=============================
The Linux Kernel threat model
=============================

There are a lot of assumptions regarding what the kernel does and does not
protect against. These assumptions tend to cause confusion for bug reports
(:doc:`security-related ones <security-bugs>` vs
:doc:`non-security ones <../admin-guide/reporting-issues>`), and can
complicate security enforcement when the responsibilities for some boundaries
are not clear between the kernel, distros, administrators and users.

This document tries to clarify the responsibilities of the kernel in this
domain.

The kernel's responsibilities
-----------------------------

The kernel abstracts access to local hardware resources and to remote systems
in a way that allows multiple local users to get a fair share of the available
resources granted to them, and, when the underlying hardware permits, to
assign a level of confidentiality to their communications and to the data they
are processing or storing.

The kernel assumes that the underlying hardware behaves according to its
specifications. This includes the integrity of the CPU's instruction set, the
transparency of the branch prediction unit and the cache units, the
consistency of the Memory Management Unit (MMU), the isolation of DMA-capable
peripherals (e.g., via IOMMU), state transitions in controllers, ranges of
values read from registers, the respect of documented hardware limitations,
etc.

When hardware fails to maintain its specified isolation (e.g., CPU bugs,
side-channels, hardware response to unexpected inputs), the kernel will
usually attempt to implement reasonable mitigations. These are best-effort
measures intended to reduce the attack surface or elevate the cost of an
attack within the limits of the hardware's facilities; they do not constitute
a kernel-provided safety guarantee.

Users always perform their activities under the authority of an administrator
who is able to grant or deny various types of permissions that may affect how
users benefit from available resources, or the level of confidentiality of
their activities. Administrators may also delegate all or part of their own
permissions to some users, particularly, but not only, via capabilities. All
this is performed via configuration (sysctl, file-system permissions, etc.).

The Linux Kernel applies a certain collection of default settings that match
its threat model. Distros have their own threat model and will come with their
own configuration presets, which the administrator may have to adjust to
better suit their expectations (relax or restrict).

By default, the Linux Kernel guarantees the following protections when running
on common processors featuring privilege levels and memory management units:

* **User-based isolation**: an unprivileged user may restrict access to their
  own data from other unprivileged users running on the same system. This
  includes:

  * stored data, via file system permissions
  * in-memory data (pages are not accessible by default to other users)
  * process activity (ptrace is not permitted to other users)
  * inter-process communication (other users may not observe data exchanged
    via UNIX domain sockets or other IPC mechanisms).
  * network communications within the same or with other systems