Requests Types

Before access to a target (i.e. an object) is granted, a request call to the Access Control Decision facility (ADF) is performed. Based on the request type and the target, the access will be granted or denied.

So, what is a request ? Well, each time a process (i.e. a subject) wants to get access to a target (i.e. an object), to change it, modify it, delete it, run it, or do anything else with it, it issues a call to the system. There are many of these system calls (called syscalls) for many different operations that your operating system needs. Every access goes through it.

To simplify it, RSBAC groups syscalls into request names. Every time a system call is made by a process, RSBAC sends the associated request and target (as well as the subject) to the ADF.

The different requests, associated targets and their descriptions are listed below.

Note: some requests are only issued under certain conditions, e.g. EXECUTE from mmap() only, if mapping request is for EXEC mode. Also, some calls depend on the kernel configuration settings, e.g. RSBAC net support.

Note: some calls are done from common helper functions, e.g. do_fork(). Functions that also perform the rsbac_adf_set_attr() notification call for the request are marked with an *.

Request Description Valid Target Types System calls and functions
ADD_TO_KERNEL Add a kernel module DEV
FILE
NONE
swapon(DEV,FILE)
create_module(NONE)
init_module(NONE)
ALTER Change IPC control information IPC msgctl(IPC)
shmctl(IPC)
APPEND_OPEN Open to append FILE
DEV
IPC
open(FILE,DEV)*
msgsnd(IPC)*\ sendto(IPC)*
sendmsg(IPC)*
CHANGE_GROUP Change active group IPC
PROCESS
NONE
setgid(PROC)
setregid(PROC)
setresgid(PROC)
setgroups(PROC)
setfsgid(NONE) (for DAC only)
shmctl(IPC)
msgctl(IPC)
CHANGE_OWNER Change owner FILE
DIR
FIFO
IPC
PROCESS
NONE
chown(FILE, DIR, FIFO)
lchown(FILE, DIR, FIFO)
fchown(FILE, DIR, FIFO)
setuid(PROC)*
setreuid(PROC)*
setresuid(PROC)*
setfsuid(NONE) (for DAC only)
shmctl(IPC)
msgctl(IPC)
CHANGE_DAC_EFF_OWNER Change effective owner PROCESS sys_setreuid(PROCESS)
sys_setuid(PROCESS)
sys_setresuid(PROCESS)
CHANGE_DAC_FS_OWNER Change file system userid PROCESS sys_setreuid(PROCESS)
sys_setuid(PROCESS)
sys_setresuid(PROCESS)
sys_setfsuid(PROCESS)
CHDIR Change working directory DIR chdir(DIR)
fchdir(DIR)
chroot(DIR)
CLONE Fork/clone a process PROCESS fork(PROC)*
vfork(PROC)*
clone(PROC)*
CLOSE Close opened file etc. Should always be granted.FILE
DIR
FIFO
DEV
IPC, NETOBJ(local)
close(FILE, DIR, FIFO, DEV, IPC, NETOBJ)*
shmdt(IPC)*
msgrcv(IPC)*
msgsnd(IPC)*
send(IPC)*
sendto(IPC)*
sendmsg(IPC)*
recv(IPC)*
recvfrom(IPC)*
recvmsg(IPC)*
CREATE Create object DIR (where)
IPC
USER
GROUP
NETTEMP
NETOBJ(local)
creat(DIR, IPC)*
open(DIR, IPC)*
mknod(DIR)*
mkdir(DIR)*
symlink(DIR)*
shmget(IPC)*
msgget(IPC)*
socket(IPC)*
accept(IPC)*
rsbac_um_add_user(USER)
rsbac_um_add_group(GROUP)
rsbac_net_temp(NETTEMP)
socket(NETOBJ)
DELETE Delete object FILE
DIR
FIFO
IPC
USER
NETTEMP
unlink(FILE, DIR, FIFO)*
rmdir(DIR)*
msgctl(IPC)*
shmctl(IPC)*
shutdown(IPC)*. close(IPC)*
rsbac_um_remove_user(USER)
rsbac_um_remove_group(GROUP)
rsbac_net_temp(NETTEMP)
EXECUTE Execute a file FILE exec()*
GET_PERMISSIONS_DATA Read Unix permissions (mode) or password, ioctl on ttys FILE
DIR
FIFO
DEV
USER
GROUP
access(FILE, DIR, FIFO)
ioctl (DEV:tty)
rsbac_um_get_user_item(USER)
rsbac_um_get_group_item(GROUP)
GET_STATUS_DATA Get status (stat() etc.) FILE
DIR
FIFO
DEV
IPC
SCD
NETDEV
NETOBJ(local)
PROCESS
open_port(SCD) (/dev/kmem etc.)
open_kcore(SCD) (/proc/kcore)
stat(FILE, DIR, FIFO, IPC)
newstat(FILE, DIR, FIFO, IPC)
lstat(FILE, DIR, FIFO, IPC)
newlstat(FILE, DIR, FIFO, IPC)
fstat(FILE, DIR, FIFO, IPC)
newfstat(FILE, DIR, FIFO, IPC)
stat64(FILE, DIR, FIFO, IPC)
lstat64(FILE, DIR, FIFO, IPC)
fstat64(FILE, DIR, FIFO, IPC)
statfs(FILE, DIR, FIFO)
fstatfs(FILE, DIR, FIFO)
rsbac_stats(SCD)
rsbac_check(SCD)
rsbac_stats_pm(SCD)
rsbac_stats_rc(SCD)
rsbac_stats_acl(SCD)
rsbac_log(SCD)
(access to RSBAC proc-files(SCD))
dev_ioctl(NETDEV)
arp_ioctl(NETDEV)
ip_mroute_setsockopt(SCD network)
firewalling code (SCD firewall)
quotactl(SCD quota)
ioctl (DEV: ide, scsi, etc.)
sys_getpgid(PROCESS)
sys_getsid(PROCESS)
sys_capget(PROCESS)
LINK_HARD Hard link FILE
DIR
FIFO
link(FILE, DIR, FIFO)
MODIFY_ACCESS_DATA Change access information, e.g. time, dateFILE
DIR
FIFO
utimes(FILE, DIR, FIFO)
MODIFY_ATTRIBUTE Change an RSBAC attribute value All target types (specific request needed for various security models)
MODIFY_PERMISSIONS_DATA Change Unix permissions or passwordFILE
DIR
FIFO
DEV
SCD
USER
GROUP
ioperm(SCD)
iopl(SCD)
chmod(FILE, DIR, FIFO)
fchmod(FILE, DIR, FIFO)
ioctl (DEV:tty)
MODIFY_SYSTEM_DATA Change system settings SCD
DEV
NETDEV
PROCESS
NETOBJ(local)
stime(SCD)
settimeofday(SCD)
adjtimex(SCD)
sethostname(SCD)
setdomainname(SCD)
setrlimit(SCD)
syslog(SCD)
sysctl(SCD)
swapon(SCD)
swapoff(SCD)
rsbac_log(SCD)
dev_ioctl(NETDEV)
arp_ioctl(NETDEV)
ip_mroute_setsockopt(SCD network)
firewalling code (SCD firewall)
quotactl(SCD quota)
ioctl (ide, scsi, etc.)
sched_setscheduler(PROCESS)
sched_setaffinity(PROCESS)
sys_setpriority(PROCESS)
sys_setpgid(PROCESS)
sys_setsockopt(NETOBJ)
kexec_load(SCD)
MOUNT Mount a filesystem DIR
DEV
mount(DIR, DEV) (separate mount notification for data structures)
READ Read from DIR or NETTEMP. Optional: read from otherDIR
USER
GROUP
NETTEMP (optional: FILE
FIFO
DEV
IPC
NETOBJ(remote))
read(FILE, FIFO, DEV, IPC, NETOBJ)*
readv(FILE, FIFO, DEV, IPC)*
pread(FILE, DEV, IPC)*
readdir(DIR)
open(DIR)
rsbac_net_temp(NETTEMP)
READ_ATTRIBUTE Read RSBAC attribute value All target types (specific request needed for various security models)
READ_OPEN Open for read FILE
FIFO
DEV
IPC
open(FILE, FIFO, DEV, IPC)*
shmat(IPC)*
msgrcv(IPC)*
recv(IPC)*
recvfrom(IPC)*
recvmsg(IPC)
READ_WRITE_OPEN Open for read and write FILE
FIFO
DEV
IPC
open(FILE, FIFO, DEV, IPC)*
shmat(IPC)*
bind(IPC)*
connect(IPC)*
listen(IPC)*
REMOVE_FROM_KERNEL Remove kernel module DEV
FILE
NONE
swapoff(DEV,FILE)
delete_module(NONE)
RENAME Rename FILE
DIR
FIFO
rename(FILE, DIR, FIFO) (RSBAC identification not changed by rename!)
SEARCH Lookup in dir or symlink from inside kernel for access with full path, map name to id DIR
SYMLINK
USER
GROUP
(internal functions lookup_dentry(DIR)
path_walk(DIR)
lookup_hash(DIR)
follow_symlink(SYMLINK))
SEND_SIGNAL Send a signal PROCESSkill(PROC)
SHUTDOWN Shutdown/reboot system NONEreboot(NONE)
SWITCH_LOG Change RSBAC log settings NONErsbac_adf_log_switch(NONE)
SWITCH_MODULE Switch decision module on/off NONErsbac_switch(NONE)
TERMINATE End of calling process, for attribute cleanup. Should always be granted.PROCESSexit(PROC)
TRACE Trace a process PROCESSptrace(PROC) (architecture dependent)
TRUNCATE Truncate FILEopen(FILE)*
truncate(FILE)*
ftruncate(FILE)*
truncate64(FILE)*
ftruncate64(FILE)*
UMOUNT Umount a filesystem DIR, DEVumount(DIR, DEV) (separate umount notification for data structures)
WRITE Write to a DIR, SCD or NETTEMP. Object moving to target dir. Optional: write to file etc. DIR
SCD
USER
GROUP (optional: FILE, FIFO, DEV, IPC-sock, NETOBJ(remote))
write(FILE, FIFO, IPC, DEV, NETTEMP)*
writev(FILE, FIFO, IPC, DEV)*
pwrite(FILE, IPC, DEV)*
rename(DIR)
rsbac_write(SCD)
rsbac_net_temp(NETTEMP)
WRITE_OPEN Open for write FILE
FIFO
DEV
IPC
open(FILE, FIFO, DEV, IPC)*
MAP_EXEC Map a library from a file (target FILE) or other code (target NONE) for execution.FILE
NONE
mmap(FILE) (EXEC mode)
mprotect(FILE, NONE) (EXEC mode)
uselib(FILE)
BIND Bind network address and port (if applicable) to local socket, bind to network deviceNETDEV, NETOBJ(local)dev_ioctl(NETDEV), bind()*
LISTEN Listen on a local socket NETOBJ(local)listen()*
ACCEPT Accept a connection from a remote network endpointNETOBJ(remote)accept()*
CONNECT Connect to remote network endpointNETOBJ(remote)connect()*
SEND Fake tty input, send to remote network endpointDEV
NETOBJ(remote)
ioctl(DEV:TIOCSTI)
send()*
sendmsg()*
sendto()*
RECEIVE Receive from remote network endpointNETOBJ (remote)recv()*
recvmsg()*
recvfrom()*
NET_SHUTDOWN Shutdown channel of local socket NETOBJ(local)shutdown()
IOCTL Sets various parameters to devicesDEV, NETOBJ(local)sys_ioctl()
sock_ioctl()
LOCK Lock filesystem objects FILE, DIR, FIFO, SYMLINKsys_fcntl(), sys_lock
AUTHENTICATE Check a user password USERsys_rsbac_um_auth_name, sys_rsbac_um_auth_uid

Note: some models (RC, ACL) internally change NONE targets to SCD target other for access control.



Table of Contents: RSBAC Handbook
Previous: Subjects and Objects
Next: Framework Components