The Linux kernel controls actions

Source: Imre kasutab arvutit
Revision as of 4 May 2026, 01:42 by user Imre

Introduction

TODO

Terms

  • seccomp - a per-process syscall filter (a small BPF program) that decides at syscall entry whether the call may proceed at all
  • capabilities - the old all-or-nothing root privilege split into independent bits (CAP_SYS_ADMIN, CAP_SYS_TIME, CAP_NET_BIND_SERVICE, ...) that a process holds or does not hold
  • dac/acl - discretionary access control: the owner/group/other mode bits on files, plus POSIX ACLs that extend them to named users and groups
  • lsm - Linux Security Module: a hook framework in the kernel through which a mandatory policy (AppArmor, SELinux, ...) can refuse an access that DAC has already allowed

How it works

Claims

  • in general a process wants to use some resource, and that use has to be checked (i.e. the system must decide whether to allow it)
  • privileges (the right to do something, to use something) belong not so much to the user as to the process: the kernel checks the credentials and filters of the calling process, not a person
  • a process's privileges stem, among other things, from three mechanisms: 1. the seccomp syscall firewall, 2. capabilities, 3. the LSM (plus the classic DAC check on the object itself, see the figure below)
  • system call (syscall, 'make a system call') - the only way a user-space process can ask the kernel to do something on its behalf (open a file, map memory, mount a filesystem, set the clock); every gate described here sits on that path

Syscalls are broadly of two kinds

  • Unprivileged syscalls (the page calls them "automatic"): mmap(), read(), brk() and the like. The kernel needs no special privilege for them; the only question is whether the process may touch the object involved (a file descriptor it already holds, a mapping in its own address space), i.e. the ordinary DAC permissions and whatever the LSM says about that object.
  • Restricted syscalls: clock_adjtime(), reboot(), mount() and the like affect the whole system. Historically the kernel had one simple rule: if (uid == 0) allow, else deny. Since Linux 2.2 each such call checks a single capability bit instead (CAP_SYS_TIME, CAP_SYS_BOOT and CAP_SYS_ADMIN respectively), so uid 0 without that bit gets EPERM exactly like any other user.
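The restricted-syscall case from the list above, as an added example that is not from this page: the same clock_adjtime() call is made twice, once in its read-only form (modes = 0), which any process may issue, and once asking to inject a zero-second offset, which changes nothing but still has to pass the CAP_SYS_TIME check. The process's effective capability set is read from /proc/self/status, so the observed EPERM (or success) can be compared with the bit the process actually holds. The code assumes Linux with /proc mounted and a libc that wraps clock_adjtime(); run it as an ordinary user, then in a container that drops CAP_SYS_TIME, then on a host as root, and note that only the capability bit, not the uid, decides the outcome.

```c
/* Added example (not from this page): probing the capabilities gate from user space.
 * Assumes Linux with /proc mounted and a libc that wraps clock_adjtime(). */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>   /* CAP_SYS_TIME and the other CAP_* bit numbers */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/timex.h>
#include <time.h>

/* Read one hex bitmask ("CapEff:\t0000003fffffffff") out of /proc/<pid>/status text. */
static uint64_t parse_cap_mask(const char *status_text, const char *field)
{
    const char *p = strstr(status_text, field);
    if (!p) return 0;
    return strtoull(p + strlen(field), NULL, 16);   /* strtoull skips the tab */
}

/* 1 if bit `cap` is set in this process's effective capability set, else 0. */
static int has_effective_cap(int cap)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)((parse_cap_mask(buf, "CapEff:") >> cap) & 1);
}

/* modes == 0 only reports the clock state: no privilege needed, any process may call it. */
static int unprivileged_query(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    return clock_adjtime(CLOCK_REALTIME, &tx);   /* >= 0 (TIME_OK etc.) on success */
}

/* Same syscall, but a non-zero modes asks to change the clock. The offset injected
 * here is 0 s 0 us, so nothing moves, yet the kernel demands CAP_SYS_TIME before it
 * even validates the value: without the bit the result is -1/EPERM, uid 0 or not. */
static int privileged_adjust(void)
{
    struct timex tx;
    memset(&tx, 0, sizeof tx);
    tx.modes = ADJ_SETOFFSET;
    return clock_adjtime(CLOCK_REALTIME, &tx);
}

/* 1 when the kernel's answer matches CapEff, 0 when it does not, and -1 when even the
 * read-only form is refused (no usable clock_adjtime on this kernel or sandbox). */
int capability_gate_matches(void)
{
    if (unprivileged_query() < 0) return -1;
    int have_cap = has_effective_cap(CAP_SYS_TIME);
    int rc = privileged_adjust();
    if (have_cap) return rc >= 0;
    return rc < 0 && errno == EPERM;
}

int main(void)
{
    printf("CAP_SYS_TIME in CapEff: %s\n", has_effective_cap(CAP_SYS_TIME) ? "yes" : "no");
    printf("read-only clock_adjtime: %s\n", unprivileged_query() < 0 ? strerror(errno) : "ok");
    printf("offset-setting clock_adjtime: %s\n", privileged_adjust() < 0 ? strerror(errno) : "ok");
    return capability_gate_matches() == 1 ? 0 : 1;
}
```

Compile with `cc -Wall demo.c -o demo`. Reading CapEff from /proc rather than calling capget() keeps the example free of libcap and shows where tools such as `grep Cap /proc/$PID/status` get their numbers; the same parser works on any of the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines.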

Figure

   running process  ->  syscall interface     -> kernel               ->    resource
 
                     ^                              ^                  ^
                     |                              |                  |
                     |                              |                  |
 
             seccomp firewall                  capabilities      lsm (apparmor)
                                                   dac

where

  • systemd - applies seccomp and capabilities per service, before the service binary is exec'ed: SystemCallFilter= installs the seccomp filter, CapabilityBoundingSet= and AmbientCapabilities= set the capability sets
  • apparmor - one LSM among several; its profiles are loaded into the kernel with apparmor_parser (normally by the apparmor.service unit at boot) and are what the LSM gate consults

Figure generated by Gemini (the gate order shown is the common case: seccomp runs once at syscall entry, the other three inside the code path of the particular syscall, and a capability check itself also passes through an LSM hook)

[ PROCESS ]
      |
      | 1. SECCOMP GATE (The Vocabulary Check)
      |    "Is this syscall even allowed to be uttered?"
      |    [ Filter: 23 active ] ---------------------> [ REJECT / SIGSYS ]
      |
      v
      | 2. CAPABILITIES GATE (The Authority Check)
      |    "Does this process hold the specific bit for this action?"
      |    [ e.g., CAP_SYS_TIME ] --------------------> [ REJECT / EPERM ]
      |
      v
      | 3. DAC / ACL GATE (The Identity Check)
      |    "Is the process UID/GID on the list for this file/device?"
      |    [ Feature: +ACL ] -------------------------> [ REJECT / EACCES ]
      |
      v
      | 4. LSM / MAC GATE (The Policy "Horizon")
      |    "Does the overall security policy permit this role this access?"
      |    [ AppArmor / SELinux ] --------------------> [ REJECT / DENIED ]
      |
      v
  [ RESOURCE ] (e.g., /dev/sda, System Clock, Network Socket)
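Gate 1 of the figure, as an added example that is not from this page: a seccomp filter is written by hand as a raw BPF program and installed with prctl() in a forked child, which then makes the filtered syscall. The child reports which of the figure's two refusal modes it met: SECCOMP_RET_ERRNO makes the call fail with a chosen errno before the kernel looks at capabilities, DAC or the LSM, while SECCOMP_RET_KILL_PROCESS ends the child with SIGSYS. getppid() stands in for reboot() or mount() so the demo is harmless whatever the caller's privileges; the filter logic is identical for any syscall number. The code assumes Linux 4.14 or newer on x86_64 or aarch64 (the AUDIT_ARCH_* constant is chosen at compile time).

```c
/* Added example (not from this page): the seccomp gate, installed by hand with a raw
 * BPF program so its two refusal modes (errno vs SIGSYS) can be observed in a child.
 * Assumes Linux >= 4.14 on x86_64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#  error "set DEMO_ARCH to the AUDIT_ARCH_* value of this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS            /* older uapi headers only know KILL_THREAD */
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

enum gate_result { GATE_ALLOWED = 1, GATE_ERRNO = 2, GATE_KILLED = 3, GATE_UNAVAILABLE = 4 };

/* Filter: every syscall passes except `nr`, which receives `action`. */
static int install_filter(int nr, unsigned int action)
{
    struct sock_filter code[] = {
        /* 1. syscall numbers differ per ABI, so kill anything not on the expected one */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 2. compare the syscall number against the one we deny */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };

    /* An unprivileged process may only install a filter after giving up the right to
     * ever gain privileges (no setuid exec); otherwise a hostile filter could be
     * inherited by a setuid program. systemd's SystemCallFilter= does the same. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child, have it call getppid() raw, report what happened. */
static enum gate_result run_under_filter(unsigned int action)
{
    pid_t pid = fork();
    if (pid < 0) return GATE_UNAVAILABLE;
    if (pid == 0) {
        if (install_filter(SYS_getppid, action) != 0) _exit(GATE_UNAVAILABLE);
        errno = 0;
        long r = syscall(SYS_getppid);     /* raw: the filter sees exactly this number */
        if (r < 0 && errno == ENOSYS) _exit(GATE_ERRNO);
        _exit(GATE_ALLOWED);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return GATE_UNAVAILABLE;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return GATE_KILLED;
    if (WIFEXITED(status)) return (enum gate_result)WEXITSTATUS(status);
    return GATE_UNAVAILABLE;
}

/* 1 when all three filter actions behave as documented, 2 when seccomp filtering is
 * not available here at all, 0 when the kernel contradicts the expectation. */
int seccomp_gate_consistent(void)
{
    enum gate_result a = run_under_filter(SECCOMP_RET_ALLOW);
    if (a == GATE_UNAVAILABLE) return 2;
    return a == GATE_ALLOWED
        && run_under_filter(SECCOMP_RET_ERRNO | ENOSYS) == GATE_ERRNO
        && run_under_filter(SECCOMP_RET_KILL_PROCESS) == GATE_KILLED;
}

int main(void)
{
    static const char *name[] = { "", "allowed", "refused with errno", "killed by SIGSYS", "seccomp unavailable" };
    printf("SECCOMP_RET_ALLOW        -> %s\n", name[run_under_filter(SECCOMP_RET_ALLOW)]);
    printf("SECCOMP_RET_ERRNO|ENOSYS -> %s\n", name[run_under_filter(SECCOMP_RET_ERRNO | ENOSYS)]);
    printf("SECCOMP_RET_KILL_PROCESS -> %s\n", name[run_under_filter(SECCOMP_RET_KILL_PROCESS)]);
    return seccomp_gate_consistent() == 1 ? 0 : 1;
}
```

The arch check at the top of the program is not decoration: on x86_64 the same syscall number means something else under the x32 or i386 ABI, so a filter that keys on the number alone can be bypassed by switching ABI. Production filters (libseccomp, systemd) emit the same check, and also list the allowed calls rather than the denied one as this demo does, because a deny-list silently admits every syscall added to the kernel later.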

Useful further reading

  • TODO