PERFORCE change 41752 for review
Ken Smith
kensmith at FreeBSD.org
Sat Nov 8 19:54:26 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=41752
Change 41752 by kensmith at kensmith_oliver.cse.buffalo.edu on 2003/11/08 11:53:51
Working with rwatson to finish this document.
- Cleaned up minor nits in existing "finished" content.
- Added a few extra notes.
Affected files ...
.. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/arch-handbook/secarch/chapter.sgml#6 edit
Differences ...
==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/arch-handbook/secarch/chapter.sgml#6 (text+ko) ====
@@ -185,7 +185,7 @@
execution in isolated address spaces.
Processes each carry a process credential, managed by the kernel,
describing user and group information for the process, which will
- be used to authorized access to other kernel objects.
+ be used to authorize access to other kernel objects.
Based on the credential and various object properties, several
mandatory and discretionary protection models control the
interactions between processes, and access by the processes to
@@ -381,7 +381,7 @@
arithmetic traps in the instruction stream, exceptional memory
accesses such as page faults, or system calls via call gates.
Kernel code interacting with user processes is written carefully
- so as to provide only support only the desired interactions
+ so as to provide only support for the desired interactions
between the kernel and user processes.</para>
<para>Within the kernel, direct manipulation of user memory contents
@@ -429,7 +429,7 @@
platform, opening the <filename>/dev/io</filename> device enables
direct I/O access.
Other platforms provide similar functionality.
- Many platforms also offer hardware-specific via the
+ Many platforms also offer hardware-specific access via the
&man.sysarch.2; system call; some of the functions provided by the
system call are process-local, but others may provide privileged
services.
@@ -502,7 +502,7 @@
limits inappropriate interference between processes, preventing
accidental or intentional leakage of data, damage to data or
operational integrity, and leakage of system privilege.
- System debugging interfaces break down these barries, and must
+ System debugging interfaces break down these barriers, and must
be carefully controlled.</para>
<sect2 id="secarch-process-credentials">
@@ -554,7 +554,7 @@
kernel data structures, generally at the point at which
initial access to the object occurs.
This caching permits "time of open" UNIX security semantics to
- be implemented for a several objects, including file descriptors
+ be implemented for several objects, including file descriptors
and mountpoints.
These credential references are then used to authorize
asynchronous write-behind, such as found in NFS.</para>
@@ -580,10 +580,10 @@
When a process receives upgraded privileges, such as on execution
of a setuid binary, the system must revoke access to debug
the process by other processes that may already have had
- debugging sessions opon.</para>
+ debugging sessions open.</para>
<para>These protections are introduced in three ways: first,
- disallowing of operations that may upgrade of process credentials
+ disallowing of operations that may cause upgrade of process credentials
if access to the process cannot be revoked.
Second, storage of a "credential change flag", named P_SUGID for
historical reasons, which will be used to modify the
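Review bot: the rewritten line still reads awkwardly: "disallowing of operations that may cause upgrade of process credentials" would be clearer as "disallowing operations that may upgrade process credentials", dropping both "of" constructions; since the hunk already touches this line, tighten it here rather than in a follow-up.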
@@ -599,7 +599,7 @@
However, under some circumstances, additional process information
may also be used in the decision to exempt closely related
processes from certain protections--for example, participation in
- the same sesion is sufficient to authorize delivery of the
+ the same session is sufficient to authorize delivery of the
"continue" signal between processes, regardless of credentials.
</para>
</sect2>
@@ -617,7 +617,7 @@
Because of this concentration of privilege, required to
perform a number of system activities, system services
running with root privilege are popular targets for attack,
- as gain access to uid 0 grants access to most other
+ as gaining access to uid 0 grants access to most other
privileges in the system.</para>
<para>FreeBSD ships with the securelevel protection mechanism,
@@ -637,7 +637,7 @@
combination with the jail() security extension, described
later in this chapter.</para>
- <para>The TrustedBSD MAC Framework is also capability of
+ <para>The TrustedBSD MAC Framework is also capable of
limiting certain root privileges, such as the cability to
read files based on system labels.
The MAC Framework and policies are described later in this
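Review bot: the unchanged context line directly below the fix still carries a typo: "such as the cability to" should read "such as the capability to". This hunk is already editing the same paragraph, so fix both words in one change.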
@@ -653,7 +653,7 @@
consistent and appropriate use.
As UNIX-derived systems are frequently deployed in environments
in which users or processes contend for resources, a variety of
- approaches are taken to preventing inappropriate exclusion of
+ approaches are taken to prevent inappropriate exclusion of
other users or processes.
This includes scheduler behavior to provide for "fair"
distribution of CPU resources between independent processes
@@ -866,12 +866,12 @@
<para>Object sessions are initially referred to by one file
descriptor, but references may be duplicated to additional file
- descriptors, as well as inheritted across fork() operations, and
+ descriptors, as well as inherited across fork() operations, and
passed to other processes using UNIX Domain Socket ancillary right
transfer.
In FreeBSD 5.1, objects referenced by file descriptors are: IPC
pipes, IPC sockets, vnodes (files, directories, device nodes,
- POSIX fifos, etc), kqueues (kernel event notification queues).
+ POSIX fifos, etc), and kqueues (kernel event notification queues).
References to object sessions remain until the the descriptor is
explicitly closed via the close() or rfork() system calls, or
implicitly closed on process exec() or exit().
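Review bot: "until the the descriptor is" two lines below the fix has a duplicated "the". In the same sentence, listing rfork() beside close() as a way a descriptor is "explicitly closed" is imprecise: rfork() with RFCFDG gives the child a clean descriptor table, so the reference is not inherited rather than closed in the calling process; consider saying that directly.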
@@ -880,7 +880,7 @@
modified, as may the underlying objects.
File descriptor properties, such as offset and active access
flags, may be explicitly modified using system calls such as
- seek() or fcntl(), or implicitly as a result of operations making
+ lseek() or fcntl(), or implicitly as a result of operations making
use of the file descriptor, such as read() or write().</para>
<para>In most cases, accesses made using a file descriptor are
@@ -934,10 +934,22 @@
caution must be applied when relying on namespace-based
protections to limit access to an object.</para>
+ <para>There is another way to protect an object used by some
+ programs. If an object is completely removed from the
+ namespace but there is one or more process on the
+ system that has the object open it will not be removed from
+ the underlying file system until all references to the object
+ are closed. The process(es) that have the object open can still
+ access it but no other process can gain access to it through
+ the file system namespace. The object could be accessed using
+ fhopen() (which is restricted to the superuser) or by passing
+ its descriptor to another process through a UNIX domain socket
+ but is otherwise inaccessible.</para>
+
<para>Modifications to the namespace may be performed by
adding or removing file system mounts, attaching, overlaying,
or detaching parts of the namespace, or by modifying elements
- in the namespace by perform operations on objects in the
+ in the namespace by performing operations on objects in the
namespace.
Mount and unmount operations require privilege in FreeBSD
by default; however, the system policy may be configured to
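Review bot: grammar in the new paragraph needs attention: "there is one or more process on the system that has the object open it will not be removed" should read "one or more processes on the system have the object open, it will not be removed", and "The process(es) that have the object open can still access it but no other process can gain access" wants a comma before "but". The paragraph also runs several sentences onto one line while the surrounding text keeps one sentence per line, and spells "UNIX domain socket" differently from the "UNIX Domain Socket" used earlier in this file. The statement that fhopen() is restricted to the superuser is correct for FreeBSD and is worth keeping, since it is the one namespace-independent path back to an unlinked object.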
@@ -972,7 +984,7 @@
<para>The FreeBSD VFS defines several classes of objects, and
operations that apply to one or more of those objects.
The following operations may be supported on a virtual file
- node:</para>
+ node (vnode):</para>
<variablelist>
<varlistentry>
@@ -1339,6 +1351,13 @@
</listitem>
</varlistentry>
</variablelist>
+ <para>Note that there is one more file node type called VBLK
+ which is a Block Device. FreeBSD no longer uses Block Devices
+ for anything, and attempting to open a Block Device will result
+ in an error. But for compatibility with other UNIX's,
+ particularly in an NFS environment where file systems are
+ shared, Block Devices can be created and their existence is
+ "tolerated".</para>
</sect3>
<sect3 id="secarch-fsobjectprotections">
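Review bot: "other UNIX's" should be "other UNIX systems" (a plural, not a possessive), and "Block Device" is capitalized inconsistently with the lowercase "device nodes" used elsewhere in the chapter. "File node type" should also follow the "vnode" terminology this change introduces in the earlier hunk. If the error returned when a VBLK vnode is opened is stable, naming it would make the compatibility note more useful to readers.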
@@ -1592,7 +1611,7 @@
</sect3>
</sect2>
- <sect2 id="secarch-fs-quotes">
+ <sect2 id="secarch-fs-quotas">
<title>File System Quotas</title>
<para>UFS file system quotas permit administrators to place soft
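Review bot: changing the sect2 id from secarch-fs-quotes to secarch-fs-quotas will break any xref or link elsewhere in the handbook that still uses the old id. Grep the book for "secarch-fs-quotes" before committing and update any cross-references in the same change so the build does not fail on an unresolved linkend.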