IBM 10 SP1 EAL4 manual

•A system call interface is provided to provide restricted access to user processes. This interface allows user processes to allocate and free storage, and also to perform memory-mapped file I/O.

Figure 5-23: Memory subsystem and its interaction with other subsystems

This section highlights the implementation of the System Architecture requirements of a) allowing the kernel software to protect its own memory resources and b) isolating memory resources of one process from those of another, while allowing controlled sharing of memory resources between user processes.

This section is divided into five subsections. The first subsection, Four-Level Page Tables discuss recent changes to the Linux page table implementation. The second subsection, Memory Addressing, illustrates the SLES kernel’s memory addressing scheme and highlights how segmentation and paging are used to prevent unauthorized access to a memory address. The third subsection, Kernel Memory Management, describes how the kernel allocates dynamic memory for its own use, and highlights how the kernel takes care of object reuse while allocating new page frames. The fourth subsection, Process Address Space, describes how a process views dynamic memory and what the different components of a process’s address space are. The forth subsection also highlights how the kernel enforces access control with memory regions and handles object reuse with demand paging. The final subsection, Symmetric Multiprocessing and Synchronization, describes various SMP synchronization techniques used by the SLES kernel.

Because implementations of a portion of the memory management subsystem are dependent on the underlying hardware architecture, the following subsections identify and describe, where appropriate, how the hardware-dependent part of the memory management subsystem is implemented for the System x, System p, System z, and eServer 326 line of servers, which are all part of the TOE.

83

Image 95

IBM 10 SP1 EAL4 manual

Contents

Page EJR Table of Contents 2.1 DAC AppArmor Programs with software privilege Permission bits Access Control Lists 100 142 175 207 250 252 269 Terminology Purpose of this documentDocument overview Conventions used in this document System Overview High-level product overview Product historySuse Linux Enterprise Server EServer systems Overall structure of the TOE EServer host computer structurePage EServer system structure TOE services Security policy Local and network services provided by Sles TSF interfaces Operation and administration Approach to TSF identification Page Page System x hardware overview System x hardware architecture System System p hardware architecture System pSystem p hardware overview System z hardware overview System z hardware architecture System z EServer 326 hardware architecture EServerEServer 326 hardware overview AMD x86-64 architecture in compatibility mode Page Privilege level Hardware and software privilegeHardware privilege Levels of Privilege Software privilege AppArmor 2.1 DAC Programs with software privilege TOE Security Functions software structure Kernel TSF software Logical kernel subsystems and their interactions Logical components Kernel threads Execution componentsBase kernel Kernel modules and device drivers Non-kernel TSF softwarePage Definition of subsystems for the CC evaluation TSF databases Trusted process subsystems HardwareFirmware Kernel subsystems User-level audit subsystem Page File and I/O management Functional descriptions Ext3 and CD-ROM file systems before mounting Virtual File System Ext3 and CD-ROM file systems after mounting Pathname translation VFS pathname translation and access control checks Open Shared subtrees WriteMount Extended Attributes Disk-based file systems2.1 Ext3 file system Data structures Page Page Data structures and algorithms ISO 9660 file system for CD-ROM Tmpfs Pseudo file systemsProcfs Rootfs SysfsDevpts Binfmtmisc Discretionary Access Control DACConfigfs Inotify Indicates read Permission bits ACL qualifier Access Control ListsTypes of ACL tags Aclmask Default ACLs and ACL inheritanceACL permissions Relationship to file permission bits ACL enforcement 7 I/O scheduler Asynchronous I/O Completely Fair Queuing scheduler Deadline I/O schedulerAnticipatory I/O scheduler Bottom halves 8 I/O interruptsNoop I/O scheduler Top halves Work queue Processor interruptsMachine check Tasklets Data structures Process control and managementPage DAC controls Process creation and destructionControl of child processes Execve Process switchKernel threads Setresuidand setresgid Hyperthreading scheduler Scheduling 14 Hyperthreaded scheduling Kernel preemption Inter-process communication Data structures and algorithms Pipes Fifo creation First-In First-Out Named pipes Common data structures System V IPCFifo open Message queues Common functions Semaphores Shared memory regions Algorithms SignalsSockets Data structures 16 Object reuse handling in socket allocation Network subsystem Overview of the network protocol stack 18 How data travels through the Network protocol stack Network layer protocols Transport layer protocols 3.2.2 IPv6 Header Addressing IP Security IPsec Flow LabelsSecurity Transition between IPv4 and IPv6 AH Header Functional Description of IPsec An IP Packet with tunnel mode AH An IP Packet with tunnel mode ESP Link layer protocols Internet Control Message Protocol Icmp Address Resolution Protocol ARP Network services interface Bind Socket Connect ListenAccept Generic calls Access controlMemory management Page 24 Previous three-level page-tables architecture Four-Level Page Tables System Memory addressing 26 System x virtual addressing space Segmentation 28 Access control through segmentation Paging 30 Regular paging 32 Access control through paging For more information about call gates, refer to System p 33 Paging data structures 34 Logical partitions Privilege State 36 Determination of processor mode in Lpar Hypervisor Real mode addressingAddress Translation on LPARs Direct Memory Access addressing Virtual mode addressingAccess to I/O address space System p native mode Run-Time Abstraction ServicesPreventing denial of service 39 Effective address Machine State Register 41 Block address Block descriptor DescriptorSegment descriptor Address translation mechanisms 45 Block Address Translation entry Address Translation and access control 47 Block Address Translation access controlPage 48 Page Address Translation and access control System z Native hardware modeLpar mode 2.4.3 z/VM Guest mode Address translations Address sizesAddress spaces 49 System z address types and their translation 51 Address translation modes 52 64-bit or 31-bit Dynamic Address Translation 53 Low-address protection on effective address Memory protection mechanisms Table protection 113 114 56 Key match logic for key-controlled protection Logical address EServer Physical address Effective addressLinear address 59 Data access privilege checks Access control through type check Page 121 63 Page map level four entry Translation Lookaside Buffers Kernel memory management Reverse map Virtual Memory Support for Numa servers Huge Translation Lookaside Buffers 65 Rmap VM 66 TLB Operation Frame management Remapfilepages Noncontiguous memory area management Process address spaceMemory area management 68 Object reuse handling while allocating new linear address Memory barriers Symmetric multiprocessing and synchronizationAtomic operations Kernel semaphores Audit subsystemAudit components Spin locks Kernel-userspace interface Audit kernel components Task structure Syscall auditingFilesystem watches Audit context fields 71 Task Structure File system audit components User space audit components Configuration Audit operation and configuration options Option Description Possible values Operation Kernel record generation Audit recordsAudit record generation Syscall audit record generation 73 Audit Record Generation File system audit record generation 74 Extension to system calls interface Audit record format Socket call and IPC audit record generationRecord generation by trusted programs Page Event Description LAF audit events Auditctl Login uid associationAudit tools Kernel modules Linux Security Module framework Structure AppArmor LSM capabilities moduleLSM AppArmor module Var/log/boot.msg Rwl Var/run/klogd.pid AppArmor administrative utilities Securityfs AppArmor access control functions Interpretive-execution facility Device drivers1 I/O virtualization on System z State description Hardware virtualization and simulation Character device driver Block device driver Init System initialization System Boot process Boot methodsBoot loader Linuxrc 79 System x Sles boot sequence System p Page System p in Lpar 80 System p Sles boot sequence Etc/sysconfig/init script 81 System p Lpar Sles boot sequence Control program System z 82describes the boot process for Sles as a z/VM guest EServer 82 System z Sles boot sequence 169 83schematically describes the boot process of eServer 170 83 eServer 326 Sles boot sequence Identification and authentication Overview Pluggable Authentication Module Modules Configuration terminology Etc/security/pamenv.conf Protected databases Agetty Trusted commands and trusted processesAccess control rules 11.2.1.1 DAC Gpasswd Login Newgrp Mingetty 11.3.7 su Passwd OpenSSL Secure socket-layer interface Interaction with auditNetwork applications 84 SSL location in the network stack Encryption Concepts 87 Encryption Algorithm and Key 88 Asymmetric keys SSL architecture Message Authentication Code MACMessage digest Digital certificates and certificate authority SSL handshake protocol 90 SSL Protocol 187 Symmetric ciphers OpenSSL algorithms Hash functions Asymmetric ciphersCertificates Secure Shell SSH server daemon SSH client Cups Very Secure File Transfer Protocol daemon Cupsd Openssl PingPing6 Stunnel Chage System managementAccount Management Xinetd Chsh Chfn Usermod User managementUseradd Userdel Groupadd Group management Groupdel Groupmod 202 Hwclock System Time managementOther System Management Date 13.5.1.3 I/O controller and network Supervisor mode instructionsMemory Memory separation System p Star Amtu output 207 Batch processing Batch processing user commands13.6 I&A support 14.1.2 at 14.2.2 atd Batch processing daemonsCron Aureport User-level audit subsystemAudit daemon Audit utilities Autrace Audit configuration filesAudit logs TSF libraries Supporting functions LibraryDescription System call linking mechanism Library linking mechanism System call argument verification Pageoffset Audit Security management Discretionary Access ControlObject reuse TSF protection Secure communications Internal TOE protection mechanisms TP.6 Testing the TOE protection mechanisms TP.7Trusted processes TP.4 TSF Databases TP.5 External Interfaces Summary of kernel subsystem interfacesKernel subsystem file and I/O Internal function Interfaces defined Internal Interfaces 1.1.3 External interfaces system calls Kernel subsystem process control and management Kernel subsystem inter-process communication Internal Interfaces Dopipe Kernel subsystem memory management Kernel subsystem networking Internal interfaces Kernel subsystem audit Kernel subsystem device drivers Other functions Kernel subsystems kernel modules Summary of trusted processes interfaces References RSA 234