Next: Overload
Up: Algorithms
Previous: fork system call
  Contents
There will be two new fields in the task_struct : lids_perm_s *perm and lids_caps_s *caps.
Each time the execve system call is invoked,
- we check that parent16.1 have the permission to read and
execute the program.
- child inherit of parent->caps chained list. (Duplicated if forked)
- child inherit of parent->lfs_master
- parent->lfs_master->lfs is updated with the inherited overloaded capabilites of
child
- we search for rules in the configuration about this program, or a
parent directory
- we search for the lids_prog_s structure of the program
- if none are found, we search the one of its parent directory, and
so on until one is found.
If no lids_prog_s is found, task_struct.perm will be NULL and the caps/masks will
be taken empty. Else, task_struct.perm will point on lids_prog_s.perm and caps/masks will be taken in the lids_caps_s whose uid field is -1 or equal to parent->uid. If both are found, the second will be chosen. If none are found, we'll take empty sets.
- Now for each element of the child->caps chained list, we do
elt->caps = found_caps | (elt->caps & elt->mask)
elt->mask |= found_mask
This is the inheritance rule for capabilities.
This suppose that the very first process is born with its caps field pointing to a lids_caps_s
whose caps/mask are empty and whose tag field is -1.
Its perm field should point to a rule that allow it to read and execute what will be the init process. So that it will allow it to read and execute everything.
Next: Overload
Up: Algorithms
Previous: fork system call
  Contents
Biondi Philippe
2000-12-15