Linux kernel checks actions: difference between revisions
Source: Imre kasutab arvutit
| 15. rida: | 15. rida: | ||
* üldiselt tahab protsess kasutada mingit ressurssi ja seda on vaja kontrollida (nt peab süsteem otsustama, kas seda kasutamist lubada) |
* üldiselt tahab protsess kasutada mingit ressurssi ja seda on vaja kontrollida (nt peab süsteem otsustama, kas seda kasutamist lubada) |
||
| + | * privileegid (st õigus midagi teha, midagi kasutada) pole mitte niivõrd kasutajal, aga privileegid on protsessil |
||
| ⚫ | |||
| + | * protsessi privileegid tulenevad muu hulgast kolmest asjaolust: 1. seccomp syscall tulemüür, 2. capabilities, 3. lsm |
||
| ⚫ | |||
| + | |||
| + | Syscallisid on üldiselt kahesuguseid |
||
| + | |||
| + | * |
||
Joonis |
Joonis |
||
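Review bot: the added bullet "protsessi privileegid tulenevad muu hulgast kolmest asjaolust" names three sources (seccomp, capabilities, lsm), while the diagram added further down in this same revision shows four gates, including "3. DAC / ACL GATE". Either add dac/acl to the bullet or say why it is left out. The added line "Syscallisid on üldiselt kahesuguseid" is followed only by an empty "*" bullet, so the two kinds are never named; complete the list or hold the sentence back until it can be completed.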
| 34. rida: | 40. rida: | ||
* systemd - tegeleb seccomp ja capabilities rakendamisega |
* systemd - tegeleb seccomp ja capabilities rakendamisega |
||
* apparmor - tegeleb lsm rakendamisega |
* apparmor - tegeleb lsm rakendamisega |
||
| + | |||
| + | ===gemini joonis=== |
||
| + | |||
| + | <pre> |
||
| + | [ PROCESS ] |
||
| + | | |
||
| + | | 1. SECCOMP GATE (The Vocabulary Check) |
||
| + | | "Is this syscall even allowed to be uttered?" |
||
| + | | [ Filter: 23 active ] ---------------------> [ REJECT / SIGSYS ] |
||
| + | | |
||
| + | v |
||
| + | | 2. CAPABILITIES GATE (The Authority Check) |
||
| + | | "Does this process hold the specific bit for this action?" |
||
| + | | [ e.g., CAP_SYS_TIME ] --------------------> [ REJECT / EPERM ] |
||
| + | | |
||
| + | v |
||
| + | | 3. DAC / ACL GATE (The Identity Check) |
||
| + | | "Is the process UID/GID on the list for this file/device?" |
||
| + | | [ Feature: +ACL ] -------------------------> [ REJECT / EACCES ] |
||
| + | | |
||
| + | v |
||
| + | | 4. LSM / MAC GATE (The Policy "Horizon") |
||
| + | | "Does the overall security policy permit this role this access?" |
||
| + | | [ AppArmor / SELINUX ] --------------------> [ REJECT / DENIED ] |
||
| + | | |
||
| + | v |
||
| + | [ RESOURCE ] (e.g., /dev/sda, System Clock, Network Socket) |
||
| + | </pre> |
||
===Kasulikud lisamaterjalid=== |
===Kasulikud lisamaterjalid=== |
||
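Review bot: the diagram under "===gemini joonis===" carries specifics that nothing on the page explains: "[ Filter: 23 active ]" and "[ Feature: +ACL ]" read like output copied from one particular system, and the page does not say which. Name the command and host they came from, or replace them with generic labels. The reject labels are also inconsistent: the first three gates give a signal or errno (SIGSYS, EPERM, EACCES), while gate 4 gives "DENIED", which is neither. The heading suggests the drawing is generated, so state which parts have been checked against the page's own figure above it.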
Revision as of 4 May 2026, 01:40
Introduction
TODO
Terms
- seccomp
- capabilities
- dac/acl
- lsm
How it works
Claims
- in general, a process wants to use some resource, and that use has to be checked (e.g. the system must decide whether to allow it)
- privileges (i.e. the right to do something or to use something) belong not so much to the user as to the process
- a process's privileges derive from, among other things, three factors: 1. the seccomp syscall firewall, 2. capabilities, 3. lsm
- system call (syscall, 'make system call') - xxx
There are generally two kinds of syscalls
Figure
running process -> syscall interface -> kernel -> resource
                         ^                 ^        ^
                         |                 |        |
                         |                 |        |
                  seccomp firewall   capabilities  lsm (apparmor)
                                         dac
where
- systemd - applies seccomp and capabilities
- apparmor - applies lsm
gemini figure
[ PROCESS ]
|
| 1. SECCOMP GATE (The Vocabulary Check)
| "Is this syscall even allowed to be uttered?"
| [ Filter: 23 active ] ---------------------> [ REJECT / SIGSYS ]
|
v
| 2. CAPABILITIES GATE (The Authority Check)
| "Does this process hold the specific bit for this action?"
| [ e.g., CAP_SYS_TIME ] --------------------> [ REJECT / EPERM ]
|
v
| 3. DAC / ACL GATE (The Identity Check)
| "Is the process UID/GID on the list for this file/device?"
| [ Feature: +ACL ] -------------------------> [ REJECT / EACCES ]
|
v
| 4. LSM / MAC GATE (The Policy "Horizon")
| "Does the overall security policy permit this role this access?"
| [ AppArmor / SELINUX ] --------------------> [ REJECT / DENIED ]
|
v
[ RESOURCE ] (e.g., /dev/sda, System Clock, Network Socket)
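The per-process state behind the seccomp and capabilities gates is recorded in /proc/<pid>/status. The Python below is an added example, not part of the original page: it decodes those fields from a constructed sample (the process name, UID and values are made up), using the capability bit numbers from linux/capability.h.

```python
import sys

# Capability names in bit order (bit 0 .. bit 40), as in linux/capability.h.
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID "
             "SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST "
             "NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO "
             "SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE "
             "SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
             "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM "
             "BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed sample (not from a real host): only CAP_SYS_TIME, seccomp filters on.
SAMPLE_STATUS = (
    "Name:\texample-timed\n"
    "Uid:\t995\t995\t995\t995\n"
    "CapEff:\t0000000002000000\n"
    "CapBnd:\t0000000002000000\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t23\n"
)

def decode_caps(hex_mask):
    """Turn a CapEff/CapPrm/CapBnd hex mask into capability names."""
    mask = int(hex_mask, 16)
    names = ["CAP_" + n for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    extra = mask >> len(CAP_NAMES) << len(CAP_NAMES)  # bits newer than this table
    return names + ([f"unknown_bits=0x{extra:x}"] if extra else [])

def process_gates(status_text):
    """Summarise the per-process inputs to the seccomp and capability checks."""
    pairs = (line.split(":", 1) for line in status_text.splitlines() if ":" in line)
    f = {key: value.strip() for key, value in pairs}
    mode = int(f.get("Seccomp", "0"))
    return {
        "effective_uid": int(f["Uid"].split()[1]),   # real, effective, saved, fs
        "no_new_privs": f.get("NoNewPrivs") == "1",
        "seccomp": SECCOMP_MODES.get(mode, f"unknown({mode})"),
        "seccomp_filters": int(f.get("Seccomp_filters", "0")),
        "effective_caps": decode_caps(f["CapEff"]),
        "bounding_caps": decode_caps(f["CapBnd"]),
    }

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for key, value in process_gates(text).items():
        print(f"{key:16} {value}")
```

Passing /proc/self/status (or another PID's status file) as the argument decodes a live process; the LSM side is not in this file and is read separately from /proc/<pid>/attr/current.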
Useful additional materials
- TODO