€•Œsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œtranslations”Œ LanguagesNode”“”)”}”(hhh]”(hŒpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ(/translations/zh_CN/security/credentials”Œmodname”NŒ classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ(/translations/zh_TW/security/credentials”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ(/translations/it_IT/security/credentials”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ(/translations/ja_JP/security/credentials”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ(/translations/ko_KR/security/credentials”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ(/translations/sp_SP/security/credentials”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒCredentials in Linux”h]”hŒCredentials in Linux”…””}”(hh¨hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¦hh£hžhhŸŒB/var/lib/git/docbuild/linux/Documentation/security/credentials.rst”h KubhŒ paragraph”“”)”}”(hŒ'By: David Howells ”h]”(hŒBy: David Howells <”…””}”(hh¹hžhhŸNh NubhŒ reference”“”)”}”(hŒdhowells@redhat.com”h]”hŒdhowells@redhat.com”…””}”(hhÃhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:dhowells@redhat.com”uh1hÁhh¹ubhŒ>”…””}”(hh¹hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khh£hžhubhŒtopic”“”)”}”(hhh]”hŒbullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒOverview”…””}”(hhïhžhhŸNh Nubah}”(h]”Œid1”ah ]”h"]”h$]”h&]”Œrefid”Œoverview”uh1hÁhhìubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hhéubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhhäubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒTypes of Credentials”…””}”(hjhžhhŸNh Nubah}”(h]”Œid2”ah ]”h"]”h$]”h&]”Œrefid”Œtypes-of-credentials”uh1hÁhjubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhhäubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒ File Markings”…””}”(hj3hžhhŸNh Nubah}”(h]”Œid3”ah ]”h"]”h$]”h&]”Œrefid”Œ file-markings”uh1hÁhj0ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hj-ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhhäubhè)”}”(hhh]”(h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒTask Credentials”…””}”(hjUhžhhŸNh Nubah}”(h]”Œid4”ah ]”h"]”h$]”h&]”Œrefid”Œtask-credentials”uh1hÁhjRubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjOubhã)”}”(hhh]”(hè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒImmutable Credentials”…””}”(hjthžhhŸNh Nubah}”(h]”Œid5”ah ]”h"]”h$]”h&]”Œrefid”Œimmutable-credentials”uh1hÁhjqubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjnubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjkubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒAccessing Task Credentials”…””}”(hj–hžhhŸNh Nubah}”(h]”Œid6”ah ]”h"]”h$]”h&]”Œrefid”Œaccessing-task-credentials”uh1hÁhj“ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjkubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒ&Accessing Another Taskâ€™s Credentials”…””}”(hj¸hžhhŸNh Nubah}”(h]”Œid7”ah ]”h"]”h$]”h&]”Œrefid”Œ$accessing-another-task-s-credentials”uh1hÁhjµubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hj²ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjkubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒAltering Credentials”…””}”(hjÚhžhhŸNh Nubah}”(h]”Œid8”ah ]”h"]”h$]”h&]”Œrefid”Œaltering-credentials”uh1hÁhj×ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjÔubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjkubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒManaging Credentials”…””}”(hjühžhhŸNh Nubah}”(h]”Œid9”ah ]”h"]”h$]”h&]”Œrefid”Œmanaging-credentials”uh1hÁhjùubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjöubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjkubeh}”(h]”h ]”h"]”h$]”h&]”uh1hâhjOubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhhäubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒOpen File Credentials”…””}”(hj*hžhhŸNh Nubah}”(h]”Œid10”ah ]”h"]”h$]”h&]”Œrefid”Œopen-file-credentials”uh1hÁhj'ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hj$ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhhäubhè)”}”(hhh]”h¸)”}”(hhh]”hÂ)”}”(hhh]”hŒ)Overriding the VFSâ€™s Use of Credentials”…””}”(hjLhžhhŸNh Nubah}”(h]”Œid11”ah ]”h"]”h$]”h&]”Œrefid”Œ'overriding-the-vfs-s-use-of-credentials”uh1hÁhjIubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hjFubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhhäubeh}”(h]”h ]”h"]”h$]”h&]”uh1hâhhßhžhhŸNh Nubah}”(h]”Œcontents”ah ]”(Œcontents”Œlocal”eh"]”Œcontents”ah$]”h&]”uh1hÝhŸh¶h Khh£hžhubh¢)”}”(hhh]”(h§)”}”(hŒOverview”h]”hŒOverview”…””}”(hj{hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefid”høuh1h¦hjxhžhhŸh¶h K ubh¸)”}”(hŒcThere are several parts to the security check performed by Linux when one object acts upon another:”h]”hŒcThere are several parts to the security check performed by Linux when one object acts upon another:”…””}”(hjŠhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KhjxhžhubhŒblock_quote”“”)”}”(hXS1. Objects. Objects are things in the system that may be acted upon directly by userspace programs. Linux has a variety of actionable objects, including: - Tasks - Files/inodes - Sockets - Message queues - Shared memory segments - Semaphores - Keys As a part of the description of all these objects there is a set of credentials. What's in the set depends on the type of object. 2. Object ownership. Amongst the credentials of most objects, there will be a subset that indicates the ownership of that object. This is used for resource accounting and limitation (disk quotas and task rlimits for example). In a standard UNIX filesystem, for instance, this will be defined by the UID marked on the inode. 3. The objective context. Also amongst the credentials of those objects, there will be a subset that indicates the 'objective context' of that object. This may or may not be the same set as in (2) - in standard UNIX files, for instance, this is the defined by the UID and the GID marked on the inode. The objective context is used as part of the security calculation that is carried out when an object is acted upon. 4. Subjects. A subject is an object that is acting upon another object. Most of the objects in the system are inactive: they don't act on other objects within the system. Processes/tasks are the obvious exception: they do stuff; they access and manipulate things. Objects other than tasks may under some circumstances also be subjects. For instance an open file may send SIGIO to a task using the UID and EUID given to it by a task that called ``fcntl(F_SETOWN)`` upon it. In this case, the file struct will have a subjective context too. 5. The subjective context. A subject has an additional interpretation of its credentials. A subset of its credentials forms the 'subjective context'. The subjective context is used as part of the security calculation that is carried out when a subject acts. A Linux task, for example, has the FSUID, FSGID and the supplementary group list for when it is acting upon a file - which are quite separate from the real UID and GID that normally form the objective context of the task. 6. Actions. Linux has a number of actions available that a subject may perform upon an object. The set of actions available depends on the nature of the subject and the object. Actions include reading, writing, creating and deleting files; forking or signalling and tracing tasks. 7. Rules, access control lists and security calculations. When a subject acts upon an object, a security calculation is made. This involves taking the subjective context, the objective context and the action, and searching one or more sets of rules to see whether the subject is granted or denied permission to act in the desired manner on the object, given those contexts. There are two main sources of rules: a. Discretionary access control (DAC): Sometimes the object will include sets of rules as part of its description. This is an 'Access Control List' or 'ACL'. A Linux file may supply more than one ACL. A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject ('user', 'group' and 'other'), each of which may be granted certain privileges ('read', 'write' and 'execute' - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use. A Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects. b. Mandatory access control (MAC): The system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this. In the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied. ”h]”hŒenumerated_list”“”)”}”(hhh]”(hè)”}”(hXObjects. Objects are things in the system that may be acted upon directly by userspace programs. Linux has a variety of actionable objects, including: - Tasks - Files/inodes - Sockets - Message queues - Shared memory segments - Semaphores - Keys As a part of the description of all these objects there is a set of credentials. What's in the set depends on the type of object. ”h]”(h¸)”}”(hŒObjects.”h]”hŒObjects.”…””}”(hj§hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj£ubj™)”}”(hXˆObjects are things in the system that may be acted upon directly by userspace programs. Linux has a variety of actionable objects, including: - Tasks - Files/inodes - Sockets - Message queues - Shared memory segments - Semaphores - Keys As a part of the description of all these objects there is a set of credentials. What's in the set depends on the type of object. ”h]”(h¸)”}”(hŒŽObjects are things in the system that may be acted upon directly by userspace programs. Linux has a variety of actionable objects, including:”h]”hŒŽObjects are things in the system that may be acted upon directly by userspace programs. Linux has a variety of actionable objects, including:”…””}”(hj¹hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjµubj™)”}”(hŒ_- Tasks - Files/inodes - Sockets - Message queues - Shared memory segments - Semaphores - Keys ”h]”hã)”}”(hhh]”(hè)”}”(hŒTasks”h]”h¸)”}”(hjÐh]”hŒTasks”…””}”(hjÒhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KhjÎubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjËubhè)”}”(hŒFiles/inodes”h]”h¸)”}”(hjçh]”hŒFiles/inodes”…””}”(hjéhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjåubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjËubhè)”}”(hŒSockets”h]”h¸)”}”(hjþh]”hŒSockets”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjüubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjËubhè)”}”(hŒMessage queues”h]”h¸)”}”(hjh]”hŒMessage queues”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjËubhè)”}”(hŒShared memory segments”h]”h¸)”}”(hj,h]”hŒShared memory segments”…””}”(hj.hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj*ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjËubhè)”}”(hŒ Semaphores”h]”h¸)”}”(hjCh]”hŒ Semaphores”…””}”(hjEhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KhjAubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjËubhè)”}”(hŒKeys ”h]”h¸)”}”(hŒKeys”h]”hŒKeys”…””}”(hj\hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KhjXubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjËubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1hâhŸh¶h KhjÇubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Khjµubh¸)”}”(hŒ‚As a part of the description of all these objects there is a set of credentials. What's in the set depends on the type of object.”h]”hŒ„As a part of the description of all these objects there is a set of credentials. Whatâ€™s in the set depends on the type of object.”…””}”(hj~hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjµubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Khj£ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj ubhè)”}”(hXIObject ownership. Amongst the credentials of most objects, there will be a subset that indicates the ownership of that object. This is used for resource accounting and limitation (disk quotas and task rlimits for example). In a standard UNIX filesystem, for instance, this will be defined by the UID marked on the inode. ”h]”(h¸)”}”(hŒObject ownership.”h]”hŒObject ownership.”…””}”(hjœhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khj˜ubj™)”}”(hX1Amongst the credentials of most objects, there will be a subset that indicates the ownership of that object. This is used for resource accounting and limitation (disk quotas and task rlimits for example). In a standard UNIX filesystem, for instance, this will be defined by the UID marked on the inode. ”h]”(h¸)”}”(hŒÍAmongst the credentials of most objects, there will be a subset that indicates the ownership of that object. This is used for resource accounting and limitation (disk quotas and task rlimits for example).”h]”hŒÍAmongst the credentials of most objects, there will be a subset that indicates the ownership of that object. This is used for resource accounting and limitation (disk quotas and task rlimits for example).”…””}”(hj®hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K!hjªubh¸)”}”(hŒaIn a standard UNIX filesystem, for instance, this will be defined by the UID marked on the inode.”h]”hŒaIn a standard UNIX filesystem, for instance, this will be defined by the UID marked on the inode.”…””}”(hj¼hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K%hjªubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K!hj˜ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj ubhè)”}”(hX§The objective context. Also amongst the credentials of those objects, there will be a subset that indicates the 'objective context' of that object. This may or may not be the same set as in (2) - in standard UNIX files, for instance, this is the defined by the UID and the GID marked on the inode. The objective context is used as part of the security calculation that is carried out when an object is acted upon. ”h]”(h¸)”}”(hŒThe objective context.”h]”hŒThe objective context.”…””}”(hjÚhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K(hjÖubj™)”}”(hX‰Also amongst the credentials of those objects, there will be a subset that indicates the 'objective context' of that object. This may or may not be the same set as in (2) - in standard UNIX files, for instance, this is the defined by the UID and the GID marked on the inode. The objective context is used as part of the security calculation that is carried out when an object is acted upon. ”h]”(h¸)”}”(hXAlso amongst the credentials of those objects, there will be a subset that indicates the 'objective context' of that object. This may or may not be the same set as in (2) - in standard UNIX files, for instance, this is the defined by the UID and the GID marked on the inode.”h]”hXAlso amongst the credentials of those objects, there will be a subset that indicates the â€˜objective contextâ€™ of that object. This may or may not be the same set as in (2) - in standard UNIX files, for instance, this is the defined by the UID and the GID marked on the inode.”…””}”(hjìhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K*hjèubh¸)”}”(hŒsThe objective context is used as part of the security calculation that is carried out when an object is acted upon.”h]”hŒsThe objective context is used as part of the security calculation that is carried out when an object is acted upon.”…””}”(hjúhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K/hjèubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K*hjÖubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj ubhè)”}”(hX%Subjects. A subject is an object that is acting upon another object. Most of the objects in the system are inactive: they don't act on other objects within the system. Processes/tasks are the obvious exception: they do stuff; they access and manipulate things. Objects other than tasks may under some circumstances also be subjects. For instance an open file may send SIGIO to a task using the UID and EUID given to it by a task that called ``fcntl(F_SETOWN)`` upon it. In this case, the file struct will have a subjective context too. ”h]”(h¸)”}”(hŒ Subjects.”h]”hŒ Subjects.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K2hjubj™)”}”(hXA subject is an object that is acting upon another object. Most of the objects in the system are inactive: they don't act on other objects within the system. Processes/tasks are the obvious exception: they do stuff; they access and manipulate things. Objects other than tasks may under some circumstances also be subjects. For instance an open file may send SIGIO to a task using the UID and EUID given to it by a task that called ``fcntl(F_SETOWN)`` upon it. In this case, the file struct will have a subjective context too. ”h]”(h¸)”}”(hŒ:A subject is an object that is acting upon another object.”h]”hŒ:A subject is an object that is acting upon another object.”…””}”(hj*hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K4hj&ubh¸)”}”(hŒÀMost of the objects in the system are inactive: they don't act on other objects within the system. Processes/tasks are the obvious exception: they do stuff; they access and manipulate things.”h]”hŒÂMost of the objects in the system are inactive: they donâ€™t act on other objects within the system. Processes/tasks are the obvious exception: they do stuff; they access and manipulate things.”…””}”(hj8hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K6hj&ubh¸)”}”(hXObjects other than tasks may under some circumstances also be subjects. For instance an open file may send SIGIO to a task using the UID and EUID given to it by a task that called ``fcntl(F_SETOWN)`` upon it. In this case, the file struct will have a subjective context too.”h]”(hŒ´Objects other than tasks may under some circumstances also be subjects. For instance an open file may send SIGIO to a task using the UID and EUID given to it by a task that called ”…””}”(hjFhžhhŸNh NubhŒliteral”“”)”}”(hŒ``fcntl(F_SETOWN)``”h]”hŒfcntl(F_SETOWN)”…””}”(hjPhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjFubhŒL upon it. In this case, the file struct will have a subjective context too.”…””}”(hjFhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K:hj&ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K4hjubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj ubhè)”}”(hXéThe subjective context. A subject has an additional interpretation of its credentials. A subset of its credentials forms the 'subjective context'. The subjective context is used as part of the security calculation that is carried out when a subject acts. A Linux task, for example, has the FSUID, FSGID and the supplementary group list for when it is acting upon a file - which are quite separate from the real UID and GID that normally form the objective context of the task. ”h]”(h¸)”}”(hŒThe subjective context.”h]”hŒThe subjective context.”…””}”(hjxhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K?hjtubj™)”}”(hXÈA subject has an additional interpretation of its credentials. A subset of its credentials forms the 'subjective context'. The subjective context is used as part of the security calculation that is carried out when a subject acts. A Linux task, for example, has the FSUID, FSGID and the supplementary group list for when it is acting upon a file - which are quite separate from the real UID and GID that normally form the objective context of the task. ”h]”(h¸)”}”(hŒèA subject has an additional interpretation of its credentials. A subset of its credentials forms the 'subjective context'. The subjective context is used as part of the security calculation that is carried out when a subject acts.”h]”hŒìA subject has an additional interpretation of its credentials. A subset of its credentials forms the â€˜subjective contextâ€™. The subjective context is used as part of the security calculation that is carried out when a subject acts.”…””}”(hjŠhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KAhj†ubh¸)”}”(hŒÝA Linux task, for example, has the FSUID, FSGID and the supplementary group list for when it is acting upon a file - which are quite separate from the real UID and GID that normally form the objective context of the task.”h]”hŒÝA Linux task, for example, has the FSUID, FSGID and the supplementary group list for when it is acting upon a file - which are quite separate from the real UID and GID that normally form the objective context of the task.”…””}”(hj˜hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KFhj†ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h KAhjtubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj ubhè)”}”(hXActions. Linux has a number of actions available that a subject may perform upon an object. The set of actions available depends on the nature of the subject and the object. Actions include reading, writing, creating and deleting files; forking or signalling and tracing tasks. ”h]”(h¸)”}”(hŒActions.”h]”hŒActions.”…””}”(hj¶hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KKhj²ubj™)”}”(hXLinux has a number of actions available that a subject may perform upon an object. The set of actions available depends on the nature of the subject and the object. Actions include reading, writing, creating and deleting files; forking or signalling and tracing tasks. ”h]”(h¸)”}”(hŒ¥Linux has a number of actions available that a subject may perform upon an object. The set of actions available depends on the nature of the subject and the object.”h]”hŒ¥Linux has a number of actions available that a subject may perform upon an object. The set of actions available depends on the nature of the subject and the object.”…””}”(hjÈhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KMhjÄubh¸)”}”(hŒgActions include reading, writing, creating and deleting files; forking or signalling and tracing tasks.”h]”hŒgActions include reading, writing, creating and deleting files; forking or signalling and tracing tasks.”…””}”(hjÖhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KQhjÄubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h KMhj²ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj ubhè)”}”(hX°Rules, access control lists and security calculations. When a subject acts upon an object, a security calculation is made. This involves taking the subjective context, the objective context and the action, and searching one or more sets of rules to see whether the subject is granted or denied permission to act in the desired manner on the object, given those contexts. There are two main sources of rules: a. Discretionary access control (DAC): Sometimes the object will include sets of rules as part of its description. This is an 'Access Control List' or 'ACL'. A Linux file may supply more than one ACL. A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject ('user', 'group' and 'other'), each of which may be granted certain privileges ('read', 'write' and 'execute' - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use. A Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects. b. Mandatory access control (MAC): The system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this. In the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied. ”h]”(h¸)”}”(hŒ6Rules, access control lists and security calculations.”h]”hŒ6Rules, access control lists and security calculations.”…””}”(hjôhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KThjðubj™)”}”(hX^When a subject acts upon an object, a security calculation is made. This involves taking the subjective context, the objective context and the action, and searching one or more sets of rules to see whether the subject is granted or denied permission to act in the desired manner on the object, given those contexts. There are two main sources of rules: a. Discretionary access control (DAC): Sometimes the object will include sets of rules as part of its description. This is an 'Access Control List' or 'ACL'. A Linux file may supply more than one ACL. A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject ('user', 'group' and 'other'), each of which may be granted certain privileges ('read', 'write' and 'execute' - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use. A Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects. b. Mandatory access control (MAC): The system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this. In the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied. ”h]”(h¸)”}”(hX<When a subject acts upon an object, a security calculation is made. This involves taking the subjective context, the objective context and the action, and searching one or more sets of rules to see whether the subject is granted or denied permission to act in the desired manner on the object, given those contexts.”h]”hX<When a subject acts upon an object, a security calculation is made. This involves taking the subjective context, the objective context and the action, and searching one or more sets of rules to see whether the subject is granted or denied permission to act in the desired manner on the object, given those contexts.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KVhjubh¸)”}”(hŒ$There are two main sources of rules:”h]”hŒ$There are two main sources of rules:”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K\hjubjŸ)”}”(hhh]”(hè)”}”(hXæDiscretionary access control (DAC): Sometimes the object will include sets of rules as part of its description. This is an 'Access Control List' or 'ACL'. A Linux file may supply more than one ACL. A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject ('user', 'group' and 'other'), each of which may be granted certain privileges ('read', 'write' and 'execute' - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use. A Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects. ”h]”(h¸)”}”(hŒ#Discretionary access control (DAC):”h]”hŒ#Discretionary access control (DAC):”…””}”(hj)hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K^hj%ubj™)”}”(hX¶Sometimes the object will include sets of rules as part of its description. This is an 'Access Control List' or 'ACL'. A Linux file may supply more than one ACL. A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject ('user', 'group' and 'other'), each of which may be granted certain privileges ('read', 'write' and 'execute' - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use. A Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects. ”h]”(h¸)”}”(hŒ£Sometimes the object will include sets of rules as part of its description. This is an 'Access Control List' or 'ACL'. A Linux file may supply more than one ACL.”h]”hŒ«Sometimes the object will include sets of rules as part of its description. This is an â€˜Access Control Listâ€™ or â€˜ACLâ€™. A Linux file may supply more than one ACL.”…””}”(hj;hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K`hj7ubh¸)”}”(hX”A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject ('user', 'group' and 'other'), each of which may be granted certain privileges ('read', 'write' and 'execute' - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use.”h]”hX¬A traditional UNIX file, for example, includes a permissions mask that is an abbreviated ACL with three fixed classes of subject (â€˜userâ€™, â€˜groupâ€™ and â€˜otherâ€™), each of which may be granted certain privileges (â€˜readâ€™, â€˜writeâ€™ and â€˜executeâ€™ - whatever those map to for the object in question). UNIX file permissions do not allow the arbitrary specification of subjects, however, and so are of limited use.”…””}”(hjIhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kdhj7ubh¸)”}”(hŒzA Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects.”h]”hŒzA Linux file might also sport a POSIX ACL. This is a list of rules that grants various permissions to arbitrary subjects.”…””}”(hjWhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kkhj7ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K`hj%ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj"ubhè)”}”(hX×Mandatory access control (MAC): The system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this. In the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied. ”h]”(h¸)”}”(hŒMandatory access control (MAC):”h]”hŒMandatory access control (MAC):”…””}”(hjuhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Knhjqubj™)”}”(hX¯The system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this. In the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied. ”h]”(h¸)”}”(hŒªThe system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this.”h]”hŒªThe system as a whole may have one or more sets of rules that get applied to all subjects and objects, regardless of their source. SELinux and Smack are examples of this.”…””}”(hj‡hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kphjƒubh¸)”}”(hXIn the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied.”h]”hXIn the case of SELinux and Smack, each object is given a label as part of its credentials. When an action is requested, they take the subject label, the object label and the action and look for a rule that says that this action is either granted or denied.”…””}”(hj•hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kthjƒubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Kphjqubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj"ubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œ loweralpha”Œprefix”hŒsuffix”Œ.”uh1jžhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h KVhjðubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhj ubeh}”(h]”h ]”h"]”h$]”h&]”jµŒarabic”j·hj¸j¹uh1jžhjšubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Khjxhžhubeh}”(h]”hþah ]”h"]”Œoverview”ah$]”h&]”uh1h¡hh£hžhhŸh¶h K ubh¢)”}”(hhh]”(h§)”}”(hŒTypes of Credentials”h]”hŒTypes of Credentials”…””}”(hjÝhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰juh1h¦hjÚhžhhŸh¶h K{ubh¸)”}”(hŒ=The Linux kernel supports the following types of credentials:”h]”hŒ=The Linux kernel supports the following types of credentials:”…””}”(hjëhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K}hjÚhžhubj™)”}”(hXØ 1. Traditional UNIX credentials. - Real User ID - Real Group ID The UID and GID are carried by most, if not all, Linux objects, even if in some cases it has to be invented (FAT or CIFS files for example, which are derived from Windows). These (mostly) define the objective context of that object, with tasks being slightly different in some cases. - Effective, Saved and FS User ID - Effective, Saved and FS Group ID - Supplementary groups These are additional credentials used by tasks only. Usually, an EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID will be used as the objective. For tasks, it should be noted that this is not always true. 2. Capabilities. - Set of permitted capabilities - Set of inheritable capabilities - Set of effective capabilities - Capability bounding set These are only carried by tasks. They indicate superior capabilities granted piecemeal to a task that an ordinary task wouldn't otherwise have. These are manipulated implicitly by changes to the traditional UNIX credentials, but can also be manipulated directly by the ``capset()`` system call. The permitted capabilities are those caps that the process might grant itself to its effective or permitted sets through ``capset()``. This inheritable set might also be so constrained. The effective capabilities are the ones that a task is actually allowed to make use of itself. The inheritable capabilities are the ones that may get passed across ``execve()``. The bounding set limits the capabilities that may be inherited across ``execve()``, especially when a binary is executed that will execute as UID 0. 3. Secure management flags (securebits). These are only carried by tasks. These govern the way the above credentials are manipulated and inherited over certain operations such as execve(). They aren't used directly as objective or subjective credentials. 4. Keys and keyrings. These are only carried by tasks. They carry and cache security tokens that don't fit into the other standard UNIX credentials. They are for making such things as network filesystem keys available to the file accesses performed by processes, without the necessity of ordinary programs having to know about security details involved. Keyrings are a special type of key. They carry sets of other keys and can be searched for the desired key. Each process may subscribe to a number of keyrings: Per-thread keying Per-process keyring Per-session keyring When a process accesses a key, if not already present, it will normally be cached on one of these keyrings for future accesses to find. For more information on using keys, see ``Documentation/security/keys/*``. 5. LSM The Linux Security Module allows extra controls to be placed over the operations that a task may do. Currently Linux supports several LSM options. Some work by labelling the objects in a system and then applying sets of rules (policies) that say what operations a task with one label may do to an object with another label. 6. AF_KEY This is a socket-based approach to credential management for networking stacks [RFC 2367]. It isn't discussed by this document as it doesn't interact directly with task and file credentials; rather it keeps system level credentials. ”h]”jŸ)”}”(hhh]”(hè)”}”(hX¾Traditional UNIX credentials. - Real User ID - Real Group ID The UID and GID are carried by most, if not all, Linux objects, even if in some cases it has to be invented (FAT or CIFS files for example, which are derived from Windows). These (mostly) define the objective context of that object, with tasks being slightly different in some cases. - Effective, Saved and FS User ID - Effective, Saved and FS Group ID - Supplementary groups These are additional credentials used by tasks only. Usually, an EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID will be used as the objective. For tasks, it should be noted that this is not always true. ”h]”(h¸)”}”(hŒTraditional UNIX credentials.”h]”hŒTraditional UNIX credentials.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjubj™)”}”(hX’ - Real User ID - Real Group ID The UID and GID are carried by most, if not all, Linux objects, even if in some cases it has to be invented (FAT or CIFS files for example, which are derived from Windows). These (mostly) define the objective context of that object, with tasks being slightly different in some cases. - Effective, Saved and FS User ID - Effective, Saved and FS Group ID - Supplementary groups These are additional credentials used by tasks only. Usually, an EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID will be used as the objective. For tasks, it should be noted that this is not always true. ”h]”(j™)”}”(hŒ- Real User ID - Real Group ID ”h]”hã)”}”(hhh]”(hè)”}”(hŒReal User ID”h]”h¸)”}”(hjh]”hŒReal User ID”…””}”(hj!hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjubhè)”}”(hŒReal Group ID ”h]”h¸)”}”(hŒ Real Group ID”h]”hŒ Real Group ID”…””}”(hj8hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K‚hj4ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjubeh}”(h]”h ]”h"]”h$]”h&]”jvjwuh1hâhŸh¶h Khjubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Khjubh¸)”}”(hXThe UID and GID are carried by most, if not all, Linux objects, even if in some cases it has to be invented (FAT or CIFS files for example, which are derived from Windows). These (mostly) define the objective context of that object, with tasks being slightly different in some cases.”h]”hXThe UID and GID are carried by most, if not all, Linux objects, even if in some cases it has to be invented (FAT or CIFS files for example, which are derived from Windows). These (mostly) define the objective context of that object, with tasks being slightly different in some cases.”…””}”(hjXhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K„hjubj™)”}”(hŒ\- Effective, Saved and FS User ID - Effective, Saved and FS Group ID - Supplementary groups ”h]”hã)”}”(hhh]”(hè)”}”(hŒEffective, Saved and FS User ID”h]”h¸)”}”(hjoh]”hŒEffective, Saved and FS User ID”…””}”(hjqhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K‰hjmubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjjubhè)”}”(hŒ Effective, Saved and FS Group ID”h]”h¸)”}”(hj†h]”hŒ Effective, Saved and FS Group ID”…””}”(hjˆhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KŠhj„ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjjubhè)”}”(hŒSupplementary groups ”h]”h¸)”}”(hŒSupplementary groups”h]”hŒSupplementary groups”…””}”(hjŸhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K‹hj›ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjjubeh}”(h]”h ]”h"]”h$]”h&]”jvjwuh1hâhŸh¶h K‰hjfubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K‰hjubh¸)”}”(hŒçThese are additional credentials used by tasks only. Usually, an EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID will be used as the objective. For tasks, it should be noted that this is not always true.”h]”hŒçThese are additional credentials used by tasks only. Usually, an EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID will be used as the objective. For tasks, it should be noted that this is not always true.”…””}”(hj¿hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Khjubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjýubhè)”}”(hXÙCapabilities. - Set of permitted capabilities - Set of inheritable capabilities - Set of effective capabilities - Capability bounding set These are only carried by tasks. They indicate superior capabilities granted piecemeal to a task that an ordinary task wouldn't otherwise have. These are manipulated implicitly by changes to the traditional UNIX credentials, but can also be manipulated directly by the ``capset()`` system call. The permitted capabilities are those caps that the process might grant itself to its effective or permitted sets through ``capset()``. This inheritable set might also be so constrained. The effective capabilities are the ones that a task is actually allowed to make use of itself. The inheritable capabilities are the ones that may get passed across ``execve()``. The bounding set limits the capabilities that may be inherited across ``execve()``, especially when a binary is executed that will execute as UID 0. ”h]”(h¸)”}”(hŒ Capabilities.”h]”hŒ Capabilities.”…””}”(hjÝhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K’hjÙubj™)”}”(hX· - Set of permitted capabilities - Set of inheritable capabilities - Set of effective capabilities - Capability bounding set These are only carried by tasks. They indicate superior capabilities granted piecemeal to a task that an ordinary task wouldn't otherwise have. These are manipulated implicitly by changes to the traditional UNIX credentials, but can also be manipulated directly by the ``capset()`` system call. The permitted capabilities are those caps that the process might grant itself to its effective or permitted sets through ``capset()``. This inheritable set might also be so constrained. The effective capabilities are the ones that a task is actually allowed to make use of itself. The inheritable capabilities are the ones that may get passed across ``execve()``. The bounding set limits the capabilities that may be inherited across ``execve()``, especially when a binary is executed that will execute as UID 0. ”h]”(j™)”}”(hŒ|- Set of permitted capabilities - Set of inheritable capabilities - Set of effective capabilities - Capability bounding set ”h]”hã)”}”(hhh]”(hè)”}”(hŒSet of permitted capabilities”h]”h¸)”}”(hjøh]”hŒSet of permitted capabilities”…””}”(hjúhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K”hjöubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjóubhè)”}”(hŒSet of inheritable capabilities”h]”h¸)”}”(hjh]”hŒSet of inheritable capabilities”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K•hj ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjóubhè)”}”(hŒSet of effective capabilities”h]”h¸)”}”(hj&h]”hŒSet of effective capabilities”…””}”(hj(hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K–hj$ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjóubhè)”}”(hŒCapability bounding set ”h]”h¸)”}”(hŒCapability bounding set”h]”hŒCapability bounding set”…””}”(hj?hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K—hj;ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjóubeh}”(h]”h ]”h"]”h$]”h&]”jvjwuh1hâhŸh¶h K”hjïubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K”hjëubh¸)”}”(hX'These are only carried by tasks. They indicate superior capabilities granted piecemeal to a task that an ordinary task wouldn't otherwise have. These are manipulated implicitly by changes to the traditional UNIX credentials, but can also be manipulated directly by the ``capset()`` system call.”h]”(hXThese are only carried by tasks. They indicate superior capabilities granted piecemeal to a task that an ordinary task wouldnâ€™t otherwise have. These are manipulated implicitly by changes to the traditional UNIX credentials, but can also be manipulated directly by the ”…””}”(hj_hžhhŸNh NubjO)”}”(hŒ``capset()``”h]”hŒcapset()”…””}”(hjghžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj_ubhŒ system call.”…””}”(hj_hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K™hjëubh¸)”}”(hŒºThe permitted capabilities are those caps that the process might grant itself to its effective or permitted sets through ``capset()``. This inheritable set might also be so constrained.”h]”(hŒyThe permitted capabilities are those caps that the process might grant itself to its effective or permitted sets through ”…””}”(hjhžhhŸNh NubjO)”}”(hŒ``capset()``”h]”hŒcapset()”…””}”(hj‡hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjubhŒ5. This inheritable set might also be so constrained.”…””}”(hjhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KŸhjëubh¸)”}”(hŒ^The effective capabilities are the ones that a task is actually allowed to make use of itself.”h]”hŒ^The effective capabilities are the ones that a task is actually allowed to make use of itself.”…””}”(hjŸhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K£hjëubh¸)”}”(hŒRThe inheritable capabilities are the ones that may get passed across ``execve()``.”h]”(hŒEThe inheritable capabilities are the ones that may get passed across ”…””}”(hjhžhhŸNh NubjO)”}”(hŒ``execve()``”h]”hŒexecve()”…””}”(hjµhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjubhŒ.”…””}”(hjhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¦hjëubh¸)”}”(hŒ”The bounding set limits the capabilities that may be inherited across ``execve()``, especially when a binary is executed that will execute as UID 0.”h]”(hŒFThe bounding set limits the capabilities that may be inherited across ”…””}”(hjÍhžhhŸNh NubjO)”}”(hŒ``execve()``”h]”hŒexecve()”…””}”(hjÕhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjÍubhŒB, especially when a binary is executed that will execute as UID 0.”…””}”(hjÍhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K©hjëubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K”hjÙubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjýubhè)”}”(hXSecure management flags (securebits). These are only carried by tasks. These govern the way the above credentials are manipulated and inherited over certain operations such as execve(). They aren't used directly as objective or subjective credentials. ”h]”(h¸)”}”(hŒ%Secure management flags (securebits).”h]”hŒ%Secure management flags (securebits).”…””}”(hjýhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Khjùubj™)”}”(hŒØThese are only carried by tasks. These govern the way the above credentials are manipulated and inherited over certain operations such as execve(). They aren't used directly as objective or subjective credentials. ”h]”h¸)”}”(hŒ×These are only carried by tasks. These govern the way the above credentials are manipulated and inherited over certain operations such as execve(). They aren't used directly as objective or subjective credentials.”h]”hŒÙThese are only carried by tasks. These govern the way the above credentials are manipulated and inherited over certain operations such as execve(). They arenâ€™t used directly as objective or subjective credentials.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¯hjubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K¯hjùubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjýubhè)”}”(hX+Keys and keyrings. These are only carried by tasks. They carry and cache security tokens that don't fit into the other standard UNIX credentials. They are for making such things as network filesystem keys available to the file accesses performed by processes, without the necessity of ordinary programs having to know about security details involved. Keyrings are a special type of key. They carry sets of other keys and can be searched for the desired key. Each process may subscribe to a number of keyrings: Per-thread keying Per-process keyring Per-session keyring When a process accesses a key, if not already present, it will normally be cached on one of these keyrings for future accesses to find. For more information on using keys, see ``Documentation/security/keys/*``. ”h]”(h¸)”}”(hŒKeys and keyrings.”h]”hŒKeys and keyrings.”…””}”(hj-hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K´hj)ubj™)”}”(hX These are only carried by tasks. They carry and cache security tokens that don't fit into the other standard UNIX credentials. They are for making such things as network filesystem keys available to the file accesses performed by processes, without the necessity of ordinary programs having to know about security details involved. Keyrings are a special type of key. They carry sets of other keys and can be searched for the desired key. Each process may subscribe to a number of keyrings: Per-thread keying Per-process keyring Per-session keyring When a process accesses a key, if not already present, it will normally be cached on one of these keyrings for future accesses to find. For more information on using keys, see ``Documentation/security/keys/*``. ”h]”(h¸)”}”(hXMThese are only carried by tasks. They carry and cache security tokens that don't fit into the other standard UNIX credentials. They are for making such things as network filesystem keys available to the file accesses performed by processes, without the necessity of ordinary programs having to know about security details involved.”h]”hXOThese are only carried by tasks. They carry and cache security tokens that donâ€™t fit into the other standard UNIX credentials. They are for making such things as network filesystem keys available to the file accesses performed by processes, without the necessity of ordinary programs having to know about security details involved.”…””}”(hj?hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¶hj;ubh¸)”}”(hŒ Keyrings are a special type of key. They carry sets of other keys and can be searched for the desired key. Each process may subscribe to a number of keyrings:”h]”hŒ Keyrings are a special type of key. They carry sets of other keys and can be searched for the desired key. Each process may subscribe to a number of keyrings:”…””}”(hjMhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h K¼hj;ubj™)”}”(hŒ:Per-thread keying Per-process keyring Per-session keyring ”h]”h¸)”}”(hŒ9Per-thread keying Per-process keyring Per-session keyring”h]”hŒ9Per-thread keying Per-process keyring Per-session keyring”…””}”(hj_hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÀhj[ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h KÀhj;ubh¸)”}”(hŒ‡When a process accesses a key, if not already present, it will normally be cached on one of these keyrings for future accesses to find.”h]”hŒ‡When a process accesses a key, if not already present, it will normally be cached on one of these keyrings for future accesses to find.”…””}”(hjshžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÄhj;ubh¸)”}”(hŒJFor more information on using keys, see ``Documentation/security/keys/*``.”h]”(hŒ(For more information on using keys, see ”…””}”(hjhžhhŸNh NubjO)”}”(hŒ!``Documentation/security/keys/*``”h]”hŒDocumentation/security/keys/*”…””}”(hj‰hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjubhŒ.”…””}”(hjhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÇhj;ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h K¶hj)ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjýubhè)”}”(hXQLSM The Linux Security Module allows extra controls to be placed over the operations that a task may do. Currently Linux supports several LSM options. Some work by labelling the objects in a system and then applying sets of rules (policies) that say what operations a task with one label may do to an object with another label. ”h]”(h¸)”}”(hŒLSM”h]”hŒLSM”…””}”(hj±hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÉhjubj™)”}”(hXFThe Linux Security Module allows extra controls to be placed over the operations that a task may do. Currently Linux supports several LSM options. Some work by labelling the objects in a system and then applying sets of rules (policies) that say what operations a task with one label may do to an object with another label. ”h]”(h¸)”}”(hŒ“The Linux Security Module allows extra controls to be placed over the operations that a task may do. Currently Linux supports several LSM options.”h]”hŒ“The Linux Security Module allows extra controls to be placed over the operations that a task may do. Currently Linux supports several LSM options.”…””}”(hjÃhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KËhj¿ubh¸)”}”(hŒ°Some work by labelling the objects in a system and then applying sets of rules (policies) that say what operations a task with one label may do to an object with another label.”h]”hŒ°Some work by labelling the objects in a system and then applying sets of rules (policies) that say what operations a task with one label may do to an object with another label.”…””}”(hjÑhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÏhj¿ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h KËhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjýubhè)”}”(hŒ÷AF_KEY This is a socket-based approach to credential management for networking stacks [RFC 2367]. It isn't discussed by this document as it doesn't interact directly with task and file credentials; rather it keeps system level credentials. ”h]”(h¸)”}”(hŒAF_KEY”h]”hŒAF_KEY”…””}”(hjïhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÓhjëubj™)”}”(hŒëThis is a socket-based approach to credential management for networking stacks [RFC 2367]. It isn't discussed by this document as it doesn't interact directly with task and file credentials; rather it keeps system level credentials. ”h]”h¸)”}”(hŒéThis is a socket-based approach to credential management for networking stacks [RFC 2367]. It isn't discussed by this document as it doesn't interact directly with task and file credentials; rather it keeps system level credentials.”h]”hŒíThis is a socket-based approach to credential management for networking stacks [RFC 2367]. It isnâ€™t discussed by this document as it doesnâ€™t interact directly with task and file credentials; rather it keeps system level credentials.”…””}”(hj hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÕhjýubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h KÕhjëubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjýubeh}”(h]”h ]”h"]”h$]”h&]”jµjÌj·hj¸j¹uh1jžhjùubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h KhjÚhžhubh¸)”}”(hXËWhen a file is opened, part of the opening task's subjective context is recorded in the file struct created. This allows operations using that file struct to use those credentials instead of the subjective context of the task that issued the operation. An example of this would be a file opened on a network filesystem where the credentials of the opened file should be presented to the server, regardless of who is actually doing a read or a write upon it.”h]”hXÍWhen a file is opened, part of the opening taskâ€™s subjective context is recorded in the file struct created. This allows operations using that file struct to use those credentials instead of the subjective context of the task that issued the operation. An example of this would be a file opened on a network filesystem where the credentials of the opened file should be presented to the server, regardless of who is actually doing a read or a write upon it.”…””}”(hj' hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KÛhjÚhžhubeh}”(h]”j ah ]”h"]”Œtypes of credentials”ah$]”h&]”uh1h¡hh£hžhhŸh¶h K{ubh¢)”}”(hhh]”(h§)”}”(hŒ File Markings”h]”hŒ File Markings”…””}”(hj? hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰j<uh1h¦hj< hžhhŸh¶h Käubh¸)”}”(hŒËFiles on disk or obtained over the network may have annotations that form the objective security context of that file. Depending on the type of filesystem, this may include one or more of the following:”h]”hŒËFiles on disk or obtained over the network may have annotations that form the objective security context of that file. Depending on the type of filesystem, this may include one or more of the following:”…””}”(hjM hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kæhj< hžhubj™)”}”(hŒ¾* UNIX UID, GID, mode; * Windows user ID; * Access control list; * LSM security label; * UNIX exec privilege escalation bits (SUID/SGID); * File capabilities exec privilege escalation bits. ”h]”hã)”}”(hhh]”(hè)”}”(hŒUNIX UID, GID, mode;”h]”h¸)”}”(hjd h]”hŒUNIX UID, GID, mode;”…””}”(hjf hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kêhjb ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj_ ubhè)”}”(hŒWindows user ID;”h]”h¸)”}”(hj{ h]”hŒWindows user ID;”…””}”(hj} hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Këhjy ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj_ ubhè)”}”(hŒAccess control list;”h]”h¸)”}”(hj’ h]”hŒAccess control list;”…””}”(hj” hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kìhj ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj_ ubhè)”}”(hŒLSM security label;”h]”h¸)”}”(hj© h]”hŒLSM security label;”…””}”(hj« hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kíhj§ ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj_ ubhè)”}”(hŒ0UNIX exec privilege escalation bits (SUID/SGID);”h]”h¸)”}”(hjÀ h]”hŒ0UNIX exec privilege escalation bits (SUID/SGID);”…””}”(hjÂ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kîhj¾ ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj_ ubhè)”}”(hŒ2File capabilities exec privilege escalation bits. ”h]”h¸)”}”(hŒ1File capabilities exec privilege escalation bits.”h]”hŒ1File capabilities exec privilege escalation bits.”…””}”(hjÙ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h KïhjÕ ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj_ ubeh}”(h]”h ]”h"]”h$]”h&]”jvŒ*”uh1hâhŸh¶h Kêhj[ ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Kêhj< hžhubh¸)”}”(hX&These are compared to the task's subjective security context, and certain operations allowed or disallowed as a result. In the case of execve(), the privilege escalation bits come into play, and may allow the resulting process extra privileges, based on the annotations on the executable file.”h]”hX(These are compared to the taskâ€™s subjective security context, and certain operations allowed or disallowed as a result. In the case of execve(), the privilege escalation bits come into play, and may allow the resulting process extra privileges, based on the annotations on the executable file.”…””}”(hjú hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kñhj< hžhubeh}”(h]”jBah ]”h"]”Œ file markings”ah$]”h&]”uh1h¡hh£hžhhŸh¶h Käubh¢)”}”(hhh]”(h§)”}”(hŒTask Credentials”h]”hŒTask Credentials”…””}”(hj hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰j^uh1h¦hj hžhhŸh¶h Køubh¸)”}”(hŒåIn Linux, all of a task's credentials are held in (uid, gid) or through (groups, keys, LSM security) a refcounted structure of type 'struct cred'. Each task points to its credentials by a pointer called 'cred' in its task_struct.”h]”hŒïIn Linux, all of a taskâ€™s credentials are held in (uid, gid) or through (groups, keys, LSM security) a refcounted structure of type â€˜struct credâ€™. Each task points to its credentials by a pointer called â€˜credâ€™ in its task_struct.”…””}”(hj hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kúhj hžhubh¸)”}”(hŒsOnce a set of credentials has been prepared and committed, it may not be changed, barring the following exceptions:”h]”hŒsOnce a set of credentials has been prepared and committed, it may not be changed, barring the following exceptions:”…””}”(hj. hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Kÿhj hžhubj™)”}”(hX$1. its reference count may be changed; 2. the reference count on the group_info struct it points to may be changed; 3. the reference count on the security data it points to may be changed; 4. the reference count on any keyrings it points to may be changed; 5. any keyrings it points to may be revoked, expired or have their security attributes changed; and 6. the contents of any keyrings to which it points may be changed (the whole point of keyrings being a shared set of credentials, modifiable by anyone with appropriate access). ”h]”jŸ)”}”(hhh]”(hè)”}”(hŒ$its reference count may be changed; ”h]”h¸)”}”(hŒ#its reference count may be changed;”h]”hŒ#its reference count may be changed;”…””}”(hjG hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MhjC ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj@ ubhè)”}”(hŒJthe reference count on the group_info struct it points to may be changed; ”h]”h¸)”}”(hŒIthe reference count on the group_info struct it points to may be changed;”h]”hŒIthe reference count on the group_info struct it points to may be changed;”…””}”(hj_ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj[ ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj@ ubhè)”}”(hŒFthe reference count on the security data it points to may be changed; ”h]”h¸)”}”(hŒEthe reference count on the security data it points to may be changed;”h]”hŒEthe reference count on the security data it points to may be changed;”…””}”(hjw hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhjs ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj@ ubhè)”}”(hŒAthe reference count on any keyrings it points to may be changed; ”h]”h¸)”}”(hŒ@the reference count on any keyrings it points to may be changed;”h]”hŒ@the reference count on any keyrings it points to may be changed;”…””}”(hj hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj‹ ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj@ ubhè)”}”(hŒaany keyrings it points to may be revoked, expired or have their security attributes changed; and ”h]”h¸)”}”(hŒ`any keyrings it points to may be revoked, expired or have their security attributes changed; and”h]”hŒ`any keyrings it points to may be revoked, expired or have their security attributes changed; and”…””}”(hj§ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M hj£ ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj@ ubhè)”}”(hŒ®the contents of any keyrings to which it points may be changed (the whole point of keyrings being a shared set of credentials, modifiable by anyone with appropriate access). ”h]”h¸)”}”(hŒthe contents of any keyrings to which it points may be changed (the whole point of keyrings being a shared set of credentials, modifiable by anyone with appropriate access).”h]”hŒthe contents of any keyrings to which it points may be changed (the whole point of keyrings being a shared set of credentials, modifiable by anyone with appropriate access).”…””•ãœ}”(hj¿ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M hj» ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj@ ubeh}”(h]”h ]”h"]”h$]”h&]”jµjÌj·hj¸j¹uh1jžhj< ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Mhj hžhubh¸)”}”(hXTo alter anything in the cred struct, the copy-and-replace principle must be adhered to. First take a copy, then alter the copy and then use RCU to change the task pointer to make it point to the new copy. There are wrappers to aid with this (see below).”h]”hXTo alter anything in the cred struct, the copy-and-replace principle must be adhered to. First take a copy, then alter the copy and then use RCU to change the task pointer to make it point to the new copy. There are wrappers to aid with this (see below).”…””}”(hjß hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj hžhubh¸)”}”(hXµA task may only alter its _own_ credentials; it is no longer permitted for a task to alter another's credentials. This means the ``capset()`` system call is no longer permitted to take any PID other than the one of the current process. Also ``keyctl_instantiate()`` and ``keyctl_negate()`` functions no longer permit attachment to process-specific keyrings in the requesting process as the instantiating process may need to create them.”h]”(hŒ„A task may only alter its _own_ credentials; it is no longer permitted for a task to alter anotherâ€™s credentials. This means the ”…””}”(hjí hžhhŸNh NubjO)”}”(hŒ``capset()``”h]”hŒcapset()”…””}”(hjõ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjí ubhŒd system call is no longer permitted to take any PID other than the one of the current process. Also ”…””}”(hjí hžhhŸNh NubjO)”}”(hŒ``keyctl_instantiate()``”h]”hŒkeyctl_instantiate()”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjí ubhŒ and ”…””}”(hjí hžhhŸNh NubjO)”}”(hŒ``keyctl_negate()``”h]”hŒkeyctl_negate()”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjí ubhŒ“ functions no longer permit attachment to process-specific keyrings in the requesting process as the instantiating process may need to create them.”…””}”(hjí hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj hžhubh¢)”}”(hhh]”(h§)”}”(hŒImmutable Credentials”h]”hŒImmutable Credentials”…””}”(hj4hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰j}uh1h¦hj1hžhhŸh¶h Mubh¸)”}”(hŒ”Once a set of credentials has been made public (by calling ``commit_creds()`` for example), it must be considered immutable, barring two exceptions:”h]”(hŒ;Once a set of credentials has been made public (by calling ”…””}”(hjBhžhhŸNh NubjO)”}”(hŒ``commit_creds()``”h]”hŒcommit_creds()”…””}”(hjJhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjBubhŒG for example), it must be considered immutable, barring two exceptions:”…””}”(hjBhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M!hj1hžhubj™)”}”(hŒ¶1. The reference count may be altered. 2. While the keyring subscriptions of a set of credentials may not be changed, the keyrings subscribed to may have their contents altered. ”h]”jŸ)”}”(hhh]”(hè)”}”(hŒ$The reference count may be altered. ”h]”h¸)”}”(hŒ#The reference count may be altered.”h]”hŒ#The reference count may be altered.”…””}”(hjmhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M$hjiubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjfubhè)”}”(hŒˆWhile the keyring subscriptions of a set of credentials may not be changed, the keyrings subscribed to may have their contents altered. ”h]”h¸)”}”(hŒ‡While the keyring subscriptions of a set of credentials may not be changed, the keyrings subscribed to may have their contents altered.”h]”hŒ‡While the keyring subscriptions of a set of credentials may not be changed, the keyrings subscribed to may have their contents altered.”…””}”(hj…hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M&hjubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhjfubeh}”(h]”h ]”h"]”h$]”h&]”jµjÌj·hj¸j¹uh1jžhjbubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h M$hj1hžhubh¸)”}”(hXxTo catch accidental credential alteration at compile time, struct task_struct has _const_ pointers to its credential sets, as does struct file. Furthermore, certain functions such as ``get_cred()`` and ``put_cred()`` operate on const pointers, thus rendering casts unnecessary, but require to temporarily ditch the const qualification to be able to alter the reference count.”h]”(hŒ¸To catch accidental credential alteration at compile time, struct task_struct has _const_ pointers to its credential sets, as does struct file. Furthermore, certain functions such as ”…””}”(hj¥hžhhŸNh NubjO)”}”(hŒ``get_cred()``”h]”hŒ get_cred()”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj¥ubhŒ and ”…””}”(hj¥hžhhŸNh NubjO)”}”(hŒ``put_cred()``”h]”hŒ put_cred()”…””}”(hj¿hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj¥ubhŒŸ operate on const pointers, thus rendering casts unnecessary, but require to temporarily ditch the const qualification to be able to alter the reference count.”…””}”(hj¥hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M)hj1hžhubeh}”(h]”jƒah ]”h"]”Œimmutable credentials”ah$]”h&]”uh1h¡hj hžhhŸh¶h Mubh¢)”}”(hhh]”(h§)”}”(hŒAccessing Task Credentials”h]”hŒAccessing Task Credentials”…””}”(hjáhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰jŸuh1h¦hjÞhžhhŸh¶h M1ubh¸)”}”(hŒ×A task being able to alter only its own credentials permits the current process to read or replace its own credentials without the need for any form of locking -- which simplifies things greatly. It can just call::”h]”hŒÖA task being able to alter only its own credentials permits the current process to read or replace its own credentials without the need for any form of locking -- which simplifies things greatly. It can just call:”…””}”(hjïhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M3hjÞhžhubhŒ literal_block”“”)”}”(hŒ!const struct cred *current_cred()”h]”hŒ!const struct cred *current_cred()”…””}”hjÿsbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1jýhŸh¶h M7hjÞhžhubh¸)”}”(hŒ\to get a pointer to its credentials structure, and it doesn't have to release it afterwards.”h]”hŒ^to get a pointer to its credentials structure, and it doesnâ€™t have to release it afterwards.”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M9hjÞhžhubh¸)”}”(hŒ„There are convenience wrappers for retrieving specific aspects of a task's credentials (the value is simply returned in each case)::”h]”hŒ…There are convenience wrappers for retrieving specific aspects of a taskâ€™s credentials (the value is simply returned in each case):”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Muid = tcred->uid; f->gid = tcred->gid; f->groups = get_group_info(tcred->groups); rcu_read_unlock(); ... }”h]”hX2void foo(struct task_struct *t, struct foo_data *f) { const struct cred *tcred; ... rcu_read_lock(); tcred = __task_cred(t); f->uid = tcred->uid; f->gid = tcred->gid; f->groups = get_group_info(tcred->groups); rcu_read_unlock(); ... }”…””}”hja sbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h Mrhjôhžhubh¸)”}”(hŒ±Should it be necessary to hold another task's credentials for a long period of time, and possibly to sleep while doing so, then the caller should get a reference on them using::”h]”hŒ²Should it be necessary to hold another taskâ€™s credentials for a long period of time, and possibly to sleep while doing so, then the caller should get a reference on them using:”…””}”(hjo hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhjôhžhubjþ)”}”(hŒ;const struct cred *get_task_cred(struct task_struct *task);”h]”hŒ;const struct cred *get_task_cred(struct task_struct *task);”…””}”hj} sbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h Mƒhjôhžhubh¸)”}”(hŒ…This does all the RCU magic inside of it. The caller must call put_cred() on the credentials so obtained when they're finished with.”h]”hŒ‡This does all the RCU magic inside of it. The caller must call put_cred() on the credentials so obtained when theyâ€™re finished with.”…””}”(hj‹ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M…hjôhžhubhŒnote”“”)”}”(hŒxThe result of ``__task_cred()`` should not be passed directly to ``get_cred()`` as this may race with ``commit_cred()``.”h]”h¸)”}”(hŒxThe result of ``__task_cred()`` should not be passed directly to ``get_cred()`` as this may race with ``commit_cred()``.”h]”(hŒThe result of ”…””}”(hjŸ hžhhŸNh NubjO)”}”(hŒ``__task_cred()``”h]”hŒ __task_cred()”…””}”(hj§ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjŸ ubhŒ" should not be passed directly to ”…””}”(hjŸ hžhhŸNh NubjO)”}”(hŒ``get_cred()``”h]”hŒ get_cred()”…””}”(hj¹ hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjŸ ubhŒ as this may race with ”…””}”(hjŸ hžhhŸNh NubjO)”}”(hŒ``commit_cred()``”h]”hŒ commit_cred()”…””}”(hjË hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjŸ ubhŒ.”…””}”(hjŸ hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M‰hj› ubah}”(h]”h ]”h"]”h$]”h&]”uh1j™ hjôhžhhŸh¶h Nubh¸)”}”(hŒ€There are a couple of convenience functions to access bits of another task's credentials, hiding the RCU magic from the caller::”h]”hŒThere are a couple of convenience functions to access bits of another taskâ€™s credentials, hiding the RCU magic from the caller:”…””}”(hjé hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MŒhjôhžhubjþ)”}”(hŒduid_t task_uid(task) Task's real UID uid_t task_euid(task) Task's effective UID”h]”hŒduid_t task_uid(task) Task's real UID uid_t task_euid(task) Task's effective UID”…””}”hj÷ sbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h Mhjôhžhubh¸)”}”(hŒEIf the caller is holding the RCU read lock at the time anyway, then::”h]”hŒDIf the caller is holding the RCU read lock at the time anyway, then:”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M’hjôhžhubjþ)”}”(hŒ.__task_cred(task)->uid __task_cred(task)->euid”h]”hŒ.__task_cred(task)->uid __task_cred(task)->euid”…””}”hjsbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h M”hjôhžhubh¸)”}”(hXfshould be used instead. Similarly, if multiple aspects of a task's credentials need to be accessed, RCU read lock should be used, ``__task_cred()`` called, the result stored in a temporary pointer and then the credential aspects called from that before dropping the lock. This prevents the potentially expensive RCU magic from being invoked multiple times.”h]”(hŒ…should be used instead. Similarly, if multiple aspects of a taskâ€™s credentials need to be accessed, RCU read lock should be used, ”…””}”(hj!hžhhŸNh NubjO)”}”(hŒ``__task_cred()``”h]”hŒ __task_cred()”…””}”(hj)hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj!ubhŒÒ called, the result stored in a temporary pointer and then the credential aspects called from that before dropping the lock. This prevents the potentially expensive RCU magic from being invoked multiple times.”…””}”(hj!hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M—hjôhžhubh¸)”}”(hŒjShould some other single aspect of another task's credentials need to be accessed, then this can be used::”h]”hŒkShould some other single aspect of another taskâ€™s credentials need to be accessed, then this can be used:”…””}”(hjAhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhjôhžhubjþ)”}”(hŒtask_cred_xxx(task, member)”h]”hŒtask_cred_xxx(task, member)”…””}”hjOsbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h M hjôhžhubh¸)”}”(hŒJwhere 'member' is a non-pointer member of the cred struct. For instance::”h]”hŒMwhere â€˜memberâ€™ is a non-pointer member of the cred struct. For instance:”…””}”(hj]hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M¢hjôhžhubjþ)”}”(hŒ uid_t task_cred_xxx(task, suid);”h]”hŒ uid_t task_cred_xxx(task, suid);”…””}”hjksbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h M¤hjôhžhubh¸)”}”(hŒÈwill retrieve 'struct cred::suid' from the task, doing the appropriate RCU magic. This may not be used for pointer members as what they point to may disappear the moment the RCU read lock is dropped.”h]”hŒÌwill retrieve â€˜struct cred::suidâ€™ from the task, doing the appropriate RCU magic. This may not be used for pointer members as what they point to may disappear the moment the RCU read lock is dropped.”…””}”(hjyhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M¦hjôhžhubeh}”(h]”jÇah ]”h"]”Œ$accessing another task's credentials”ah$]”h&]”uh1h¡hj hžhhŸh¶h Mfubh¢)”}”(hhh]”(h§)”}”(hŒAltering Credentials”h]”hŒAltering Credentials”…””}”(hj‘hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰jãuh1h¦hjŽhžhhŸh¶h M¬ubh¸)”}”(hŒ¾As previously mentioned, a task may only alter its own credentials, and may not alter those of another task. This means that it doesn't need to use any locking to alter its own credentials.”h]”hŒÀAs previously mentioned, a task may only alter its own credentials, and may not alter those of another task. This means that it doesnâ€™t need to use any locking to alter its own credentials.”…””}”(hjŸhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M®hjŽhžhubh¸)”}”(hŒqTo alter the current process's credentials, a function should first prepare a new set of credentials by calling::”h]”hŒrTo alter the current processâ€™s credentials, a function should first prepare a new set of credentials by calling:”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M²hjŽhžhubjþ)”}”(hŒ!struct cred *prepare_creds(void);”h]”hŒ!struct cred *prepare_creds(void);”…””}”hj»sbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h MµhjŽhžhubh¸)”}”(hŒáthis locks current->cred_replace_mutex and then allocates and constructs a duplicate of the current process's credentials, returning with the mutex still held if successful. It returns NULL if not successful (out of memory).”h]”hŒãthis locks current->cred_replace_mutex and then allocates and constructs a duplicate of the current processâ€™s credentials, returning with the mutex still held if successful. It returns NULL if not successful (out of memory).”…””}”(hjÉhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M·hjŽhžhubh¸)”}”(hŒïThe mutex prevents ``ptrace()`` from altering the ptrace state of a process while security checks on credentials construction and changing is taking place as the ptrace state may alter the outcome, particularly in the case of ``execve()``.”h]”(hŒThe mutex prevents ”…””}”(hj×hžhhŸNh NubjO)”}”(hŒ``ptrace()``”h]”hŒptrace()”…””}”(hjßhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj×ubhŒÃ from altering the ptrace state of a process while security checks on credentials construction and changing is taking place as the ptrace state may alter the outcome, particularly in the case of ”…””}”(hj×hžhhŸNh NubjO)”}”(hŒ``execve()``”h]”hŒexecve()”…””}”(hjñhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj×ubhŒ.”…””}”(hj×hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M»hjŽhžhubh¸)”}”(hŒùThe new credentials set should be altered appropriately, and any security checks and hooks done. Both the current and the proposed sets of credentials are available for this purpose as current_cred() will return the current set still at this point.”h]”hŒùThe new credentials set should be altered appropriately, and any security checks and hooks done. Both the current and the proposed sets of credentials are available for this purpose as current_cred() will return the current set still at this point.”…””}”(hj hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MÀhjŽhžhubh¸)”}”(hX£When replacing the group list, the new list must be sorted before it is added to the credential, as a binary search is used to test for membership. In practice, this means groups_sort() should be called before set_groups() or set_current_groups(). groups_sort() must not be called on a ``struct group_list`` which is shared as it may permute elements as part of the sorting process even if the array is already sorted.”h]”(hXWhen replacing the group list, the new list must be sorted before it is added to the credential, as a binary search is used to test for membership. In practice, this means groups_sort() should be called before set_groups() or set_current_groups(). groups_sort() must not be called on a ”…””}”(hjhžhhŸNh NubjO)”}”(hŒ``struct group_list``”h]”hŒstruct group_list”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjubhŒo which is shared as it may permute elements as part of the sorting process even if the array is already sorted.”…””}”(hjhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MÅhjŽhžhubh¸)”}”(hŒ\When the credential set is ready, it should be committed to the current process by calling::”h]”hŒ[When the credential set is ready, it should be committed to the current process by calling:”…””}”(hj7hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MÍhjŽhžhubjþ)”}”(hŒ#int commit_creds(struct cred *new);”h]”hŒ#int commit_creds(struct cred *new);”…””}”hjEsbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h MÐhjŽhžhubh¸)”}”(hXcThis will alter various aspects of the credentials and the process, giving the LSM a chance to do likewise, then it will use ``rcu_assign_pointer()`` to actually commit the new credentials to ``current->cred``, it will release ``current->cred_replace_mutex`` to allow ``ptrace()`` to take place, and it will notify the scheduler and others of the changes.”h]”(hŒ}This will alter various aspects of the credentials and the process, giving the LSM a chance to do likewise, then it will use ”…””}”(hjShžhhŸNh NubjO)”}”(hŒ``rcu_assign_pointer()``”h]”hŒrcu_assign_pointer()”…””}”(hj[hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjSubhŒ+ to actually commit the new credentials to ”…””}”(hjShžhhŸNh NubjO)”}”(hŒ``current->cred``”h]”hŒ current->cred”…””}”(hjmhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjSubhŒ, it will release ”…””}”(hjShžhhŸNh NubjO)”}”(hŒ``current->cred_replace_mutex``”h]”hŒcurrent->cred_replace_mutex”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjSubhŒ to allow ”…””}”(hjShžhhŸNh NubjO)”}”(hŒ``ptrace()``”h]”hŒptrace()”…””}”(hj‘hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjSubhŒK to take place, and it will notify the scheduler and others of the changes.”…””}”(hjShžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MÒhjŽhžhubh¸)”}”(hŒ{This function is guaranteed to return 0, so that it can be tail-called at the end of such functions as ``sys_setresuid()``.”h]”(hŒgThis function is guaranteed to return 0, so that it can be tail-called at the end of such functions as ”…””}”(hj©hžhhŸNh NubjO)”}”(hŒ``sys_setresuid()``”h]”hŒsys_setresuid()”…””}”(hj±hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj©ubhŒ.”…””}”(hj©hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MØhjŽhžhubh¸)”}”(hŒžNote that this function consumes the caller's reference to the new credentials. The caller should _not_ call ``put_cred()`` on the new credentials afterwards.”h]”(hŒoNote that this function consumes the callerâ€™s reference to the new credentials. The caller should _not_ call ”…””}”(hjÉhžhhŸNh NubjO)”}”(hŒ``put_cred()``”h]”hŒ put_cred()”…””}”(hjÑhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjÉubhŒ# on the new credentials afterwards.”…””}”(hjÉhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MÛhjŽhžhubh¸)”}”(hŒ|Furthermore, once this function has been called on a new set of credentials, those credentials may _not_ be changed further.”h]”hŒ|Furthermore, once this function has been called on a new set of credentials, those credentials may _not_ be changed further.”…””}”(hjéhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MÞhjŽhžhubh¸)”}”(hŒ”Should the security checks fail or some other error occur after ``prepare_creds()`` has been called, then the following function should be invoked::”h]”(hŒ@Should the security checks fail or some other error occur after ”…””}”(hj÷hžhhŸNh NubjO)”}”(hŒ``prepare_creds()``”h]”hŒprepare_creds()”…””}”(hjÿhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj÷ubhŒ@ has been called, then the following function should be invoked:”…””}”(hj÷hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MâhjŽhžhubjþ)”}”(hŒ#void abort_creds(struct cred *new);”h]”hŒ#void abort_creds(struct cred *new);”…””}”hjsbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h MæhjŽhžhubh¸)”}”(hŒ}This releases the lock on ``current->cred_replace_mutex`` that ``prepare_creds()`` got and then releases the new credentials.”h]”(hŒThis releases the lock on ”…””}”(hj%hžhhŸNh NubjO)”}”(hŒ``current->cred_replace_mutex``”h]”hŒcurrent->cred_replace_mutex”…””}”(hj-hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj%ubhŒ that ”…””}”(hj%hžhhŸNh NubjO)”}”(hŒ``prepare_creds()``”h]”hŒprepare_creds()”…””}”(hj?hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj%ubhŒ+ got and then releases the new credentials.”…””}”(hj%hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MèhjŽhžhubh¸)”}”(hŒJA typical credentials alteration function would look something like this::”h]”hŒIA typical credentials alteration function would look something like this:”…””}”(hjWhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h MìhjŽhžhubjþ)”}”(hX`int alter_suid(uid_t suid) { struct cred *new; int ret; new = prepare_creds(); if (!new) return -ENOMEM; new->suid = suid; ret = security_alter_suid(new); if (ret < 0) { abort_creds(new); return ret; } return commit_creds(new); }”h]”hX`int alter_suid(uid_t suid) { struct cred *new; int ret; new = prepare_creds(); if (!new) return -ENOMEM; new->suid = suid; ret = security_alter_suid(new); if (ret < 0) { abort_creds(new); return ret; } return commit_creds(new); }”…””}”hjesbah}”(h]”h ]”h"]”h$]”h&]”j juh1jýhŸh¶h MîhjŽhžhubeh}”(h]”jéah ]”h"]”Œaltering credentials”ah$]”h&]”uh1h¡hj hžhhŸh¶h M¬ubh¢)”}”(hhh]”(h§)”}”(hŒManaging Credentials”h]”hŒManaging Credentials”…””}”(hj}hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰juh1h¦hjzhžhhŸh¶h Mubh¸)”}”(hŒ4There are some functions to help manage credentials:”h]”hŒ4There are some functions to help manage credentials:”…””}”(hj‹hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhjzhžhubj™)”}”(hXŒ- ``void put_cred(const struct cred *cred);`` This releases a reference to the given set of credentials. If the reference count reaches zero, the credentials will be scheduled for destruction by the RCU system. - ``const struct cred *get_cred(const struct cred *cred);`` This gets a reference on a live set of credentials, returning a pointer to that set of credentials. ”h]”hã)”}”(hhh]”(hè)”}”(hŒÙ``void put_cred(const struct cred *cred);`` This releases a reference to the given set of credentials. If the reference count reaches zero, the credentials will be scheduled for destruction by the RCU system. ”h]”(h¸)”}”(hŒ+``void put_cred(const struct cred *cred);``”h]”jO)”}”(hj¦h]”hŒ'void put_cred(const struct cred *cred);”…””}”(hj¨hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj¤ubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj ubj™)”}”(hŒ¦This releases a reference to the given set of credentials. If the reference count reaches zero, the credentials will be scheduled for destruction by the RCU system. ”h]”h¸)”}”(hŒ¥This releases a reference to the given set of credentials. If the reference count reaches zero, the credentials will be scheduled for destruction by the RCU system.”h]”hŒ¥This releases a reference to the given set of credentials. If the reference count reaches zero, the credentials will be scheduled for destruction by the RCU system.”…””}”(hj¿hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M hj»ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h M hj ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjubhè)”}”(hŒ¤``const struct cred *get_cred(const struct cred *cred);`` This gets a reference on a live set of credentials, returning a pointer to that set of credentials. ”h]”(h¸)”}”(hŒ9``const struct cred *get_cred(const struct cred *cred);``”h]”jO)”}”(hjßh]”hŒ5const struct cred *get_cred(const struct cred *cred);”…””}”(hjáhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjÝubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M hjÙubj™)”}”(hŒeThis gets a reference on a live set of credentials, returning a pointer to that set of credentials. ”h]”h¸)”}”(hŒcThis gets a reference on a live set of credentials, returning a pointer to that set of credentials.”h]”hŒcThis gets a reference on a live set of credentials, returning a pointer to that set of credentials.”…””}”(hjøhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhjôubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h MhjÙubeh}”(h]”h ]”h"]”h$]”h&]”uh1hçhjubeh}”(h]”h ]”h"]”h$]”h&]”jvjwuh1hâhŸh¶h Mhj™ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h Mhjzhžhubeh}”(h]”jah ]”h"]”Œmanaging credentials”ah$]”h&]”uh1h¡hj hžhhŸh¶h Mubeh}”(h]”jdah ]”h"]”Œtask credentials”ah$]”h&]”uh1h¡hh£hžhhŸh¶h Køubh¢)”}”(hhh]”(h§)”}”(hŒOpen File Credentials”h]”hŒOpen File Credentials”…””}”(hj/hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰j3uh1h¦hj,hžhhŸh¶h Mubh¸)”}”(hX4When a new file is opened, a reference is obtained on the opening task's credentials and this is attached to the file struct as ``f_cred`` in place of ``f_uid`` and ``f_gid``. Code that used to access ``file->f_uid`` and ``file->f_gid`` should now access ``file->f_cred->fsuid`` and ``file->f_cred->fsgid``.”h]”(hŒ‚When a new file is opened, a reference is obtained on the opening taskâ€™s credentials and this is attached to the file struct as ”…””}”(hj=hžhhŸNh NubjO)”}”(hŒ ``f_cred``”h]”hŒf_cred”…””}”(hjEhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj=ubhŒ in place of ”…””}”(hj=hžhhŸNh NubjO)”}”(hŒ ``f_uid``”h]”hŒf_uid”…””}”(hjWhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj=ubhŒ and ”…””}”(hj=hžhhŸNh NubjO)”}”(hŒ ``f_gid``”h]”hŒf_gid”…””}”(hjihžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj=ubhŒ. Code that used to access ”…””}”(hj=hžhhŸNh NubjO)”}”(hŒ``file->f_uid``”h]”hŒfile->f_uid”…””}”(hj{hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj=ubhŒ and ”…””}”(hj=hžhhŸNh NubjO)”}”(hŒ``file->f_gid``”h]”hŒfile->f_gid”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj=ubhŒ should now access ”…””}”(hj=hžhhŸNh NubjO)”}”(hŒ``file->f_cred->fsuid``”h]”hŒfile->f_cred->fsuid”…””}”(hjŸhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj=ubhŒ and ”…””}”hj=sbjO)”}”(hŒ``file->f_cred->fsgid``”h]”hŒfile->f_cred->fsgid”…””}”(hj±hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj=ubhŒ.”…””}”(hj=hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj,hžhubh¸)”}”(hXIt is safe to access ``f_cred`` without the use of RCU or locking because the pointer will not change over the lifetime of the file struct, and nor will the contents of the cred struct pointed to, barring the exceptions listed above (see the Task Credentials section).”h]”(hŒIt is safe to access ”…””}”(hjÉhžhhŸNh NubjO)”}”(hŒ ``f_cred``”h]”hŒf_cred”…””}”(hjÑhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjÉubhŒí without the use of RCU or locking because the pointer will not change over the lifetime of the file struct, and nor will the contents of the cred struct pointed to, barring the exceptions listed above (see the Task Credentials section).”…””}”(hjÉhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h Mhj,hžhubh¸)”}”(hŒýTo avoid "confused deputy" privilege escalation attacks, access control checks during subsequent operations on an opened file should use these credentials instead of "current"'s credentials, as the file may have been passed to a more privileged process.”h]”hXTo avoid â€œconfused deputyâ€ privilege escalation attacks, access control checks during subsequent operations on an opened file should use these credentials instead of â€œcurrentâ€œâ€˜s credentials, as the file may have been passed to a more privileged process.”…””}”(hjéhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M!hj,hžhubeh}”(h]”j9ah ]”h"]”Œopen file credentials”ah$]”h&]”uh1h¡hh£hžhhŸh¶h Mubh¢)”}”(hhh]”(h§)”}”(hŒ'Overriding the VFS's Use of Credentials”h]”hŒ)Overriding the VFSâ€™s Use of Credentials”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”j‰jUuh1h¦hjþhžhhŸh¶h M'ubh¸)”}”(hŒÞUnder some circumstances it is desirable to override the credentials used by the VFS, and that can be done by calling into such as ``vfs_mkdir()`` with a different set of credentials. This is done in the following places:”h]”(hŒƒUnder some circumstances it is desirable to override the credentials used by the VFS, and that can be done by calling into such as ”…””}”(hjhžhhŸNh NubjO)”}”(hŒ``vfs_mkdir()``”h]”hŒvfs_mkdir()”…””}”(hjhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhjubhŒL with a different set of credentials. This is done in the following places:”…””}”(hjhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M)hjþhžhubj™)”}”(hŒ<* ``sys_faccessat()``. * ``do_coredump()``. * nfs4recover.c.”h]”hã)”}”(hhh]”(hè)”}”(hŒ``sys_faccessat()``.”h]”h¸)”}”(hj8h]”(jO)”}”(hŒ``sys_faccessat()``”h]”hŒsys_faccessat()”…””}”(hj=hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj:ubhŒ.”…””}”(hj:hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M-hj6ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj3ubhè)”}”(hŒ``do_coredump()``.”h]”h¸)”}”(hj]h]”(jO)”}”(hŒ``do_coredump()``”h]”hŒ do_coredump()”…””}”(hjbhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jNhj_ubhŒ.”…””}”(hj_hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M.hj[ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj3ubhè)”}”(hŒnfs4recover.c.”h]”h¸)”}”(hj‚h]”hŒnfs4recover.c.”…””}”(hj„hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h·hŸh¶h M/hj€ubah}”(h]”h ]”h"]”h$]”h&]”uh1hçhj3ubeh}”(h]”h ]”h"]”h$]”h&]”jvjó uh1hâhŸh¶h M-hj/ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜hŸh¶h M-hjþhžhubeh}”(h]”j[ah ]”h"]”Œ'overriding the vfs's use of credentials”ah$]”h&]”uh1h¡hh£hžhhŸh¶h M'ubeh}”(h]”Œcredentials-in-linux”ah ]”h"]”Œcredentials in linux”ah$]”h&]”uh1h¡hhhžhhŸh¶h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h¶uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¦NŒ generator”NŒ datestamp”NŒsource_link”NŒ source_url”NŒ toc_backlinks”Œentry”Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒreport_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jÕŒerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h¶Œ_destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(j¯j¬jujpj×hþj9 j j jBj)jdjÛjƒjñj¥j‹jÇjwjéj"jjûj9j§j[uŒ nametypes”}”(j¯‰ju‰j×‰j9 ‰j ‰j)‰jÛ‰jñ‰j‹‰jw‰j"‰jû‰j§‰uh}”(j¬h£jphßhþjxj jÚjBj< jdj jƒj1j¥jÞjÇjôjéjŽjjzj9j,j[jþhøhïjjj<j3j^jUj}jtjŸj–jÁj¸jãjÚjjüj3j*jUjLuŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œcollections”ŒCounter”“”}”jãKs…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ decoration”Nhžhub.