
Pipes
Fifo creation
First-In First-Out Named pipes
System V IPC
Fifo open
Common data structures
Message queues
Common functions
Semaphores
Shared memory regions
Sockets
Signals
Data structures
Algorithms
16 Object reuse handling in socket allocation
Network subsystem
Overview of the network protocol stack
18 How data travels through the Network protocol stack
Network layer protocols
Transport layer protocols
3.2.2 IPv6 Header
Addressing
Security
Flow Labels
Transition between IPv4 and IPv6
IP Security IPsec
AH Header
Functional Description of IPsec
An IP Packet with tunnel mode AH
An IP Packet with tunnel mode ESP
Link layer protocols
Internet Control Message Protocol Icmp
Address Resolution Protocol ARP
Network services interface
Bind
Socket
Listen
Accept
Connect
Access control
Memory management
Generic calls
Page
24 Previous three-level page-tables architecture
Four-Level Page Tables
System
Memory addressing
26 System x virtual addressing space
Segmentation
28 Access control through segmentation
Paging
30 Regular paging
32 Access control through paging
For more information about call gates, refer to
System p
33 Paging data structures
34 Logical partitions
Privilege State
36 Determination of processor mode in Lpar
Real mode addressing
Address Translation on LPARs
Hypervisor
Virtual mode addressing
Access to I/O address space
Direct Memory Access addressing
Run-Time Abstraction Services
Preventing denial of service
System p native mode
39 Effective address
Machine State Register
41 Block address
Descriptor
Segment descriptor
Block descriptor
Address translation mechanisms
45 Block Address Translation entry
Address Translation and access control
47 Block Address Translation access control
Page
48 Page Address Translation and access control
Lpar mode
Native hardware mode
2.4.3 z/VM Guest mode
System z
Address sizes
Address spaces
Address translations
49 System z address types and their translation
51 Address translation modes
52 64-bit or 31-bit Dynamic Address Translation
53 Low-address protection on effective address
Memory protection mechanisms
Table protection
113
114
56 Key match logic for key-controlled protection
Logical address
EServer
Effective address
Linear address
Physical address
59 Data access privilege checks
Access control through type check
Page
121
63 Page map level four entry
Translation Lookaside Buffers
Kernel memory management
Reverse map Virtual Memory
Support for Numa servers
Huge Translation Lookaside Buffers
65 Rmap VM
66 TLB Operation
Frame management
Remapfilepages
Process address space
Memory area management
Noncontiguous memory area management
68 Object reuse handling while allocating new linear address
Symmetric multiprocessing and synchronization
Atomic operations
Memory barriers
Audit components
Audit subsystem
Spin locks
Kernel semaphores
Kernel-userspace interface
Audit kernel components
Syscall auditing
Filesystem watches
Task structure
Audit context fields
71 Task Structure
File system audit components
User space audit components
Configuration
Audit operation and configuration options
Option Description Possible values
Operation
Audit records
Audit record generation
Kernel record generation
Syscall audit record generation
73 Audit Record Generation
File system audit record generation
74 Extension to system calls interface
Socket call and IPC audit record generation
Record generation by trusted programs
Audit record format
Page
Event Description LAF audit events
Audit tools
Login uid association
Kernel modules
Auditctl
Linux Security Module framework
Structure
LSM capabilities module
LSM AppArmor module
AppArmor
Var/log/boot.msg Rwl Var/run/klogd.pid
AppArmor administrative utilities
Securityfs
AppArmor access control functions
Device drivers
1 I/O virtualization on System z
Interpretive-execution facility
State description
Hardware virtualization and simulation
Character device driver
Block device driver
Init
System initialization
System
Boot methods
Boot loader
Boot process
Linuxrc
79 System x Sles boot sequence
System p
Page
System p in Lpar
80 System p Sles boot sequence
Etc/sysconfig/init script
81 System p Lpar Sles boot sequence
Control program
System z
82describes the boot process for Sles as a z/VM guest
EServer
82 System z Sles boot sequence
169
83schematically describes the boot process of eServer 170
83 eServer 326 Sles boot sequence
Identification and authentication
Overview
Pluggable Authentication Module
Modules
Configuration terminology
Etc/security/pamenv.conf
Protected databases
Access control rules
Trusted commands and trusted processes
11.2.1.1 DAC
Agetty
Gpasswd
Login
Newgrp
Mingetty
11.3.7 su
Passwd
Interaction with audit
Network applications
OpenSSL Secure socket-layer interface
84 SSL location in the network stack
Encryption
Concepts
87 Encryption Algorithm and Key
88 Asymmetric keys
Message digest
Message Authentication Code MAC
Digital certificates and certificate authority
SSL architecture
SSL handshake protocol
90 SSL Protocol
187
Symmetric ciphers
OpenSSL algorithms
Asymmetric ciphers
Certificates
Hash functions
Secure Shell
SSH server daemon
SSH client
Cups
Very Secure File Transfer Protocol daemon
Cupsd
Ping
Ping6
Openssl
Stunnel
Account Management
System management
Xinetd
Chage
Chsh
Chfn
User management
Useradd
Usermod
Userdel
Groupadd
Group management
Groupdel
Groupmod
202
Other System Management
System Time management
Date
Hwclock
Memory
Supervisor mode instructions
Memory separation
13.5.1.3 I/O controller and network
System p
Star
Amtu output
207
Batch processing user commands
13.6 I&A support
Batch processing
14.1.2 at
Batch processing daemons
Cron
14.2.2 atd
Audit daemon
User-level audit subsystem
Audit utilities
Aureport
Audit configuration files
Audit logs
Autrace
TSF libraries
Supporting functions
LibraryDescription
System call linking mechanism
Library linking mechanism
System call argument verification
Pageoffset
Audit
Discretionary Access Control
Object reuse
Security management
TSF protection
Secure communications
Trusted processes TP.4
Testing the TOE protection mechanisms TP.7
TSF Databases TP.5
Internal TOE protection mechanisms TP.6
Summary of kernel subsystem interfaces
Kernel subsystem file and I/O
External Interfaces
Internal function Interfaces defined
Internal Interfaces 1.1.3
External interfaces system calls
Kernel subsystem process control and management
Kernel subsystem inter-process communication
Internal Interfaces
Dopipe
Kernel subsystem memory management
Kernel subsystem networking
Internal interfaces
Kernel subsystem audit
Kernel subsystem device drivers
Other functions
Kernel subsystems kernel modules
Summary of trusted processes interfaces
References
RSA
234
Top
Page
Image
Contents