%!PS
%%Version: 3.3.1
%%DocumentFonts: (atend)
%%Pages: (atend)
%%EndComments
%
% Version 3.3.1 prologue for troff files.
%
% Default layout parameters. Any of them may be overridden by the key/value
% pairs that the %%BeginSetup section pushes between a mark and the call to
% setup (setup defs them before computing the page transform).
%
/#copies 1 store
/aspectratio 1 def
/formsperpage 1 def
/landscape false def
/linewidth .3 def
/magnification 1 def
/margin 0 def
/orientation 0 def
/resolution 720 def
/rotation 1 def
/xoffset 0 def
/yoffset 0 def
/roundpage true def
/useclippath true def
/pagebbox [0 0 612 792] def
%
% Short font names used by the page descriptions (e.g. "10 R f").
% S and S1 are the re-encoded/re-metriced fonts built by addmetrics below.
%
/R /Times-Roman def
/I /Times-Italic def
/B /Times-Bold def
/BI /Times-BoldItalic def
/H /Helvetica def
/HI /Helvetica-Oblique def
/HB /Helvetica-Bold def
/HX /Helvetica-BoldOblique def
/CW /Courier def
/CO /Courier def
/CI /Courier-Oblique def
/CB /Courier-Bold def
/CX /Courier-BoldOblique def
/PA /Palatino-Roman def
/PI /Palatino-Italic def
/PB /Palatino-Bold def
/PX /Palatino-BoldItalic def
/Hr /Helvetica-Narrow def
/Hi /Helvetica-Narrow-Oblique def
/Hb /Helvetica-Narrow-Bold def
/Hx /Helvetica-Narrow-BoldOblique def
/KR /Bookman-Light def
/KI /Bookman-LightItalic def
/KB /Bookman-Demi def
/KX /Bookman-DemiItalic def
/AR /AvantGarde-Book def
/AI /AvantGarde-BookOblique def
/AB /AvantGarde-Demi def
/AX /AvantGarde-DemiOblique def
/NR /NewCenturySchlbk-Roman def
/NI /NewCenturySchlbk-Italic def
/NB /NewCenturySchlbk-Bold def
/NX /NewCenturySchlbk-BoldItalic def
/ZD /ZapfDingbats def
/ZI /ZapfChancery-MediumItalic def
/S /S def
/S1 /S1 def
/GR /Symbol def
%
% inch: n inch -> n*72, i.e. inches to default user-space points.
% min: a b min -> the smaller of the two; not referenced in this prologue.
%
/inch {72 mul} bind def
/min {2 copy gt {exch} if pop} bind def
%
% setup: mark key value ... setup
% Defines the key/value pairs left above the mark, adds 90 degrees to
% orientation for landscape, derives scaling (points per device unit) from
% resolution, sets the default line width/cap, then builds the CTM:
% origin moved to the page center, rotated, moved to the top-left corner,
% shifted by xoffset/yoffset (inches) and half the margin, scaled by
% magnification (x also by aspectratio) and finally by scaling so that
% page coordinates are in device units (1/resolution inch). Ends by
% defining the S/S1 fonts via addmetrics and positioning the pen at 0 0.
%
/setup {
	counttomark 2 idiv {def} repeat pop
	landscape {/orientation 90 orientation add def} if
	/scaling 72 resolution div def
	linewidth setlinewidth
	1 setlinecap
	pagedimensions
	xcenter ycenter translate
	orientation rotation mul rotate
	width 2 div neg height 2 div translate
	xoffset inch yoffset inch neg translate
	margin 2 div dup neg translate
	magnification dup aspectratio mul scale
	scaling scaling scale
	addmetrics
	0 0 moveto
} def
%
% pagedimensions: derives width, height, xcenter and ycenter from pagebbox.
% When useclippath is set and userdict does not yet hold gotpagebbox, the
% bbox is taken from the current clip path, rounded by roundpagebbox if
% roundpage is set and that procedure is defined. Width and height are
% exchanged for landscape. gotpagebbox is recorded in userdict so the clip
% path is sampled only once per job.
%
/pagedimensions {
	useclippath userdict /gotpagebbox known not and {
		/pagebbox [clippath pathbbox newpath] def
		roundpage currentdict /roundpagebbox known and {roundpagebbox} if
	} if
	pagebbox aload pop
	4 -1 roll exch 4 1 roll 4 copy
	landscape {4 2 roll} if
	sub /width exch def
	sub /height exch def
	add 2 div /xcenter exch def
	add 2 div /ycenter exch def
	userdict /gotpagebbox true put
} def
%
% addmetrics: defines font S as a copy of Symbol (encoding unchanged: null)
% with the Sdefs metric overrides, and S1 as a copy of Times-Roman with a
% private copy of StandardEncoding and the S1defs overrides. See cf.
%
/addmetrics {
	/Symbol /S null Sdefs cf
	/Times-Roman /S1 StandardEncoding dup length array copy S1defs cf
} def
%
% pagesetup: page pagesetup
% Runs pagedict[page] if the document has defined a pagedict containing an
% entry for this page; otherwise does nothing. No pagedict is defined in
% this prologue.
%
/pagesetup {
	/page exch def
	currentdict /pagedict known currentdict page known and {
		page load pagedict exch get cvx exec
	} if
} def
%
% decodingdefs: six alternative text-placement procedures; setdecoding binds
% one of them to t. Page text is emitted as runs terminated by t.
%   0 and 4: mark string x ... -> each string shown at (x, y)
%   1: mark string x ... y -> y := -y, then as 0
%   2: string nspaces width ... count x y -> moveto (x,-y); each string is
%      shown with widthshow, padding its spaces so it fills width exactly
%      (pad = (width - stringwidth) / nspaces). This document selects 2.
%   3: string width ... count x y -> as 2 but pads by (width - spacewidth)
%   5: y -> -y setfunnytext (setfunnytext is not defined in this prologue)
% Every y is negated: page coordinates grow downward from the top-left
% origin established by setup.
%
/decodingdefs [
	{counttomark 2 idiv {y moveto show} repeat}
	{neg /y exch def counttomark 2 idiv {y moveto show} repeat}
	{neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat}
	{neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat}
	{counttomark 2 idiv {y moveto show} repeat}
	{neg setfunnytext}
] def
% n setdecoding: binds t to decodingdefs[n].
/setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def
% string x y w: show string at (x, -y).
/w {neg moveto show} bind def
% x y m: remember y := -y for later decoding-0/4 runs and move to (x, -y).
/m {neg dup /y exch def moveto} bind def
% done: invokes lastpage if the document defined one.
/done {/lastpage where {pop lastpage} if} def
%
% f: ptsize fontname f
% Selects fontname scaled to ptsize points expressed in device units
% (ptsize / scaling); records font, ptsize and size; scales the stroke
% width with the point size; records the width of a space in spacewidth
% (used by decoding 3).
%
/f {
	dup /font exch def
	findfont
	exch dup /ptsize exch def
	scaling div dup /size exch def
	scalefont setfont
	linewidth ptsize mul scaling 10 mul div setlinewidth
	/spacewidth ( ) stringwidth pop def
} bind def
%
% changefont: fontslant fontheight changefont
% Replaces the current font by a sheared copy: x is skewed by
% (fontheight/ptsize) * tan(fontslant), y is scaled by fontheight/ptsize.
%
/changefont {
	/fontheight exch def
	/fontslant exch def
	currentfont [
		1 0
		fontheight ptsize div fontslant sin mul fontslant cos div
		fontheight ptsize div
		0 0
	] makefont setfont
} bind def
% sf: alias for f.
/sf {f} bind def
%
% cf: basefont newfont newencoding chtab cf
% Builds newfont as a copy of basefont's dictionary (all entries except
% FID), replacing Encoding when newencoding is an array (null keeps the
% original), and adding a Metrics dictionary filled from the name/array
% pairs in chtab. A two-number entry is [x-sidebearing advance-width]; a
% four-number entry is [x-sidebearing y-sidebearing x-advance y-advance].
% The new font is registered with definefont.
%
/cf {
	dup length 2 idiv /entries exch def
	/chtab exch def
	/newencoding exch def
	/newfont exch def
	findfont dup length 1 add dict /newdict exch def
	{1 index /FID ne {newdict 3 1 roll put}{pop pop} ifelse} forall
	newencoding type /arraytype eq {newdict /Encoding newencoding put} if
	newdict /Metrics entries dict put
	newdict /Metrics get begin
		chtab aload pop 1 1 entries {pop def} for
		newfont newdict definefont pop
	end
} bind def
%
% A few arrays used to adjust reference points and character widths in some
% of the printer resident fonts. If square roots are too high try changing
% the lines describing /radical and /radicalex to,
%
% /radical [0 -75 550 0]
% /radicalex [-50 -75 500 0]
%
% Move braceleftbt a bit - default PostScript character is off a bit.
%
/Sdefs [
	/bracketlefttp [201 500]
	/bracketleftbt [201 500]
	/bracketrighttp [-81 380]
	/bracketrightbt [-83 380]
	/braceleftbt [203 490]
	/bracketrightex [220 -125 500 0]
	/radical [0 0 550 0]
	/radicalex [-50 0 500 0]
	/parenleftex [-20 -170 0 0]
	/integral [100 -50 500 0]
	/infinity [10 -75 730 0]
] def
/S1defs [
	/underscore [0 80 500 0]
	/endash [7 90 650 0]
] def
%
% Tries to round clipping path dimensions, as stored in array pagebbox, so they
% match one of the known sizes in the papersizes array. Lower left coordinates
% are always set to 0.
%
% mappapersize: val mappapersize -> the papersizes entry closest to val when
% the difference is under half an inch (slop), otherwise val unchanged.
% Only the upper-right corner (pagebbox[2], pagebbox[3]) is mapped.
%
/roundpagebbox {
	7 dict begin
	/papersizes [8.5 inch 11 inch 14 inch 17 inch] def
	/mappapersize {
		/val exch def
		/slop .5 inch def
		/diff slop def
		/j 0 def
		0 1 papersizes length 1 sub {
			/i exch def
			papersizes i get val sub abs
			dup diff le {/diff exch def /j i def} {pop} ifelse
		} for
		diff slop lt {papersizes j get} {val} ifelse
	} def
	pagebbox 0 0 put
	pagebbox 1 0 put
	pagebbox dup 2 get mappapersize 2 exch put
	pagebbox dup 3 get mappapersize 3 exch put
	end
} bind def
%%EndProlog
%
% Job setup: parameter overrides between mark and setup (see setup), then
% text decoding 2 (justified widthshow) is selected for t.
%
%%BeginSetup
mark
/linewidth 0.5 def
/xoffset 0 def
/yoffset 0 def
/#copies 1 store
/magnification 1 def
%%FormsPerPage: 1
/formsperpage 1 def
/landscape false def
/resolution 720 def
setup
2 setdecoding
%%EndSetup
%
% Each page is bracketed by save/restore; coordinates are device units at
% 720 per inch (resolution above), y growing downward.
%
%%Page: 1 1
/saveobj save def
mark
1 pagesetup
12 B f
(The Design of IX)3 870 1 2445 1230 t
10 I f
(M. D. McIlroy)2 576 1 2592 1470 t
(J. A. 
Reeds)2 443 1 2658 1650 t (ABSTRACT)2643 2090 w 10 R f ( The)1 215( kernel is specified semiformally.)4 1374(The mandatory security behavior of the IX)6 1761 3 1330 2350 t ( the policy are given,)4 844(security policy and the label mechanisms and checks that implement)9 2756 2 1080 2470 t ( security behavior of)3 856( The)1 216( auditing.)1 389(as are arrangements for privilege, private paths, and)7 2139 4 1080 2590 t ( channels are illus-)3 760( Covert)1 325( old, is described.)3 711(special files and of all system calls, new and)8 1804 4 1080 2710 t (trated.)1080 2830 w 10 B f (1. Introduction)1 670 1 720 3190 t 10 R f (In a)1 160 1 970 3346 t 10 I f (multilevel secure)1 687 1 1163 3346 t 10 R f (operating system all data files have security classification labels.)8 2654 1 1883 3346 t 10 I f (Mandatory)4596 3346 w (controls)720 3466 w 10 R f ( with a)2 288(assure that no combination of computer programs may copy data from a file into another)14 3670 2 1082 3466 t ( normal flow of data is)5 937( the)1 152( Thus)1 255(lesser label.)1 476 4 720 3586 t 10 I f (up)2571 3586 w 10 R f (: as data move from place to place, the classification label)10 2369 1 2671 3586 t ( certain)1 297( However,)1 441(must not decrease as a result of negligent or unauthorized action.)10 2602 3 720 3706 t 10 I f (privileged)4086 3706 w 10 R f (programs are)1 523 1 4517 3706 t (allowed to copy data)3 829 1 720 3826 t 10 I f (down)1574 3826 w 10 R f (, that is, to declassify or)5 952 1 1791 3826 t 10 I f (downgrade)2768 3826 w 10 R f (data.)3243 3826 w ( to add mandatory controls to a)6 1309(We describe a simple, but thorough, way)6 1696 2 970 3982 t 9 R f (UNIX)4009 3982 w 10 S f (\322)4234 3982 w 10 R f (operating system)1 691 1 4349 3982 t ( paper recounts the modifica-)4 1169( This)1 228( the basic nature and usefulness of the system.)8 1844(without severely impairing)2 1079 4 720 4102 t ( this kernel, we have built a multilevel secure sys-)9 2033( Using)1 293( the system kernel.)3 
761(tions to the calling interface to)5 1233 4 720 4222 t ( tools for authentication, administration of privilege, safe networking to)9 3041(tem called IX, which includes)4 1279 2 720 4342 t ( secure networking)2 797( Multilevel)1 486( and management of multilevel windowed terminals.)6 2220(untrusted machines,)1 817 4 720 4462 t (should fit well within the model.)5 1306 1 720 4582 t ( system are described in the accompanying paper, ``Multilevel security)9 2860(Higher-level aspects of the IX)4 1210 2 970 4738 t (in the)1 230 1 720 4858 t 9 R f (UNIX)978 4858 w 10 R f ( on the Tenth Edition)4 870(tradition.'' Based)1 729 2 1233 4858 t 9 R f (UNIX)2860 4858 w 10 R f (research system, commonly known as v10,)5 1742 1 3115 4858 t 8 R f (1)4865 4826 w 10 R f (IX)4935 4858 w ( no direct relationship to security features)6 1700( bears)1 241( It)1 117(was built to experiment with new security mechanisms.)7 2262 4 720 4978 t (in production systems from AT&T.)4 1419 1 720 5098 t 8 R f (2, 3)1 120 1 2147 5066 t 10 R f ( expected to be fully familiar with)6 1401( reader is)2 377( The)1 211(Section \2472 covers the ideas, \2473 gives details.)7 1826 4 970 5254 t 9 R f (UNIX)4815 5254 w 10 R f ( ref-)1 172( technical details are deliberately concise, as they are intended as an implementation)12 3422( The)1 210(system calls.)1 516 4 720 5374 t ( expository material is relegated to fine print.)7 1803(erence. Additional)1 762 2 720 5494 t 10 B f ( model)1 286(2. 
The)1 292 2 720 5734 t 10 R f (Each file or process has a)5 1046 1 970 5890 t 10 I f (label,)2047 5890 w 10 R f ( technical reasons given in \2473.5.10 and)6 1595( For)1 196(shared by all data in it.)5 945 3 2304 5890 t ( form a \(slightly)3 671( labels)1 267( The)1 214(\2473.6.7, seek pointers and ceilings, which are defined below, also have labels.)11 3168 4 720 6010 t ( multilevel and categorical, or)4 1267(augmented\) mathematical lattice, a structure rich enough to express both)9 3053 2 720 6130 t ( a system call causes a transfer of data, the labels are)11 2253( Whenever)1 473( systems.)1 381(compartmented, classification)1 1213 4 720 6250 t (checked to ensure that data only flows up the lattice.)9 2096 1 720 6370 t ( of data explicitly passed between labeled entities, in particular from process to file and)14 3569(The security)1 501 2 970 6526 t ( of such data are bytes transmitted by)7 1510( Examples)1 447(vice versa, is safeguarded.)3 1058 3 720 6646 t 10 I f (read)3763 6646 w 10 R f (and)3974 6646 w 10 I f (write)4146 6646 w 10 R f ( and)1 171(system calls)1 489 2 4380 6646 t (bits set by)2 406 1 720 6766 t 10 I f (chmod)1151 6766 w 10 R f ( set inode data, such as modification times and link counts, are protected as far)14 3153(. Implicitly)1 470 2 1417 6766 t ( consideration is given to external media such as)8 1984( Special)1 350( the system unusable.)3 873(as possible without making)3 1113 4 720 6886 t ( authentication protocols may be required in order to determine proper)10 3011(terminals or tape drives, where)4 1309 2 720 7006 t ( of label checks involved with file)6 1479( reduce overhead in label checking we cache the results)9 2401(labels. 
To)1 440 3 720 7126 t (descriptors.)720 7246 w cleartomark showpage saveobj restore %%EndPage: 1 1 %%Page: 2 2 /saveobj save def mark 2 pagesetup 10 R f (- 2 -)2 166 1 2797 480 t ( error returns from system)4 1098(Other ways of communicating information, including but not limited to)9 2972 2 970 840 t ( inferred knowledge \(e.g. the Denning)5 1601(calls, file change times, the identity of open files, and otherwise)10 2719 2 720 960 t (example in \2473.2.6\) we declare to be)6 1484 1 720 1080 t 10 I f (covert channels.)1 664 1 2239 1080 t 10 R f (Just which covert channels to leave unplugged we)7 2076 1 2964 1080 t ( of nontrivial)2 548( worst, covert channels)3 962( At)1 164(have decided by balancing risk versus utility and compatibility.)8 2646 4 720 1200 t ( extremely abnormal behavior is required to)6 1860( As)1 179( for burglaries.)2 626(bandwidth provide routes for leaks, not)5 1655 4 720 1320 t (exploit them \(see notes in \2473.5.9\), systematic use of covert channels should be easy to detect by auditing.)17 4203 1 720 1440 t ( divided information transfers into ``lawful'' transfers, which honor the Department)10 3376(In effect we have)3 694 2 970 1596 t (of Defense ``Orange Book'' criteria,)4 1458 1 720 1716 t 8 R f (4)2186 1684 w 10 R f (and covert channels.)2 817 1 2251 1716 t ( and files at their minimum allowable)6 1511(We attempt to minimize label inflation by keeping all processes)9 2559 2 970 1872 t ( necessary to a maximum value)5 1276( program's label may start low and drift up as)9 1867( A)1 127(labels as long as possible.)4 1050 4 720 1992 t ( a running)2 437( When)1 304( label rises only when needed to allow reading of inputs.)10 2415( The)1 221(authorized for its user.)3 943 5 720 2112 t (program's label rises, the labels of its output files may also rise correspondingly.)12 3224 1 720 2232 t ( pro-)1 199( Such)1 258( system programs must be exempt from the usual label checking described above.)12 3360(A few)1 253 4 970 2388 t (grams are 
trusted with special)4 1244 1 720 2508 t 10 I f (privileges,)2002 2508 w 10 R f ( them the ability, for instance, to set the label on a)11 2127(which give)1 454 2 2459 2508 t ( privileges)1 425( These)1 294( time, read foreign tapes, perform backups\320and assign privilege.)8 2662(user's terminal at login)3 939 4 720 2628 t ( its privileges to another and privileged programs cannot be)9 2449(are zealously guarded: a program cannot pass)6 1871 2 720 2748 t (modified.)720 2868 w ( to break the rules, must know that they are doing so safely)12 2379(Privileged processes, which have the right)5 1691 2 970 3024 t ( example, the login program,)4 1182( For)1 196( on the privilege.)3 698(and are not allowing unwashed programs to piggyback)7 2244 4 720 3144 t ( sets security labels accordingly, needs to receive the user's)9 2453(which authenticates a user's identity and then)6 1867 2 720 3264 t ( clearance is not at issue; no)6 1156( \(Security)1 422( agents.)1 311(password via a path immune to eavesdropping by untrusted)8 2431 4 720 3384 t ( privacy can be established before the user has been)9 2189(distinguishing security label to guarantee the user's)6 2131 2 720 3504 t (identified.\))720 3624 w ( as that necessary for logging in, a process may assert process exclu-)12 2843(To obtain a private path, such)5 1227 2 970 3780 t (sive, or)1 302 1 720 3900 t 10 I f (pex,)1054 3900 w 10 R f ( a pipe, the processes at both ends are apprised of each other's)12 2563( On)1 179(access to any file or pipe.)5 1049 3 1249 3900 t ( an external connection, an associated)5 1582(trustedness. 
On)1 655 2 720 4020 t 10 I f (stream identifier)1 679 1 2997 4020 t 10 R f (may be queried for other assur-)5 1324 1 3716 4020 t (ances, such as whether it is understood to be physically secure.)10 2512 1 720 4140 t ( records are collected mandatorily, to an)6 1652( Audit)1 286( security-related events.)2 966(An audit mechanism records)3 1166 4 970 4296 t ( be volunteered, typically by privileged)5 1575( audit records may)3 746( Extra)1 268(administratively determined level of detail.)4 1731 4 720 4416 t (programs, to capture data \(e.g. password rejections\) that happen outside the kernel.)11 3312 1 720 4536 t (In summary, IX has five major security mechanisms:)7 2119 1 720 4692 t ( usual)1 239(1. The)1 405 2 720 4848 t 9 R f (UNIX)1390 4848 w 10 R f ( can override per-)3 717( superuser)1 410( The)1 208(permission scheme provides discretionary controls.)4 2062 4 1643 4848 t (missions other than write permission.)4 1497 1 970 4968 t ( maintained regardless of user-)4 1246( inequalities are)2 638( Label)1 280( label scheme provides mandatory controls.)5 1751(2. The)1 405 5 720 5124 t (or group-ids.)1 516 1 970 5244 t ( privilege scheme guards the administration of the label scheme \(and of itself\).)12 3136(3. The)1 405 2 720 5400 t ( exclusive streams allow private transmission of data among privileged processes and files.)12 3636(4. Process)1 555 2 720 5556 t ( auditing allows security surveillance and furnishes post-mortems in case of trouble.)11 3362(5. 
Detailed)1 588 2 720 5712 t (Each process has a)3 756 1 970 5868 t 10 I f (ceiling,)1753 5868 w 10 R f ( set when the user logs in.)6 1053(a maximum label that it may read or write, first)9 1910 2 2077 5868 t ( also prevent lowly users from)5 1232( Ceilings)1 389(Ceilings prevent lowly users from injecting noise into high places.)9 2699 3 720 5988 t ( with the)2 352( Only)1 251( secrets.)1 322(raising their processes to high levels where they might use covert channels to pry out)14 3395 4 720 6108 t ( covert channels be used to see above)7 1528(\(possibly unwitting\) collusion of a \(possibly duped\) cleared user can)9 2792 2 720 6228 t (the ceiling.)1 444 1 720 6348 t (Each system call is identified as a)6 1372 1 970 6504 t 10 I f (read action,)1 487 1 2371 6504 t 10 R f (a)2887 6504 w 10 I f (write action,)1 510 1 2960 6504 t 10 R f ( depending on the direction of)5 1226(or both,)1 315 2 3499 6504 t ( A)1 133( of a read action is a process; the destination of a write action is a file.)16 2962( destination)1 476( The)1 217(data transfer.)1 532 5 720 6624 t ( a check is violated, the violation may sometimes be pre-)10 2302( When)1 291( is made at each system call.)6 1152(security check)1 575 4 720 6744 t ( in the absence of privilege, the system)7 1581( Thus,)1 279( label, otherwise the system call aborts.)6 1594(vented by changing a)3 866 4 720 6864 t (obeys two golden rules, which are elaborated in \2472.5.)8 2132 1 720 6984 t 10 B f (Upward flow.)1 594 1 970 7140 t 10 R f ( the label of the destination of an)7 1396( possible,)1 389( If)1 127(Only upward data flow is permitted.)5 1503 4 1625 7140 t (action is raised to allow the action to proceed.)8 1833 1 970 7260 t cleartomark showpage saveobj restore %%EndPage: 2 2 %%Page: 3 3 /saveobj save def mark 3 pagesetup 10 R f (- 3 -)2 166 1 2797 480 t 10 B f (Impenetrable ceilings.)1 944 1 970 840 t 10 R f (A process label must stay under the process ceiling.)8 2066 1 1964 840 t ( information with a)3 787( No)1 178( 
system has a ceiling label, distinct from the labels of any file in it.)14 2743(Each file)1 362 4 970 996 t ( ceiling, which may be understood)5 1386( The)1 207( the ceiling can be transferred to or from the file system.)11 2267(label above)1 460 4 720 1116 t ( virtual file manager, may be used to prevent import or export of sensitive labels via)15 3416(as a process label on a)5 904 2 720 1236 t ( addition, the file system ceiling may be used to deny privilege)11 2542( In)1 136( or removable media.)3 857(remote file systems)2 785 4 720 1356 t (to executable files obtained from such sources.)6 1871 1 720 1476 t (We understand the system call)4 1248 1 970 1632 t 10 I f (exec)2250 1632 w 10 R f ( new)1 199(to extinguish a process and make in its place a)9 1913 2 2458 1632 t 10 I f (empty)4603 1632 w 10 R f (pro-)4874 1632 w ( an empty process)3 727( If)1 119( empty process begins with a bottom label.)7 1731( keep labels as low as possible, an)7 1387(cess. To)1 356 5 720 1752 t ( cover the label of its parent, the source of the argu-)11 2072(has arguments, its label may have to rise immediately to)9 2248 2 720 1872 t ( to cover the label of the initializing text file, and perhaps again to cover)14 2937( may have to rise further)5 1003(ments. It)1 380 3 720 1992 t (data that it reads.)3 682 1 720 2112 t 10 B f (2.1. 
Terminology)1 750 1 720 2352 t 10 R f (A)970 2508 w 10 I f (file)1077 2508 w 10 R f ( an in-core)2 448(is anything that can have a file descriptor, or equivalently anything that can have)13 3352 2 1240 2508 t ( open)1 227( An)1 180( inode is deemed to be part of its file.)9 1559( An)1 180( and process images.)3 850(inode: file system entries, pipes,)4 1324 6 720 2628 t ( stream has a)3 530(file that is not a)4 634 2 720 2748 t 10 I f (seek pointer.)1 514 1 1913 2748 t 10 R f (A file descriptor)2 662 1 2481 2748 t 10 I f (d)3172 2748 w 10 R f (names an association \()3 913 1 3251 2748 t 10 I f (p)4172 2748 w 10 R f (,)4230 2748 w 10 I f (s)4287 2748 w 10 R f (,)4334 2748 w 10 I f (f)4399 2748 w 10 R f (\) between pro-)2 589 1 4451 2748 t ( Given)1 298(cess, seek pointer, and file.)4 1094 2 720 2868 t 10 I f (d)2140 2868 w 10 R f (, the corresponding process is denoted)5 1540 1 2190 2868 t 10 I f (p)3758 2868 w 10 R f (\()3816 2868 w 10 I f (d)3857 2868 w 10 R f (\), the file)2 369 1 3915 2868 t 10 I f (f)4312 2868 w 10 R f (\()4356 2868 w 10 I f (d)4397 2868 w 10 R f (\), and the seek)3 585 1 4455 2868 t (pointer)720 2988 w 10 I f (s)1029 2988 w 10 R f (\()1076 2988 w 10 I f (d)1117 2988 w 10 R f ( file system that file)4 798(\). The)1 264 2 1175 2988 t 10 I f (f)2263 2988 w 10 R f (resides in is denoted)3 816 1 2317 2988 t 10 I f (FS)3159 2988 w 10 R f (\()3278 2988 w 10 I f (f)3335 2988 w 10 R f (\). 
If)1 175 1 3387 2988 t 10 I f (f)3588 2988 w 10 R f ( end of a pipe,)4 576(is one)1 237 2 3642 2988 t 10 I f (f)4482 2988 w 10 S f (\242)4532 2983 w 10 R f (is the other)2 448 1 4592 2988 t (end.)720 3108 w 10 I f (L)952 3108 w 10 R f (\()1016 3108 w 10 I f (f)1073 3108 w 10 R f (,)1125 3108 w 10 I f (t)1158 3108 w 10 R f (\),)1194 3108 w 10 I f (L)1290 3108 w 10 R f (\()1354 3108 w 10 I f (p)1395 3108 w 10 R f (,)1453 3108 w 10 I f (t)1486 3108 w 10 R f (\),)1522 3108 w 10 I f (L)1618 3108 w 10 R f (\()1682 3108 w 10 I f (s)1723 3108 w 10 R f (,)1770 3108 w 10 I f (t)1803 3108 w 10 R f ( pointer respectively at time)4 1163(\) are the labels of a file, a process, and a seek)11 1945 2 1839 3108 t 10 I f (t)4984 3108 w 10 R f (;)5012 3108 w 10 I f (C)720 3228 w 10 R f (\()795 3228 w 10 I f (p)836 3228 w 10 R f (,)894 3228 w 10 I f (t)927 3228 w 10 R f (\) and)1 206 1 963 3228 t 10 I f (C)1198 3228 w 10 R f (\()1273 3228 w 10 I f (FS)1314 3228 w 10 R f (,)1433 3228 w 10 I f (t)1466 3228 w 10 R f ( only one time is under considera-)6 1389( When)1 293( file system.)2 496(\) are the ceilings of a process and)7 1360 4 1502 3228 t (tion,)720 3348 w 10 I f (t)926 3348 w 10 R f (may be elided:)2 588 1 979 3348 t 10 I f (L)1592 3348 w 10 R f (\()1656 3348 w 10 I f (f)1713 3348 w 10 R f (\),)1765 3348 w 10 I f (L)1848 3348 w 10 R f (\()1912 3348 w 10 I f (p)1953 3348 w 10 R f (\),)2011 3348 w 10 I f (C)2094 3348 w 10 R f (\()2169 3348 w 10 I f (p)2210 3348 w 10 R f (\), etc.)1 224 1 2268 3348 t (A)970 3504 w 10 I f (data flow)1 377 1 1067 3504 t 10 R f (occurs when bits are copied from one place \(process, file, seek pointer, uarea\) to another.)14 3570 1 1470 3504 t ( transfer)1 334( nonatomic data)2 650( A)1 128(Such flows, caused by system calls, are effectively atomic and are serializable.)11 3208 4 720 3624 t (in a very long)3 561 1 720 3744 t 10 I f (read)1309 3744 w 10 R f (or)1520 3744 w 10 I f (write)1631 3744 w 10 R f ( residence of data in an entity \(usu-)7 1433( 
The)1 208(is considered to be several data flows.)6 1534 3 1865 3744 t ( called a)2 342(ally a process or file\) also constitutes data flow,)8 1953 2 720 3864 t 10 I f (persistent flow,)1 617 1 3045 3864 t 10 R f (from the entity at one time to the)7 1348 1 3692 3864 t (entity at another time.)3 877 1 720 3984 t ( such)1 209( Most)1 257( flow.)1 234(Transfer of information without direct replication of bits is not considered to be data)13 3370 4 970 4140 t ( sys-)1 186( are sensed by reading quantities that the)7 1629( Others)1 317(transfers are sensed by error returns from system calls.)8 2188 4 720 4260 t (tem calculates: link counts, process numbers, resource levels, file access times, clock values, and so on.)15 4134 1 720 4380 t (Data flow from source)3 900 1 970 4536 t 10 I f (x)1895 4536 w 10 R f (to destination)1 542 1 1964 4536 t 10 I f (y)2531 4536 w 10 R f (is symbolized)1 553 1 2600 4536 t 10 I f (x)3178 4536 w 10 S f (\256)3263 4536 w 10 I f (y)3403 4536 w 10 R f (.)3447 4536 w (The symbols := and = mean assignment and the equality predicate respectively.)11 3174 1 970 4692 t 10 S1 f ()720 4848 w cleartomark saveobj restore %%BeginGlobal /build_rh { pop gsave size .0022 mul dup scale currentpoint translate 15 66 moveto 15 86 lineto 16 131 lineto 17 146 lineto 18 158 lineto 19 167 lineto 21 181 lineto 24 190 lineto 34 193 lineto 49 189 lineto 58 182 lineto 60 177 lineto 60 166 lineto 59 156 lineto 58 143 lineto 57 130 lineto 56 117 lineto 55 102 lineto 54 42 lineto 53 39 lineto 49 35 lineto 34 34 lineto 19 39 lineto 16 47 lineto 15 66 lineto stroke 65 60 moveto 65 111 lineto 66 127 lineto 67 139 lineto 69 153 lineto 72 163 lineto 83 171 lineto 98 177 lineto 113 182 lineto 128 187 lineto 143 190 lineto 158 194 lineto 173 196 lineto 188 199 lineto 203 201 lineto 218 203 lineto 233 205 lineto 248 205 lineto 263 206 lineto 278 206 lineto 293 206 lineto 308 206 lineto 323 206 lineto 338 205 lineto 353 203 lineto 368 202 lineto 383 200 lineto 394 197 lineto 
389 190 lineto 389 180 lineto 391 176 lineto 391 173 lineto 380 173 lineto 365 173 lineto 350 174 lineto 335 175 lineto 320 176 lineto 305 176 lineto 290 176 lineto 275 177 lineto 260 177 lineto 245 177 lineto 240 173 lineto 240 170 lineto 245 165 lineto 260 164 lineto 275 164 lineto 290 164 lineto 305 163 lineto 320 160 lineto 327 155 lineto 330 149 lineto 330 134 lineto 328 129 lineto 323 124 lineto 309 121 lineto 294 121 lineto 279 121 lineto 264 121 lineto 249 121 lineto 234 121 lineto 228 118 lineto 228 112 lineto 234 109 lineto 249 109 lineto 264 109 lineto 279 108 lineto 294 108 lineto 306 104 lineto 311 97 lineto 312 91 lineto 312 88 lineto 311 82 lineto 305 74 lineto 290 72 lineto 275 72 lineto 260 72 lineto 245 73 lineto 230 73 lineto 215 73 lineto 205 70 lineto 205 63 lineto 217 60 lineto 232 60 lineto 247 60 lineto 262 60 lineto 277 57 lineto 283 52 lineto 285 44 lineto 285 41 lineto 284 35 lineto 280 30 lineto 268 26 lineto 253 25 lineto 238 26 lineto 223 28 lineto 208 31 lineto 193 33 lineto 178 34 lineto 163 33 lineto 148 31 lineto 133 28 lineto 118 27 lineto 103 28 lineto 88 34 lineto 73 43 lineto 67 52 lineto 65 60 lineto stroke 396 180 moveto 396 188 lineto 399 194 lineto 410 196 lineto 416 190 lineto 416 180 lineto 415 177 lineto 411 173 lineto 400 173 lineto 396 180 lineto stroke grestore } def %%EndGlobal /saveobj save def mark 10 S1 f 720 4848 m 100 build_rh 820 4848 m 10 R f ( parts of the paper fact is distinguished from supporting commentary, which looks)12 3313(In the more formal)3 757 2 970 4848 t (like this.)1 345 1 970 4968 t 10 B f ( of notations)2 528(2.1.1. 
Summary)1 697 2 720 5208 t 10 R f ( Reference)1 1064(Notation Meaning)1 1346 2 1639 5424 t 10 I f (f)1639 5544 w 10 R f (,)1691 5544 w 10 I f (r)1748 5544 w 10 R f (,)1795 5544 w 10 I f (w)1852 5544 w 10 R f (file)2630 5544 w 10 I f (d)1639 5664 w 10 R f ( \2472.1)1 634(file descriptor)1 557 2 2630 5664 t 10 I f (p)1639 5784 w 10 R f (current process)1 606 1 2630 5784 t 10 I f (q)1639 5904 w 10 R f (process)2630 5904 w 10 I f (t)1639 6024 w 10 R f (time)2630 6024 w 10 I f (s)1639 6144 w 10 R f ( \2472.1)1 706(seek pointer)1 485 2 2630 6144 t 10 I f (FS)1639 6264 w 10 R f ( \2472.1)1 755(file system)1 436 2 2630 6264 t 10 I f (x)1639 6384 w 10 R f (,)1691 6384 w 10 I f (y)1748 6384 w 10 R f (labelable entity)1 613 1 2630 6384 t 10 B f (y)1639 6504 w 10 R f ( \2472.2)1 839(label yes)1 352 2 2630 6504 t 10 B f (n)1639 6624 w 10 R f ( \2472.2)1 872(label no)1 319 2 2630 6624 t 10 I f (L)1639 6744 w 10 R f (\()1703 6744 w 10 I f (x)1744 6744 w 10 R f (,)1796 6744 w 10 I f (t)1829 6744 w 10 R f (\) ,)1 74 1 1865 6744 t 10 I f (L)1980 6744 w 10 R f (\()2044 6744 w 10 I f (x)2085 6744 w 10 R f ( \2472.2)1 997(\) label)1 687 2 2137 6744 t 10 I f (C)1639 6864 w 10 R f (\()1714 6864 w 10 I f (x)1755 6864 w 10 R f (,)1807 6864 w 10 I f (t)1840 6864 w 10 R f (\) ,)1 74 1 1876 6864 t 10 I f (C)1991 6864 w 10 R f (\()2066 6864 w 10 I f (x)2107 6864 w 10 R f ( \2472.2)1 919(\) ceiling)1 743 2 2159 6864 t (Cap)1639 6984 w 7 I f (k)1811 7004 w 10 R f (\()1858 6984 w 10 I f (x)1899 6984 w 10 R f (,)1951 6984 w 10 I f (t)1984 6984 w 10 R f ( Cap)1 202(\) ,)1 74 2 2020 6984 t 7 I f (k)2307 7004 w 10 R f (\()2354 6984 w 10 I f (x)2395 6984 w 10 R f ( \2472.4.2)1 872(\) capability)1 577 2 2447 6984 t (Lic)1639 7104 w 7 I f (k)1783 7124 w 10 R f (\()1830 7104 w 10 I f (x)1871 7104 w 10 R f (,)1923 7104 w 10 I f (t)1956 7104 w 10 R f ( Lic)1 174(\) ,)1 74 2 1992 7104 t 7 I f (k)2251 7124 w 10 R f (\()2298 7104 w 10 I f (x)2339 7104 w 10 R f ( \2472.4.2)1 989(\) license)1 516 2 2391 7104 t 
(Cap \()1 202 1 1639 7224 t 10 I f (x)1849 7224 w 10 R f (,)1901 7224 w 10 I f (t)1934 7224 w 10 R f ( \()1 41( Cap)1 202(\) ,)1 74 3 1970 7224 t 10 I f (x)2295 7224 w 10 R f ( \2472.4.2)1 598( vector)1 274(\) capability)1 677 3 2347 7224 t cleartomark showpage saveobj restore %%EndPage: 3 3 %%Page: 4 4 /saveobj save def mark 4 pagesetup 10 R f (- 4 -)2 166 1 2797 480 t (Lic \()1 174 1 1639 840 t 10 I f (x)1821 840 w 10 R f (,)1873 840 w 10 I f (t)1906 840 w 10 R f ( \()1 41( Lic)1 174(\) ,)1 74 3 1942 840 t 10 I f (x)2239 840 w 10 R f ( \2472.4.2)1 715( vector)1 274(\) license)1 616 3 2291 840 t (Lic)1639 960 w 7 R f (0)1777 920 w 10 R f (\()1828 960 w 10 I f (x)1869 960 w 10 R f (,)1921 960 w 10 I f (t)1954 960 w 10 R f ( Lic)1 174(\) ,)1 74 2 1990 960 t 7 R f (0)2243 920 w 10 R f (\()2294 960 w 10 I f (x)2335 960 w 10 R f ( \2472.4.2)1 275( \2472.3,)1 350( file license)2 460(\) maximum)1 649 4 2387 960 t (Priv \()1 208 1 1639 1080 t 10 I f (x)1855 1080 w 10 R f (,)1907 1080 w 10 I f (t)1940 1080 w 10 R f ( \()1 41( Priv)1 208(\) ,)1 74 3 1976 1080 t 10 I f (x)2307 1080 w 10 R f ( \2472.4.2)1 637( vector)1 274(\) privilege)1 626 3 2359 1080 t 10 I f (H)1639 1200 w 10 R f (\()1719 1200 w 10 I f (f)1776 1200 w 10 R f ( \2472.4.3)1 459( process)1 324(\) pex-holding)1 1285 3 1828 1200 t 10 I f (APX)1639 1320 w 10 R f (\()1830 1320 w 10 I f (f)1887 1320 w 10 R f ( \2472.4.3)1 463( pex indicator)2 549(\) accept)1 945 3 1939 1320 t 10 I f (X)1639 1440 w 10 R f (\()1708 1440 w 10 I f (f)1765 1440 w 10 R f ( \2472.4.3)1 636( indicator)1 380(\) pexity)1 1063 3 1817 1440 t 10 I f (AM)1639 1560 w 10 R f (\()1791 1560 w 10 I f (p)1832 1560 w 10 R f ( \2472.4.4)1 506( audit mask)2 461(\) process)1 1039 3 1890 1560 t 10 I f (SAM)1639 1680 w 10 R f ( \2472.4.4)1 527(system audit mask)2 739 2 2630 1680 t 10 I f (PC)1639 1800 w 10 R f (\()1775 1800 w 10 I f (f)1832 1800 w 10 R f ( \2472.4.4)1 780( class)1 219(\) poison)1 1013 3 1884 1800 t 10 I f (PM)1639 1920 w 10 R f ([)1791 
1920 w 10 I f (i)1832 1920 w 10 R f ( \2472.4.4)1 763( mask)1 236(] poison)1 1029 3 1868 1920 t 10 B f (2.2. Labels)1 484 1 720 2220 t 10 R f ( given finite lattice)3 767(A label can be any element of a)7 1288 2 970 2376 t 10 HB f (L)3055 2376 w 10 R f (, or the special symbol)4 922 1 3116 2376 t 10 B f (y)4068 2376 w 10 R f (, or the special symbol)4 922 1 4118 2376 t 10 B f (n)720 2496 w 10 R f (. Let)1 216 1 776 2496 t 10 HB f (L)1025 2496 w 10 I f (*)1094 2496 w 10 S f (=)1193 2496 w 10 HB f (L)1297 2496 w 10 S f (\310)1366 2496 w 10 R f ({)1451 2496 w 10 B f (y)1507 2496 w 10 R f (,)1565 2496 w 10 B f (n)1622 2496 w 10 R f ( lattice)1 276( The)1 212( possible labels.)2 650(} denote this set of)4 785 4 1686 2496 t 10 HB f (L)3641 2496 w 10 R f ( have)1 220( We)1 195(is a design parameter.)3 891 3 3734 2496 t (chosen the lattice of subsets of 480 elements, represented as vectors of 480 bits.)13 3186 1 720 2616 t 10 S1 f ()720 2772 w 720 2772 m 100 build_rh 820 2772 m 10 R f (The bit vectors 000)3 876 1 970 2772 t 10 S f (<)1895 2772 w 10 R f (001)1999 2772 w 10 S f (<)2198 2772 w 10 R f (011)2302 2772 w 10 S f (<)2501 2772 w 10 R f (111 might represent the customary classification levels:)6 2435 1 2605 2772 t ( bits might represent compartments: 000 100 for)7 1957( Further)1 348( secret.)1 286(unclassified, confidential, secret, top)3 1479 4 970 2892 t ( North was cleared at least for)6 1214( Oliver)1 308( traffic, etc.)2 465(Iran, 000 010 for Nicaragua, 000 001 for submarine)8 2083 4 970 3012 t (111 110.)1 350 1 970 3132 t (Let the ordering relation on)4 1134 1 970 3288 t 10 HB f (L)2138 3288 w 10 R f (be denoted)1 445 1 2233 3288 t 10 S f (\243)2713 3288 w 10 R f (, the meet operation inf, the join operation sup, bottom)9 2272 1 2768 3288 t (element)720 3408 w 10 S f (^)1071 3408 w 10 R f (and top element)2 658 1 1172 3408 t cleartomark saveobj restore %%BeginGlobal /UnivMath6 /Universal-MathSix def %%EndGlobal /saveobj save def mark 10 UnivMath6 f (\301)1865 
3408 w 10 R f ( only comparison predicates we use are)6 1628(. The)1 240 2 1948 3408 t 10 S f (=)3851 3408 w 10 R f (,)3906 3408 w 10 S f (\243)3966 3408 w 10 R f (, and)1 203 1 4021 3408 t 10 S f (\243)4258 3408 w 10 I f (/)4272 3408 w 10 R f ( predicate)1 399(. The)1 239 2 4313 3408 t 10 S f (\243)4985 3408 w 10 I f (/)4999 3408 w 10 R f (means ``not)1 474 1 720 3528 t 10 S f (\243)1219 3528 w 10 R f ('' or ``is not dominated by''; it should not be thought of as)12 2343 1 1274 3528 t 10 S f (>)3642 3528 w 10 R f (.)3697 3528 w (A data flow)2 471 1 970 3684 t 10 I f (x)1466 3684 w 10 S f (\256)1551 3684 w 10 I f (y)1691 3684 w 10 R f (is said to be)3 475 1 1760 3684 t 10 I f (up)2260 3684 w 10 R f (if)2385 3684 w 10 I f (L)2471 3684 w 10 R f (\()2535 3684 w 10 I f (x)2576 3684 w 10 R f (\))2628 3684 w 10 S f (\243)2710 3684 w 10 I f (L)2806 3684 w 10 R f (\()2870 3684 w 10 I f (y)2911 3684 w 10 R f ( the flow is)3 447(\). Otherwise)1 518 2 2963 3684 t 10 I f (down)3953 3684 w 10 R f (.)4170 3684 w 10 S1 f ()720 3840 w 720 3840 m 100 build_rh 820 3840 m 10 R f (Up describes a)2 609 1 970 3840 t 10 S f (\243)1616 3840 w 10 R f (relation and down describes)3 1153 1 1708 3840 t 10 S f (\243)2898 3840 w 10 I f (/)2912 3840 w 10 R f ( always referring to the direction of flow, we)8 1883(. 
By)1 204 2 2953 3840 t ( ``write up'' and ``read down,'' both of which describe)9 2310(avoid the common, but confusing, phrases)5 1760 2 970 3960 t (upward flow.)1 532 1 970 4080 t (We extend the meaning of)4 1153 1 720 4236 t 10 S f (\243)1923 4236 w 10 R f (to)2028 4236 w 10 HB f (L)2157 4236 w 10 I f (*)2226 4236 w 10 R f (: for all)2 346 1 2276 4236 t 10 I f (x)2673 4236 w 10 R f (in)2768 4236 w 10 HB f (L)2897 4236 w 10 I f (*)2966 4236 w 10 R f (,)3016 4236 w 10 I f (x)3092 4236 w 10 S f (\243)3177 4236 w 10 B f (y)3273 4236 w 10 R f (,)3323 4236 w 10 B f (y)3399 4236 w 10 S f (\243)3490 4236 w 10 I f (x)3586 4236 w 10 R f ( \()1 41(, sup)1 215 2 3630 4236 t 10 I f (x)3894 4236 w 10 R f (,)3946 4236 w 10 B f (y)4003 4236 w 10 R f (\))4061 4236 w 10 S f (=)4151 4236 w 10 R f (inf \()1 152 1 4255 4236 t 10 I f (x)4415 4236 w 10 R f (,)4467 4236 w 10 B f (y)4524 4236 w 10 R f (\))4582 4236 w 10 S f (=)4672 4236 w 10 I f (x)4776 4236 w 10 R f (, and)1 220 1 4820 4236 t (sup \()1 180 1 720 4356 t 10 I f (x)908 4356 w 10 R f (,)960 4356 w 10 B f (n)1017 4356 w 10 R f (\))1081 4356 w 10 S f (=)1171 4356 w 10 R f (inf \()1 152 1 1275 4356 t 10 I f (x)1435 4356 w 10 R f (,)1487 4356 w 10 B f (n)1544 4356 w 10 R f (\))1608 4356 w 10 S f (=)1698 4356 w 10 B f (n)1802 4356 w 10 R f ( all)1 131(. For)1 220 2 1858 4356 t 10 I f (x)2240 4356 w 10 R f (in)2315 4356 w 10 HB f (L)2424 4356 w 10 R f (,)2485 4356 w 10 I f (x)2541 4356 w 10 S f (\243)2626 4356 w 10 I f (/)2640 4356 w 10 B f (n)2722 4356 w 10 R f (and)2808 4356 w 10 B f (n)2982 4356 w 10 S f (\243)3079 4356 w 10 I f (/ x)1 126 1 3093 4356 t 10 R f (. Also)1 269 1 3219 4356 t 10 B f (n)3518 4356 w 10 S f (\243)3615 4356 w 10 I f (/)3629 4356 w 10 B f (n)3711 4356 w 10 R f ( that \()2 243(. 
Note)1 274 2 3767 4356 t 10 HB f (L)4292 4356 w 10 I f (*)4361 4356 w 10 R f (,)4419 4356 w 10 S f (\243)4452 4356 w 10 R f (\) is not a lat-)4 525 1 4515 4356 t (tice, and that)2 541 1 720 4476 t 10 S f (\243)1300 4476 w 10 R f (is only partially transitive on)4 1210 1 1395 4476 t 10 HB f (L)2645 4476 w 10 I f (*)2714 4476 w 10 R f (in that)1 268 1 2804 4476 t 10 I f (L)3112 4476 w 7 R f (1)3179 4496 w 10 S f (\243)3263 4476 w 10 I f (L)3359 4476 w 7 R f (2)3426 4496 w 10 R f (and)3509 4476 w 10 I f (L)3693 4476 w 7 R f (2)3760 4496 w 10 S f (\243)3844 4476 w 10 I f (L)3940 4476 w 7 R f (3)4007 4496 w 10 R f (imply)4090 4476 w 10 I f (L)4364 4476 w 7 R f (1)4431 4496 w 10 S f (\243)4515 4476 w 10 I f (L)4611 4476 w 7 R f (3)4678 4496 w 10 R f (only if)1 279 1 4761 4476 t 10 I f (L)720 4596 w 7 R f (2)787 4616 w 10 S f (\316)871 4596 w 10 HB f (L)983 4596 w 10 R f (.)1044 4596 w 10 S1 f ()720 4752 w 720 4752 m 100 build_rh 820 4752 m 10 R f (Label)970 4752 w 10 B f (y)1226 4752 w 10 R f (\(yes\) is intended for files such as)6 1338 1 1305 4752 t 10 CW f (/dev/null)2672 4752 w 10 R f ( place)1 240( A)1 127( read or written.)3 652(that may always be)3 780 4 3241 4752 t (labeled)970 4872 w 10 B f (y)1286 4872 w 10 R f ( Label)1 279( unrelated to what goes in.)5 1064(is amnesiac; what comes out is)5 1250 3 1364 4872 t 10 B f (n)3984 4872 w 10 R f (\(no\) is intended for files)4 973 1 4067 4872 t (that may never be read or written except by trusted processes.)10 2463 1 970 4992 t 10 B f ( and superuser)2 634(2.3. Privileges)1 616 2 720 5232 t 10 R f ( status does not automatically confer write)6 1746(File permissions behave as always, except that superuser)7 2324 2 970 5388 t ( are still)2 342( restricted operations such as mounting a file system or changing userid)11 2981(permission. 
Historically)1 997 3 720 5508 t ( most such operations require privilege in addition to superuser status.)10 2800( However,)1 440(reserved to the superuser.)3 1019 3 720 5628 t ( stored with labels;)3 767( are)1 148( Privileges)1 452(There are two classes of privileges, called capabilities and licenses.)9 2703 4 970 5784 t (system calls that set and retrieve labels handle privileges at the same time.)12 2965 1 720 5904 t ( be given)2 376(Users may)1 428 2 970 6060 t 10 I f (licenses)1804 6060 w 10 R f ( may persist across)3 772( Licenses)1 404(to perform security-related tasks.)3 1334 3 2150 6060 t 10 I f (exec)4690 6060 w 10 R f (and)4896 6060 w ( must be run-)3 530( exercise a privilege, a process with a license for that privilege)11 2499( To)1 162(can be given up at any time.)6 1129 4 720 6180 t ( program marked with a corresponding)5 1615(ning a)1 258 2 720 6300 t 10 I f (capability.)2630 6300 w 10 R f (Thus, in general, sensitive actions can only be)7 1923 1 3117 6300 t (performed by trusted users using trusted software.)6 1999 1 720 6420 t ( the inherited licenses of)4 1024( licenses of an executable file augment)6 1612( The)1 216(Files, too, may have licenses.)4 1218 4 970 6576 t ( limited by a permanent maximum file license Lic)8 2094( licensing is)2 504( File)1 219(processes that execute the file.)4 1268 4 720 6696 t 7 R f (0)4810 6656 w 10 R f (; the)1 187 1 4853 6696 t (effective set of licenses for file)5 1232 1 720 6816 t 10 I f (f)1977 6816 w 10 R f ( \()1 41(is Lic)1 225 2 2030 6816 t 10 I f (f)2320 6816 w 10 R f (\))2372 6816 w 10 S f (\331)2421 6816 w 10 R f (Lic)2489 6816 w 7 R f (0)2627 6776 w 10 R f (.)2670 6816 w 10 S1 f ()720 6972 w 720 6972 m 100 build_rh 820 6972 m 10 R f ( user who can execute a licensed)6 1355( Any)1 231(File licensing is much like the classic set-userid mechanism.)8 2484 3 970 6972 t ( the effective userid, however, a)5 1301( Unlike)1 327( the program.)2 545(program automatically enjoys the privileges of)5 1897 4 970 7092 
t (license obtained from a file on)5 1217 1 970 7212 t 10 I f (exec)2212 7212 w 10 R f (is not inherited by child processes.)5 1382 1 2413 7212 t cleartomark showpage saveobj restore %%EndPage: 4 4 %%Page: 5 5 /saveobj save def mark 5 pagesetup 10 R f (- 5 -)2 166 1 2797 480 t ( parent \(ultimately from)3 990(Capabilities of a process are computed from the licenses inherited from its)11 3080 2 970 840 t (the initialization process\) and from the capabilities and licenses of the program it is executing; see \2473.3.)16 4320 1 720 960 t (The capabilities express the powers the process can acutally exercise.)9 2770 1 720 1080 t 10 S1 f ()720 1236 w 720 1236 m 100 build_rh 820 1236 m 10 R f ( to set userid, a superuser process must have capability Cap)10 2501(For example,)1 539 2 970 1236 t 7 R f (uarea)4021 1256 w 10 R f (\(\2473.3\); to initiate or)3 822 1 4218 1236 t ( have capability Cap)3 845(change accounting, it must)3 1101 2 970 1356 t 7 R f (log)2927 1376 w 10 R f (; and to mount a file system or make an external)10 2015 1 3025 1356 t (medium accessible, it must have capability Cap)6 1901 1 970 1476 t 7 R f (extern)2882 1496 w 10 R f (.)3065 1476 w 10 B f (2.4. Ingredients)1 689 1 720 1716 t 10 R f (The following notions are added to the usual)7 1784 1 970 1872 t 9 R f (UNIX)2777 1872 w 10 R f (model.)3027 1872 w 10 B f ( and ceilings)2 529(2.4.1. Labels)1 559 2 720 2112 t 10 R f (Each participant)1 661 1 720 2268 t 10 I f (x)1416 2268 w 10 R f (in data flow has a time-varying)5 1300 1 1496 2268 t 10 HB f (L)2832 2268 w 10 I f (*)2901 2268 w 10 R f (-valued label,)1 554 1 2951 2268 t 10 I f (L)3541 2268 w 10 R f (\()3605 2268 w 10 I f (x)3646 2268 w 10 R f (,)3698 2268 w 10 I f (t)3755 2268 w 10 R f (\), written)1 377 1 3791 2268 t 10 I f (L)4204 2268 w 10 R f (\()4268 2268 w 10 I f (x)4309 2268 w 10 R f (\) when)1 285 1 4361 2268 t 10 I f (t)4682 2268 w 10 R f (doesn't)4746 2268 w ( of processes and seek pointers are restricted to)8 1878(matter. 
Labels)1 596 2 720 2388 t 10 HB f (L)3219 2388 w 10 R f (.)3280 2388 w (Each participant)1 653 1 720 2544 t 10 I f (x)1400 2544 w 10 R f (in data flow has a time-varying)5 1260 1 1471 2544 t 10 HB f (L)2759 2544 w 10 I f (*)2828 2544 w 10 R f (-valued ceiling,)1 624 1 2878 2544 t 10 I f (C)3530 2544 w 10 R f (\()3605 2544 w 10 I f (x)3646 2544 w 10 R f (,)3698 2544 w 10 I f (t)3755 2544 w 10 R f (\), sometimes written)2 825 1 3791 2544 t 10 I f (C)4644 2544 w 10 R f (\()4719 2544 w 10 I f (x)4760 2544 w 10 R f (\). By)1 228 1 4812 2544 t (convention all files in file system)5 1390 1 720 2664 t 10 I f (FS)2147 2664 w 10 R f (share the same ceiling, called)4 1220 1 2295 2664 t 10 I f (C)3552 2664 w 10 R f (\()3627 2664 w 10 I f (FS)3668 2664 w 10 R f (\), i.e.)1 217 1 3787 2664 t 10 I f (C)4041 2664 w 10 R f (\()4116 2664 w 10 I f (f)4173 2664 w 10 R f (\))4225 2664 w 10 S f (=)4315 2664 w 10 I f (C)4419 2664 w 10 R f (\()4494 2664 w 10 I f (FS)4535 2664 w 10 R f (\()4654 2664 w 10 I f (f)4711 2664 w 10 R f ( By)1 178(\) \).)1 99 2 4763 2664 t (convention, any entity)2 891 1 720 2784 t 10 I f (x)1636 2784 w 10 R f (that lacks a specific ceiling has)5 1239 1 1705 2784 t 10 I f (C)2969 2784 w 10 R f (\()3044 2784 w 10 I f (x)3085 2784 w 10 R f (\))3137 2784 w 10 S f (=)3227 2784 w 10 UnivMath6 f (\301)3331 2784 w 10 R f (.)3414 2784 w (Each file system type has a default ceiling value.)8 1949 1 720 2940 t (Each file or process has a time-varying)6 1569 1 720 3096 t 10 I f (fixity)2316 3096 w 10 R f (attribute,)2543 3096 w 10 I f (F)2928 3096 w 10 R f (\()2997 3096 w 10 I f (f)3054 3096 w 10 R f (\) or)1 143 1 3106 3096 t 10 I f (F)3276 3096 w 10 R f (\()3345 3096 w 10 I f (p)3386 3096 w 10 R f ( governs the mutability of label)5 1267(\), which)1 329 2 3444 3096 t 10 I f (L)720 3216 w 10 R f (\()784 3216 w 10 I f (f)841 3216 w 10 R f (\) or)1 141 1 893 3216 t 10 I f (L)1059 3216 w 10 R f (\()1123 3216 w 10 I f (p)1164 3216 w 10 R f (\), and takes on values)4 862 1 1222 
3216 t 10 B f (loose)970 3372 w 10 R f (: Label or fixity may change.)5 1159 1 1181 3372 t 10 B f (frozen)970 3492 w 10 R f (: Label may not change; fixity may change.)7 1736 1 1241 3492 t 10 B f (rigid)970 3612 w 10 R f (: Fixity may not change; label may change only with privilege.)10 2512 1 1176 3612 t 10 B f (constant)970 3732 w 10 R f (: Neither label nor fixity may change.)6 1500 1 1331 3732 t (New system calls,)2 730 1 720 3888 t 10 I f (setflab)1478 3888 w 10 R f (,)1745 3888 w 10 I f (fsetflab)1798 3888 w 10 R f (,)2093 3888 w 10 I f (getflab, fgetflab, setplab)2 979 1 2146 3888 t 10 R f (,)3125 3888 w 10 I f (getplab)3178 3888 w 10 R f ( query labels and privileges of)5 1226(, set and)2 336 2 3478 3888 t (files and processes; see \2473.1.1.)4 1228 1 720 4008 t 10 B f ( and licenses)2 534(2.4.2. Capabilities)1 787 2 720 4248 t 10 R f ( set of time-varying boolean capabilities, further described in \2473.3:)9 3079(Each process or file has a)5 1241 2 720 4404 t (Cap)720 4524 w 7 R f (setpriv)892 4544 w 10 R f (\()1099 4524 w 10 I f (x)1140 4524 w 10 R f (,)1192 4524 w 10 I f (t)1249 4524 w 10 R f (\), Cap)1 253 1 1285 4524 t 7 R f (setlic)1549 4544 w 10 R f (\()1714 4524 w 10 I f (x)1755 4524 w 10 R f (,)1807 4524 w 10 I f (t)1864 4524 w 10 R f (\), Cap)1 253 1 1900 4524 t 7 R f (nochk)2164 4544 w 10 R f (\()2351 4524 w 10 I f (x)2392 4524 w 10 R f (,)2444 4524 w 10 I f (t)2501 4524 w 10 R f (\), Cap)1 252 1 2537 4524 t 7 R f (extern)2800 4544 w 10 R f (\()2991 4524 w 10 I f (x)3032 4524 w 10 R f (,)3084 4524 w 10 I f (t)3141 4524 w 10 R f (\), Cap)1 252 1 3177 4524 t 7 R f (uarea)3440 4544 w 10 R f (\()3607 4524 w 10 I f (x)3648 4524 w 10 R f (,)3700 4524 w 10 I f (t)3757 4524 w 10 R f (\), Cap)1 252 1 3793 4524 t 7 R f (log)4056 4544 w 10 R f (\()4162 4524 w 10 I f (x)4203 4524 w 10 R f (,)4255 4524 w 10 I f (t)4312 4524 w 10 R f ( six predi-)2 421(\). 
The)1 271 2 4348 4524 t ( \()1 41(cates together constitute a bit vector Cap)6 1643 2 720 4644 t 10 I f (x)2412 4644 w 10 R f (,)2464 4644 w 10 I f (t)2521 4644 w 10 R f ( may be written Cap)4 822(\). Predicates)1 521 2 2557 4644 t 7 R f (nochk)3911 4664 w 10 R f (\()4098 4644 w 10 I f (x)4139 4644 w 10 R f ( \()1 41(\), Cap)1 247 2 4191 4644 t 10 I f (x)4487 4644 w 10 R f ( on,)1 154(\), and so)2 347 2 4539 4644 t (when time is unimportant.)3 1050 1 720 4764 t 10 S1 f ()720 4920 w 720 4920 m 100 build_rh 820 4920 m 10 R f ( \()1 41(Capabilities Cap)1 669 2 970 4920 t 10 I f (p)1688 4920 w 10 R f ( capabilities of a process)4 1005( The)1 210(\) are rights of a process to override security policy.)9 2079 3 1746 4920 t ( \()1 41(are limited by the capabilities Cap)5 1368 2 970 5040 t 10 I f (f)2403 5040 w 10 R f (\) of the currently executing file)5 1244 1 2455 5040 t 10 I f (f)3724 5040 w 10 R f (and are not inherited.)3 848 1 3777 5040 t (Each process or file has a set of boolean licenses)9 1951 1 720 5196 t 10 I f (Uk)2697 5196 w 10 R f (\()2821 5196 w 10 I f (x)2862 5196 w 10 R f ( and together constitut-)3 930(\), subscripted like capabilities)3 1196 2 2914 5196 t ( \()1 41(ing a bit vector Lic)4 760 2 720 5316 t 10 I f (x)1529 5316 w 10 R f (\).)1581 5316 w ( file or process are collectively known as privileges and are denoted)11 2740(The set of capabilities and licenses of a)7 1580 2 720 5472 t (Priv \()1 208 1 720 5592 t 10 I f (f)952 5592 w 10 R f ( \()1 41(\) or Priv)2 333 2 1004 5592 t 10 I f (p)1386 5592 w 10 R f (\). 
A)1 180 1 1444 5592 t 10 I f (trusted)1649 5592 w 10 R f (predicate,)1952 5592 w 10 I f (T)2367 5592 w 10 R f (\()2431 5592 w 10 I f (x)2472 5592 w 10 R f (\), is defined on files as the logical OR of all the privileges,)12 2336 1 2524 5592 t 10 I f (T)2170 5772 w 10 R f (\()2234 5772 w 10 I f (f)2291 5772 w 10 R f (\))2343 5772 w 10 S f (=)2433 5772 w 7 I f (k)2557 5842 w 12 S f (\332)2537 5772 w 10 R f (\( Cap)1 202 1 2641 5772 t 7 I f (k)2854 5792 w 10 R f (\()2901 5772 w 10 I f (f)2958 5772 w 10 R f (\))3010 5772 w 10 S f (\332)3083 5772 w 10 R f (Lic)3175 5772 w 7 I f (k)3319 5792 w 10 R f (\()3366 5772 w 10 I f (f)3423 5772 w 10 R f ( ,)1 41(\) \))1 74 2 3475 5772 t (and on processes as the OR of the capabilities,)8 1855 1 720 6002 t 10 I f (T)2461 6182 w 10 R f (\()2525 6182 w 10 I f (p)2566 6182 w 10 R f (\))2624 6182 w 10 S f (=)2714 6182 w 7 I f (k)2838 6252 w 12 S f (\332)2818 6182 w 10 R f (Cap)2922 6182 w 7 I f (k)3094 6202 w 10 R f (\()3141 6182 w 10 I f (p)3182 6182 w 10 R f (\).)3240 6182 w 10 I f (maximum licenses Ux)2 870 1 720 6412 t 7 R f (0)1601 6372 w 10 R f (with collective vector Lic)3 1023 1 1669 6412 t 7 R f (0)2697 6372 w 10 R f (.)2740 6412 w ( of boolean)2 467(Each file system has a set)5 1063 2 720 6568 t 10 I f (privilege masks)1 633 1 2284 6568 t 10 R f (Cap)2951 6568 w 7 I f (k)3123 6588 w 10 R f (\()3170 6568 w 10 I f (FS)3211 6568 w 10 R f (\) and Lic)2 378 1 3330 6568 t 7 I f (k)3719 6588 w 10 R f (\()3766 6568 w 10 I f (FS)3807 6568 w 10 R f (\), subscripted like capabili-)3 1114 1 3926 6568 t ( \()1 41(ties, with collective vectors Cap)4 1279 2 720 6688 t 10 I f (FS)2048 6688 w 10 R f ( \()1 41(\), Lic)1 216 2 2167 6688 t 10 I f (FS)2432 6688 w 10 R f ( \()1 41(\), and Priv)2 419 2 2551 6688 t 10 I f (FS)3019 6688 w 10 R f (\).)3138 6688 w (Each file system type has a default privilege mask.)8 2027 1 720 6844 t cleartomark showpage saveobj restore %%EndPage: 5 5 %%Page: 6 6 /saveobj save def mark 6 pagesetup 10 R f (- 6 -)2 166 
1 2797 480 t 10 B f ( paths)1 259(2.4.3. Private)1 585 2 720 840 t 10 R f (Each open inode)2 695 1 720 996 t 10 I f (f)1455 996 w 10 R f (has a)1 217 1 1523 996 t 10 I f (pex state,)1 392 1 1780 996 t 10 R f (comprising a)1 534 1 2212 996 t 10 I f (holding process H)2 763 1 2786 996 t 10 R f (\()3557 996 w 10 I f (f)3614 996 w 10 R f (\), a boolean)2 498 1 3666 996 t 10 I f (accept pex)1 439 1 4205 996 t 10 R f (indicator)4685 996 w 10 I f (APX)720 1116 w 10 R f (\()911 1116 w 10 I f (f)968 1116 w 10 R f (\), and a)2 296 1 1020 1116 t 10 I f (pexity)1341 1116 w 10 R f (indicator)1604 1116 w 10 I f (X)1984 1116 w 10 R f (\()2053 1116 w 10 I f (f)2110 1116 w 10 R f (\), which can take on three values:)6 1338 1 2162 1116 t 10 B f (unpexed)970 1272 w 10 R f (:)1332 1272 w 10 I f (H)1385 1272 w 10 R f (\()1465 1272 w 10 I f (f)1522 1272 w 10 R f (\) is irrelevant.)2 557 1 1574 1272 t 10 B f (pexed)970 1392 w 10 R f (: Process)1 358 1 1220 1392 t 10 I f (H)1603 1392 w 10 R f (\()1683 1392 w 10 I f (f)1740 1392 w 10 R f (\) has exclusive access to)4 975 1 1792 1392 t 10 I f (f)2792 1392 w 10 R f (.)2820 1392 w 10 B f (unpexing)970 1512 w 10 R f (:)1366 1512 w 10 I f (f)1419 1512 w 10 R f (is unusable by any process until becoming)6 1693 1 1472 1512 t 10 B f (unpexed)3190 1512 w 10 R f (.)3552 1512 w (A new family of IO controls manipulates the pex state; see \2473.7.2.)11 2646 1 720 1668 t ( has a)2 239(Each stream)1 495 2 720 1824 t 10 I f (stream identifier,)1 695 1 1485 1824 t 10 R f ( identifiers are retrieved by an IO)6 1365( Stream)1 339(which is an arbitrary string.)4 1125 3 2211 1824 t (control and set by a privileged IO control; see \2473.7.3.)9 2130 1 720 1944 t 10 S1 f ()720 2100 w 720 2100 m 100 build_rh 820 2100 m 10 R f ( pipes, terminals, and communication ports; pipes may be mounted in)10 2792(In v10 and IX streams comprise)5 1278 2 970 2100 t ( stream identifier conventionally holds security-related information such as the)9 3229( The)1 214( system.)1 
337(the file)1 290 4 970 2220 t (trustedness and authentication record of a terminal port.)7 2229 1 970 2340 t 10 B f (2.4.4. Auditing)1 654 1 720 2580 t 10 R f (Each process)1 523 1 720 2736 t 10 I f (p)1268 2736 w 10 R f (has a)1 203 1 1343 2736 t 10 I f (audit mask, AM)2 632 1 1572 2736 t 10 R f (\()2212 2736 w 10 I f (p)2253 2736 w 10 R f (\). A)1 181 1 2311 2736 t 10 I f (system audit mask, SAM)3 974 1 2518 2736 t 10 R f (, determines the base level of auditing.)6 1548 1 3492 2736 t (Each file has a)3 599 1 720 2856 t 10 I f (poison class, PC)2 680 1 1349 2856 t 10 R f (\()2037 2856 w 10 I f (f)2094 2856 w 10 R f ( each poison)2 507( For)1 193( through 3.)2 444(\), which takes integer values in the range 0)8 1750 4 2146 2856 t (class)720 2976 w 10 I f (i)939 2976 w 10 R f (there is a)2 360 1 992 2976 t 10 I f (poison mask, PM)2 691 1 1377 2976 t 10 R f ([)2076 2976 w 10 I f (i)2117 2976 w 10 R f (].)2153 2976 w 10 S1 f ()720 3132 w 720 3132 m 100 build_rh 820 3132 m 10 R f ( poison)1 304( The)1 217( are inherited across fork and exec.)6 1464(Process audit masks control auditing coverage and)6 2085 4 970 3132 t ( that augments the audit mask of each process that deals with)11 2460(class of a file determines a poison mask)7 1610 2 970 3252 t (the file; see \2473.6.8.)3 760 1 970 3372 t (Logging data is collected in a new kind of special file; see \2473.4.8.)12 2621 1 720 3528 t (A new system call)3 735 1 720 3684 t 10 I f (syslog)1480 3684 w 10 R f (controls auditing; see \2473.6.8.)3 1155 1 1755 3684 t 10 B f (2.4.5. 
Miscellaneous)1 875 1 720 3924 t 10 R f (There are two new file modes:)5 1216 1 720 4080 t 10 CW f (S_IAPPEND)970 4236 w 10 R f (forces all writing to occur at the end of the file and prevents truncation by)14 2944 1 1535 4236 t 10 I f (creat)4504 4236 w 10 R f (.)4709 4236 w 10 CW f (S_IBLIND)970 4392 w 10 R f (makes a directory unreadable and immune to label checking; see \2473.4.7.)10 2880 1 1475 4392 t (There are two new error return codes:)6 1505 1 720 4548 t 10 CW f (ELAB)970 4704 w 10 R f (is returned for security label violations; see \2473.2.6.)7 2025 1 1235 4704 t 10 CW f (EPRIV)970 4860 w 10 R f (is returned for lack of privilege; see \2473.2.7.)7 1724 1 1295 4860 t (A new signal,)2 552 1 720 5016 t 10 CW f (SIGLAB,)1297 5016 w 10 R f (detects changes in labels of open files; see \2473.2.5.)8 1988 1 1742 5016 t (The old signal)2 572 1 720 5172 t 10 CW f (SIGPIPE)1317 5172 w 10 R f (may be triggered in a new way; see \2473.2.6.)8 1710 1 1762 5172 t (Each file descriptor in each process has a)7 1642 1 720 5328 t 10 I f (safe-to-write)2387 5328 w 10 R f (bit, a)1 200 1 2923 5328 t 10 I f (safe-to-read)3148 5328 w 10 R f (bit, and an)2 419 1 3661 5328 t 10 I f (exempt)4105 5328 w 10 R f (bit; see \2473.6.5.)2 586 1 4412 5328 t (A new system call,)3 760 1 720 5484 t 10 I f (unsafe,)1505 5484 w 10 R f (queries and resets safe-to-read and safe-to-write bits; see \2473.6.9.)8 2562 1 1816 5484 t (A new system call,)3 760 1 720 5640 t 10 I f (nochk,)1505 5640 w 10 R f (changes exempt bits; see \2473.6.5 and \2473.6.9.)6 1734 1 1793 5640 t (Two old system calls,)3 872 1 720 5796 t 10 I f (seek)1617 5796 w 10 R f (and)1813 5796 w 10 I f (tell,)1982 5796 w 10 R f (have been recalled to active duty; see \2473.5.14 and \2473.5.18.)9 2334 1 2160 5796 t 10 B f ( policy)1 281(2.5. 
Formal)1 516 2 720 6036 t 10 R f (In the policy statements below, variables)5 1686 1 970 6192 t 10 I f (t)2692 6192 w 7 R f (0)2731 6212 w 10 R f (and)2810 6192 w 10 I f (t)2990 6192 w 7 R f (1)3029 6212 w 10 R f (represent times such that)3 1026 1 3108 6192 t 10 I f (t)4171 6192 w 7 R f (0)4210 6212 w 10 S f (\243)4294 6192 w 10 I f (t)4390 6192 w 7 R f (1)4429 6212 w 10 R f ( entities)1 326(. The)1 242 2 4472 6192 t (among which flows occur are not designated; for a complete list of recognized flows, see Table \2473.1.1.)16 4108 1 720 6312 t (Certain system calls)2 827 1 970 6468 t 10 I f (renew)1833 6468 w 10 R f ( memory of)2 490(entities; a renewed entity is actually or nominally bereft of)9 2437 2 2113 6468 t ( an entity)2 376( If)1 118(past contents.)1 547 3 720 6588 t 10 I f (x)1788 6588 w 10 R f (is renewed in the interval)4 1017 1 1859 6588 t 10 I f (t)2903 6588 w 7 R f (0)2942 6608 w 10 R f (to)3012 6588 w 10 I f (t)3117 6588 w 7 R f (1)3156 6608 w 10 R f (, there is no persistent flow)5 1092 1 3199 6588 t 10 I f (x)4318 6588 w 10 S f (\256)4403 6588 w 10 I f (x)4543 6588 w 10 R f (across that)1 426 1 4614 6588 t ( following actions are recognized as renewals.)6 1842(interval. 
The)1 535 2 720 6708 t (Seeking relative to beginning of file renews the seek pointer.)9 2429 1 970 6864 t (Setting a process ceiling renews the ceiling.)6 1750 1 970 7020 t (Setting a file label away from)5 1184 1 970 7176 t 10 B f (n)2179 7176 w 10 R f (renews the file.)2 612 1 2260 7176 t cleartomark showpage saveobj restore %%EndPage: 6 6 %%Page: 7 7 /saveobj save def mark 7 pagesetup 10 R f (- 7 -)2 166 1 2797 480 t 10 S1 f ()720 840 w 720 840 m 100 build_rh 820 840 m 10 R f (Files labeled)1 508 1 970 840 t 10 B f (n)1503 840 w 10 R f ( reclassifying to)2 638( Thus)1 250(are unobservable in the absence of privilege.)6 1781 3 1584 840 t 10 B f (n)4278 840 w 10 R f (is harmless.)1 472 1 4359 840 t 10 S1 f ()720 996 w 720 996 m 100 build_rh 820 996 m 10 I f (Exec)970 996 w 10 R f ( considered to be a renewal, but our understanding that)9 2217(with no arguments could be)4 1118 2 1190 996 t 10 I f (exec)4553 996 w 10 R f (starts a)1 283 1 4757 996 t (new process makes that unnecessary.)4 1482 1 970 1116 t 10 B f ( policy)1 281(2.5.1. 
Generic)1 613 2 720 1356 t 10 R f ( process may deviate from the policy)6 1487( Trusted)1 357(The policy is to be observed by all untrusted processes.)9 2226 3 970 1512 t (only in ways recorded as ``exceptions.'')5 1601 1 720 1632 t 10 B f (Upward flow.)1 583 1 720 1788 t 10 R f (If a flow)2 343 1 1353 1788 t 10 I f (x)1721 1788 w 10 S f (\256)1806 1788 w 10 I f (y)1946 1788 w 10 R f (occurs at time)2 560 1 2015 1788 t 10 I f (t)2600 1788 w 10 R f (, it must be upward.)4 794 1 2628 1788 t 10 I f (L)970 1944 w 10 R f (\()1034 1944 w 10 I f (x)1075 1944 w 10 R f (,)1127 1944 w 10 I f (t)1184 1944 w 10 R f (\))1220 1944 w 10 S f (\243)1302 1944 w 10 I f (L)1398 1944 w 10 R f (\()1462 1944 w 10 I f (y)1503 1944 w 10 R f (,)1555 1944 w 10 I f (t)1612 1944 w 10 R f (\))1648 1944 w (Exception: either)1 685 1 720 2100 t 10 I f (x)1430 2100 w 10 R f (or)1499 2100 w 10 I f (y)1607 2100 w 10 R f (is a process)2 460 1 1676 2100 t 10 I f (p)2161 2100 w 10 R f (and Cap)1 330 1 2236 2100 t 7 R f (nochk)2577 2120 w 10 R f (\()2764 2100 w 10 I f (p)2805 2100 w 10 R f (,)2863 2100 w 10 I f (t)2920 2100 w 10 R f (\) is true.)2 330 1 2956 2100 t 10 B f (Monotone labels.)1 730 1 720 2256 t 10 R f (A persistent flow)2 692 1 1502 2256 t 10 I f (x)2221 2256 w 10 S f (\256)2306 2256 w 10 I f (x)2446 2256 w 10 R f (must be upward unless)3 919 1 2517 2256 t 10 I f (L)3463 2256 w 10 R f (\()3527 2256 w 10 I f (x)3568 2256 w 10 R f (,)3620 2256 w 10 I f (t)3677 2256 w 7 R f (1 \))1 63 1 3716 2276 t 10 S f (=)3836 2256 w 10 B f (n)3940 2256 w 10 R f ( it is harmless to rela-)5 878(. 
so)1 166 2 3996 2256 t (bel a file)2 349 1 720 2376 t 10 B f (n)1094 2376 w 10 R f (.)1150 2376 w 10 I f (L)970 2532 w 10 R f (\()1034 2532 w 10 I f (x)1075 2532 w 10 R f (,)1127 2532 w 10 I f (t)1184 2532 w 7 R f (0)1223 2552 w 10 R f (\))1274 2532 w 10 S f (\243)1356 2532 w 10 I f (L)1452 2532 w 10 R f (\()1516 2532 w 10 I f (x)1557 2532 w 10 R f (,)1609 2532 w 10 I f (t)1666 2532 w 7 R f (1)1705 2552 w 10 R f (\))1756 2532 w 10 S1 f ()720 2688 w 720 2688 m 100 build_rh 820 2688 m 10 R f (A file labeled)2 543 1 970 2688 t 10 B f (n)1538 2688 w 10 R f (is inaccessible to untrusted processes,)4 1506 1 1619 2688 t 10 B f (Impenetrable Ceilings.)1 977 1 720 2844 t 10 R f (If a flow)2 353 1 1752 2844 t 10 I f (x)2136 2844 w 10 S f (\256)2221 2844 w 10 I f (y)2361 2844 w 10 R f (occurs at time)2 572 1 2436 2844 t 10 I f (t)3039 2844 w 10 R f (, it must respect the ceiling of the causative pro-)9 1973 1 3067 2844 t (cess)720 2964 w 10 I f (p)911 2964 w 10 R f (, and any ceilings of the participating entities.)7 1823 1 961 2964 t (sup \()1 180 1 970 3120 t 10 I f (L)1158 3120 w 10 R f (\()1222 3120 w 10 I f (x)1263 3120 w 10 R f (,)1315 3120 w 10 I f (t)1372 3120 w 10 R f (\) ,)1 74 1 1408 3120 t 10 I f (L)1523 3120 w 10 R f (\()1587 3120 w 10 I f (y)1628 3120 w 10 R f (,)1680 3120 w 10 I f (t)1737 3120 w 10 R f (\) \))1 74 1 1773 3120 t 10 S f (\243)1896 3120 w 10 R f (inf \()1 152 1 1992 3120 t 10 I f (C)2152 3120 w 10 R f (\()2227 3120 w 10 I f (p)2268 3120 w 10 R f (,)2326 3120 w 10 I f (t)2383 3120 w 10 R f (\) ,)1 74 1 2419 3120 t 10 I f (C)2534 3120 w 10 R f (\()2609 3120 w 10 I f (x)2650 3120 w 10 R f (,)2702 3120 w 10 I f (t)2759 3120 w 10 R f (\) ,)1 74 1 2795 3120 t 10 I f (C)2910 3120 w 10 R f (\()2985 3120 w 10 I f (y)3026 3120 w 10 R f (,)3078 3120 w 10 I f (t)3135 3120 w 10 R f (\) \))1 74 1 3171 3120 t (Exception: either)1 685 1 720 3276 t 10 I f (x)1430 3276 w 10 R f (or)1499 3276 w 10 I f (y)1607 3276 w 10 R f (is a process)2 460 1 1676 3276 t 10 I f 
(p)2161 3276 w 10 R f (and Cap)1 330 1 2236 3276 t 7 R f (nochk)2577 3296 w 10 R f (\()2764 3276 w 10 I f (p)2805 3276 w 10 R f (,)2863 3276 w 10 I f (t)2920 3276 w 10 R f (\) is true.)2 330 1 2956 3276 t 10 B f (Monotone ceilings.)1 800 1 720 3432 t 10 R f (A ceiling can only decrease.)4 1127 1 1570 3432 t 10 I f (C)970 3588 w 10 R f (\()1045 3588 w 10 I f (x)1086 3588 w 10 R f (,)1138 3588 w 10 I f (t)1195 3588 w 7 R f (1)1234 3608 w 10 R f (\))1285 3588 w 10 S f (\243)1367 3588 w 10 I f (C)1463 3588 w 10 R f (\()1538 3588 w 10 I f (x)1579 3588 w 10 R f (,)1631 3588 w 10 I f (t)1688 3588 w 7 R f (0)1727 3608 w 10 R f (\))1778 3588 w (Exception:)720 3744 w 10 I f (x)1178 3744 w 10 R f (is a process)2 460 1 1247 3744 t 10 I f (p)1732 3744 w 10 R f (and Cap)1 330 1 1807 3744 t 7 R f (setlic)2148 3764 w 10 R f (\()2313 3744 w 10 I f (p)2354 3744 w 10 R f (,)2412 3744 w 10 I f (t)2469 3744 w 7 R f (0)2508 3764 w 10 R f (\) is true.)2 330 1 2559 3744 t 10 B f (Inherited ceilings.)1 776 1 720 3900 t 10 R f (At the time)2 468 1 1555 3900 t 10 I f (t)2057 3900 w 7 R f (0)2096 3920 w 10 R f (of starting, the ceiling of a new process)7 1632 1 2173 3900 t 10 I f (q)3839 3900 w 10 R f ( that of the)3 460(is dominated by)2 657 2 3923 3900 t (process)720 4020 w 10 I f (p)1044 4020 w 10 R f (that started it.)2 547 1 1119 4020 t 10 I f (C)970 4176 w 10 R f (\()1045 4176 w 10 I f (q)1086 4176 w 10 R f (,)1144 4176 w 10 I f (t)1201 4176 w 7 R f (0)1240 4196 w 10 R f (\))1291 4176 w 10 S f (\243)1373 4176 w 10 I f (C)1469 4176 w 10 R f (\()1544 4176 w 10 I f (p)1585 4176 w 10 R f (,)1643 4176 w 10 I f (t)1700 4176 w 7 R f (0)1739 4196 w 10 R f (\))1790 4176 w ( of flows)2 383(In the absence of privilege, the policy forbids a chain)9 2240 2 970 4332 t 10 I f (x)3632 4332 w 7 R f (0)3687 4352 w 10 S f (\256)3771 4332 w 10 I f (x)3911 4332 w 7 R f (1)3966 4352 w 10 S f (\256)4050 4332 w 10 R f (. . 
.)2 125 1 4215 4307 t 10 S f (\256)4406 4332 w 10 I f (x)4546 4332 w 7 I f (n)4601 4352 w 10 R f (, between)1 396 1 4644 4332 t (entities observed at times)3 1046 1 720 4452 t 10 I f (t)1802 4452 w 7 R f (0)1841 4472 w 10 S f (\243)1925 4452 w 10 I f (t)2021 4452 w 7 R f (1)2060 4472 w 10 S f (\243)2144 4452 w 10 R f (. . .)2 125 1 2265 4427 t 10 S f (\243)2456 4452 w 10 I f (t)2552 4452 w 7 I f (n)2591 4472 w 10 R f (, where)1 304 1 2634 4452 t 10 I f (L)2974 4452 w 10 R f (\()3038 4452 w 10 I f (x)3079 4452 w 7 R f (0)3134 4472 w 10 R f (,)3185 4452 w 10 I f (t)3242 4452 w 7 R f (0)3281 4472 w 10 R f (\))3332 4452 w 10 S f (\243)3414 4452 w 10 I f (/ L)1 138 1 3428 4452 t 10 R f (\()3574 4452 w 10 I f (x)3615 4452 w 7 I f (n)3670 4472 w 10 R f (,)3721 4452 w 10 I f (t)3778 4452 w 7 I f (n)3817 4472 w 10 R f ( label policy also for-)4 898(\). The)1 274 2 3868 4452 t (bids such a chain of flows when)6 1281 1 720 4572 t 10 I f (L)2026 4572 w 10 R f (\()2090 4572 w 10 I f (x)2131 4572 w 7 I f (n)2186 4592 w 10 R f (,)2237 4572 w 10 I f (t)2294 4572 w 7 R f (0)2333 4592 w 10 R f (\) is defined and)3 618 1 2384 4572 t 10 I f (L)3027 4572 w 10 R f (\()3091 4572 w 10 I f (x)3132 4572 w 7 I f (n)3187 4592 w 10 R f (,)3238 4572 w 10 I f (t)3295 4572 w 7 R f (0)3334 4592 w 10 R f (\))3385 4572 w 10 S f (\243)3467 4572 w 10 I f (/ C)1 149 1 3481 4572 t 10 R f (\()3638 4572 w 10 I f (x)3679 4572 w 7 I f (n)3734 4592 w 10 R f (,)3785 4572 w 10 I f (t)3842 4572 w 7 R f (0)3881 4592 w 10 R f (\).)3932 4572 w 10 S1 f ()720 4728 w 720 4728 m 100 build_rh 820 4728 m 10 R f ( and flows and then assuring that each flow)8 1738(Correct implementation depends on identifying all entities)6 2332 2 970 4728 t (respects the policy.)2 768 1 970 4848 t 10 B f ( policy)1 281(2.5.2. 
Privilege)1 652 2 720 5088 t 10 R f (These rules do not address the initial setting of capabilities in a process; see \2473.3.)14 3246 1 970 5244 t 10 B f (Monotone capabilities.)1 967 1 720 5400 t 10 R f (The capabilities of a process)4 1136 1 1737 5400 t 10 I f (p)2898 5400 w 10 R f (can only decrease.)2 733 1 2973 5400 t (Cap \()1 202 1 970 5556 t 10 I f (p)1180 5556 w 10 R f (,)1238 5556 w 10 I f (t)1295 5556 w 7 R f (1)1334 5576 w 10 R f (\))1385 5556 w 10 S f (\243)1467 5556 w 10 R f (Cap \()1 202 1 1563 5556 t 10 I f (p)1773 5556 w 10 R f (,)1831 5556 w 10 I f (t)1888 5556 w 7 R f (0)1927 5576 w 10 R f (\))1978 5556 w 10 B f (Monotone licenses.)1 805 1 720 5712 t 10 R f (The licenses of a process)4 997 1 1575 5712 t 10 I f (p)2597 5712 w 10 R f (can only decrease.)2 733 1 2672 5712 t (Lic \()1 174 1 970 5868 t 10 I f (p)1152 5868 w 10 R f (,)1210 5868 w 10 I f (t)1267 5868 w 7 R f (1)1306 5888 w 10 R f (\))1357 5868 w 10 S f (\243)1439 5868 w 10 R f (Lic \()1 174 1 1535 5868 t 10 I f (p)1717 5868 w 10 R f (,)1775 5868 w 10 I f (t)1832 5868 w 7 R f (0)1871 5888 w 10 R f (\))1922 5868 w (Exception: Cap)1 619 1 720 6024 t 7 R f (setlic)1350 6044 w 10 R f (\()1515 6024 w 10 I f (p)1556 6024 w 10 R f (,)1614 6024 w 10 I f (t)1671 6024 w 7 R f (0)1710 6044 w 10 R f (\) is true.)2 330 1 1761 6024 t 10 B f (Inherited licenses.)1 780 1 720 6180 t 10 R f (At the time)2 466 1 1558 6180 t 10 I f (t)2057 6180 w 7 R f (0)2096 6200 w 10 R f ( the license of a new process)6 1195(of starting,)1 441 2 2172 6180 t 10 I f (q)3842 6180 w 10 R f (is dominated by that of the)5 1114 1 3926 6180 t (process)720 6300 w 10 I f (p)1044 6300 w 10 R f (that started it.)2 547 1 1119 6300 t (Lic \()1 174 1 970 6456 t 10 I f (q)1152 6456 w 10 R f (,)1210 6456 w 10 I f (t)1267 6456 w 7 R f (0)1306 6476 w 10 R f (\))1357 6456 w 10 S f (\243)1439 6456 w 10 R f (Lic \()1 174 1 1535 6456 t 10 I f (p)1717 6456 w 10 R f (,)1775 6456 w 10 I f (t)1832 6456 w 7 R f (0)1871 6476 w 10 R f (\))1922 6456 
w 10 B f (Persistent file privilege.)2 1001 1 720 6612 t 10 R f (The privileges of a file cannot be changed.)7 1701 1 1771 6612 t (Priv \()1 208 1 970 6768 t 10 I f (f)1202 6768 w 10 R f (,)1254 6768 w 10 I f (t)1311 6768 w 7 R f (1)1350 6788 w 10 R f (\))1401 6768 w 10 S f (=)1491 6768 w 10 R f (Priv \()1 208 1 1595 6768 t 10 I f (f)1827 6768 w 10 R f (,)1879 6768 w 10 I f (t)1936 6768 w 7 R f (0)1975 6788 w 10 R f (\))2026 6768 w (Exception: process)1 757 1 720 6924 t 10 I f (p)1502 6924 w 10 R f (with capability Cap)2 783 1 1577 6924 t 7 R f (setpriv)2371 6944 w 10 R f (\()2578 6924 w 10 I f (p)2619 6924 w 10 R f (,)2677 6924 w 10 I f (t)2734 6924 w 10 R f (\) causes a change during)4 980 1 2770 6924 t 10 I f (t)3775 6924 w 7 R f (0)3814 6944 w 10 S f (\243)3898 6924 w 10 I f (t)3994 6924 w 10 S f (\243)4063 6924 w 10 I f (T)4159 6924 w 7 R f (1)4226 6944 w 10 R f (.)4269 6924 w 10 B f (Persistent trusted files.)2 973 1 720 7080 t 10 R f (A trusted file)2 527 1 1743 7080 t 10 I f (f)2295 7080 w 10 R f (cannot be written into.)3 899 1 2348 7080 t 10 I f (x)970 7236 w 10 S f (\256)1055 7236 w 10 I f (f)1203 7236 w 10 S f ( \330)1 120(= >)1 126 2 1296 7236 t 10 I f (T)1550 7236 w 10 R f (\()1614 7236 w 10 I f (f)1671 7236 w 10 R f (\).)1723 7236 w cleartomark showpage saveobj restore %%EndPage: 7 7 %%Page: 8 8 /saveobj save def mark 8 pagesetup 10 R f (- 8 -)2 166 1 2797 480 t 10 B f (3. Details)1 419 1 720 840 t 10 R f ( specifies security check calculations \(\2473.1\), the effect of label changes and)11 3170(This section)1 500 2 970 996 t 10 CW f (SIGLAB)4680 996 w 10 R f ( privilege mechanism \(\2473.3\), labels of special files \(\2473.4\), new system calls \(\2473.6\), and special)14 3897(\(\2473.2\), the)1 423 2 720 1116 t (security behavior of system calls \(\2473.5, \2473.7\).)6 1825 1 720 1236 t 10 B f ( checks)1 308(3.1. 
Security)1 555 2 720 1476 t 10 R f ( system)1 306( Each)1 252( are made for system calls that refer to files or file descriptors.)12 2516(Standard security checks)2 996 4 970 1632 t ( security check calculation specified in table \2473.1.1 below, as elaborated in sec-)12 3221(call is first subjected to the)5 1099 2 720 1752 t ( security checks return error)4 1122( Failed)1 301(tions \2473.5, \2473.6, and \2473.7.)4 1043 3 720 1872 t 10 CW f (ELAB)3212 1872 w 10 R f (\(\2473.2.6\) or)1 426 1 3479 1872 t 10 CW f (EPRIV)3932 1872 w 10 R f (\(\2473.2.7\) unless oth-)2 781 1 4259 1872 t (erwise specified.)1 670 1 720 1992 t ( the data flows caused by each system call, lists the standard checks per-)13 3044(Table \2473.1.1 summarizes)2 1026 2 970 2148 t ( are)1 169( calls have special checks, which)5 1433( Some)1 302(formed for each call, and indicates renewal possibilities.)7 2416 4 720 2268 t ( standard checks are)3 805( The)1 205(described in sections referred to in the Notes column.)8 2132 3 720 2388 t (READ\()970 2544 w 10 I f (d)1275 2544 w 10 R f ( a)1 69(\) for)1 261 2 1325 2544 t 10 I f (read)1680 2544 w 10 R f (call with descriptor)2 771 1 1888 2544 t 10 I f (d)2684 2544 w 10 R f (\(\2473.1.3\))2759 2544 w (WRITE\()970 2700 w 10 I f (d)1319 2700 w 10 R f ( a)1 69(\) for)1 217 2 1369 2700 t 10 I f (write)1680 2700 w 10 R f (call with descriptor)2 771 1 1911 2700 t 10 I f (d)2707 2700 w 10 R f (\(\2473.1.4\))2782 2700 w (R\()970 2856 w 10 I f (x)1070 2856 w 10 R f ( retrieving other data from an object)6 1441(\) for)1 466 2 1114 2856 t 10 I f (x)3046 2856 w 10 R f (, as in)2 236 1 3090 2856 t 10 I f (stat)3351 2856 w 10 R f (\(\2473.1.5\))3521 2856 w (RS\()970 3012 w 10 I f (d)1126 3012 w 10 R f ( retrieving the seek pointer of file descriptor)7 1760(\) for)1 410 2 1176 3012 t 10 I f (d)3371 3012 w 10 R f (\(\2473.1.6\))3446 3012 w (W\()970 3168 w 10 I f (x)1097 3168 w 10 R f ( assigning other data to an object)6 1315(\) for)1 445 2 1141 3168 t 10 I f (x)2926
3168 w 10 R f (\(\2473.1.7\))2995 3168 w (WS\()970 3324 w 10 I f (d)1153 3324 w 10 R f ( assigning to the seek pointer of file descriptor)8 1853(\) for)1 383 2 1203 3324 t 10 I f (d)3464 3324 w 10 R f (\(\2473.1.8\))3539 3324 w (RD\()970 3480 w 10 I f (f)1142 3480 w 10 R f ( interpreting a file name)4 959(\) for)1 416 2 1170 3480 t 10 I f (f)2570 3480 w 10 R f (\(\2473.1.9\))2623 3480 w (WRD\()970 3636 w 10 I f (f)1236 3636 w 10 R f ( writing a file name)4 782(\) for)1 322 2 1264 3636 t 10 I f (f)2393 3636 w 10 R f (in a directory \(\2473.1.10\))3 923 1 2446 3636 t (P\()970 3792 w 10 I f (f)1059 3792 w 10 R f ( access \(\2473.1.11\))2 670(\) process-exclusive)1 1092 2 1087 3792 t (Cap)970 3948 w 7 R f (log)1142 3968 w 10 R f (Cap)1470 3948 w 7 R f (log)1642 3968 w 10 R f (\()1748 3948 w 10 I f (p)1789 3948 w 10 R f (\) must be true)3 552 1 1847 3948 t (Cap)970 4104 w 7 R f (extern)1142 4124 w 10 R f (Cap)1470 4104 w 7 R f (extern)1642 4124 w 10 R f (\()1833 4104 w 10 I f (p)1874 4104 w 10 R f (\) must be true)3 552 1 1932 4104 t (Cap)970 4260 w 7 R f (uarea)1142 4280 w 10 R f (Cap)1470 4260 w 7 R f (uarea)1642 4280 w 10 R f (\()1809 4260 w 10 I f (p)1850 4260 w 10 R f (\) must be true if superuser status is required)8 1747 1 1908 4260 t ( access rights\) obtained only through error returns is not normally)10 2754(Information \(usually concerning)2 1316 2 970 4416 t ( \(such as link counts\) created as side effects of system calls is)12 2672( Information)1 545( security checks.)2 698(subject to)1 405 4 720 4536 t (checked unless checking would seriously impair utility.)6 2223 1 720 4656 t ( flow column refer to covert flows)6 1375( entries in the data)4 732( Bracketed)1 454(Data flows marked * are not checked.)6 1509 4 970 4812 t (that are checked, although they do not count as data flows in the strict sense of \2472.1.)16 3364 1 720 4932 t 10 S1 f ()720 5088 w 720 5088 m 100 build_rh 820 5088 m 10 R f ( to infer the value of a seek pointer from the bits delivered 
by a read,)15 2783(For example, it may be possible)5 1287 2 970 5088 t ( a flow [)3 368( Hence)1 316(although the value is not delivered directly.)6 1806 3 970 5208 t 10 I f (s)3468 5208 w 10 S f (\256)3515 5208 w 10 I f (p)3622 5208 w 10 R f (] is attributed to the)4 827 1 3680 5208 t 10 I f (read)4543 5208 w 10 R f (system)4762 5208 w (call.)970 5328 w (Symbols)970 5484 w 10 I f (f)1352 5484 w 10 R f (,)1380 5484 w 10 I f (d)1436 5484 w 10 R f (, and)1 200 1 1486 5484 t 10 I f (s)1717 5484 w 10 R f ( table denote the file, file descriptor, and seek pointer \(if any\))11 2524(in the body of the)4 729 2 1787 5484 t ( for a system call with a file descriptor argument)9 1938( Thus)1 250( arguments of the system call.)5 1193(referred to by the)3 692 4 720 5604 t 10 I f (d)4818 5604 w 10 R f (, the)1 172 1 4868 5604 t (symbol)720 5724 w 10 I f (f)1042 5724 w 10 R f (means)1097 5724 w 10 I f (f)1379 5724 w 10 R f (\()1423 5724 w 10 I f (d)1464 5724 w 10 R f (\) and)1 204 1 1522 5724 t 10 I f (s)1753 5724 w 10 R f (means)1820 5724 w 10 I f (s)2103 5724 w 10 R f (\()2150 5724 w 10 I f (d)2191 5724 w 10 R f ( Symbol)1 365( distinguish multiple file arguments.)4 1460(\). Subscripts)1 528 3 2249 5724 t 10 I f (q)4630 5724 w 10 R f (refers to)1 332 1 4708 5724 t ( new process after)3 728(another process, in particular the)4 1317 2 720 5844 t 10 I f (exec)2792 5844 w 10 R f (;)2968 5844 w 10 I f (u)3023 5844 w 10 R f (\()3081 5844 w 10 I f (p)3122 5844 w 10 R f (\) and)1 204 1 3180 5844 t 10 I f (u)3411 5844 w 10 R f (\()3469 5844 w 10 I f (q)3510 5844 w 10 R f (\) denote the user areas of the respec-)7 1472 1 3568 5844 t (tive processes;)1 585 1 720 5964 t 10 I f (u)1330 5964 w 10 R f (is short for)2 433 1 1405 5964 t 10 I f (u)1863 5964 w 10 R f (\()1921 5964 w 10 I f (p)1962 5964 w 10 R f ( remaining codes used in the table are)7 1505(\). 
The)1 263 2 2020 5964 t ( about inode inferable through error return)6 1690(i information)1 872 2 970 6120 t ( write to)2 333(p implicit)1 712 2 970 6276 t 10 CW f (/proc)2040 6276 w 10 R f (or to inode of)3 541 1 2365 6276 t 10 CW f (/proc/)2931 6276 w 10 I f (p)3291 6276 w 10 R f ( uarea, readable through)3 1026( write in)2 373(u implicit)1 712 3 970 6432 t 10 CW f (/proc/)3127 6432 w 10 I f (p)3487 6432 w 10 CW f (; contrast with explicit)3 1503 1 3537 6432 t (write)1370 6552 w 10 I f (p)1730 6552 w 10 S f (\256)1856 6552 w 10 I f (u)2031 6552 w 10 R f (X abolish)1 689 1 970 6708 t 10 S1 f ()720 6864 w 720 6864 m 100 build_rh 820 6864 m 10 R f (Consider)970 6864 w 10 CW f (chmod\("/etc/passwd",0666\))1356 6864 w 10 R f ( is necessary to read directory)5 1188(. It)1 136 2 2856 6864 t 10 CW f (/etc)4205 6864 w 10 R f ( file)1 159(to find the)2 411 2 4470 6864 t 10 CW f (passwd)970 6984 w 10 R f ( is also necessary to read the inode of)8 1571(\(RD\). It)1 351 2 1365 6984 t 10 CW f (/etc/passwd)3322 6984 w 10 R f ( whether the)2 511(to determine)1 512 2 4017 6984 t ( permission is granted, the given)5 1359( If)1 128( \(i\).)1 156( is an implicit read)4 788( This)1 239(process has the right to change it.)6 1400 6 970 7104 t (mode is written into the inode \(W\()6 1382 1 970 7224 t 10 I f (f)2352 7224 w 10 R f ( the inode change date is set as a side effect.)10 1759(\)\). 
Finally)1 425 2 2380 7224 t cleartomark showpage saveobj restore %%EndPage: 8 8 %%Page: 9 9 /saveobj save def mark 9 pagesetup 10 R f (- 9 -)2 166 1 2797 480 t 10 S1 f ()720 840 w 720 840 m 100 build_rh 820 840 m 10 R f (To do)1 236 1 970 840 t 10 CW f (unlink\("/etc/passwd"\))1231 840 w 10 R f ( is necessary to read directory)5 1193(, it)1 106 2 2491 840 t 10 CW f (/etc)3816 840 w 10 R f (to find the file)3 572 1 4082 840 t 10 CW f (passwd)4680 840 w 10 R f ( inode of)2 371(\(RD, implied by WRD\) and to read the)7 1622 2 970 960 t 10 CW f (/etc/passwd)2996 960 w 10 R f (to determine whether the process)4 1351 1 3689 960 t ( the link count does not go to zero, the new count must be written and)15 2816( If)1 118( \(i\).)1 146(has the right to change it)5 990 4 970 1080 t ( the entry for)3 548( Finally)1 344(the inode change time updated \(W\).)5 1480 3 970 1200 t 10 CW f (passwd)3377 1200 w 10 R f ( deleted from directory)3 944(must be)1 324 2 3772 1200 t 10 CW f (/etc)970 1320 w 10 R f (and the modification and change times for)6 1686 1 1235 1320 t 10 CW f (/etc)2946 1320 w 10 R f (must be updated \(WRD\).)3 1004 1 3211 1320 t ( both security and per-)4 926( When)1 295( unaffected.)1 477(The behavior of system calls with no marks in the table is)11 2372 4 970 1476 t ( choose to return a)4 785( implementer may)2 753( An)1 185(missions are checked on a given file, security is checked first.)10 2597 4 720 1596 t (search permission error encountered early in a path even if a security error would occur later in the path.)18 4163 1 720 1716 t 10 B f ( of system calls)3 635(3.1.1. 
Table)1 520 2 720 1956 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 2072 t (_ ____________________________________________________________________________)1 3819 1 970 2092 t 10 R f ( Notes)1 801( Checks)1 968( Data)1 622(System Priv)1 1243 4 1020 2212 t (call flows)1 1882 1 1020 2332 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 2342 t (_ ____________________________________________________________________________)1 3819 1 970 2362 t (\347)970 2352 w (\347)970 2292 w (\347)970 2192 w (\347)2432 2352 w (\347)2432 2292 w (\347)2432 2192 w (\347)3151 2352 w (\347)3151 2292 w (\347)3151 2192 w (\347)4261 2352 w (\347)4261 2292 w (\347)4261 2192 w (\347)4789 2352 w (\347)4789 2292 w (\347)4789 2192 w 10 R f (access\()1020 2472 w 10 I f (f)1307 2472 w 10 R f (,)1359 2472 w 10 I f (m)1392 2472 w 10 R f (\) RD\()1 1934 1 1464 2472 t 10 I f (f)3398 2472 w 10 R f (\) i)1 938 1 3426 2472 t (acct\()1020 2592 w 10 I f (f)1213 2592 w 10 R f (\) Cap)1 964 1 1241 2592 t 7 R f (log)2216 2612 w 10 R f (RD\()3226 2592 w 10 I f (f)3398 2592 w 10 R f ( \2473.5.1)1 275(\) i)1 938 2 3426 2592 t (alarm\()1020 2712 w 10 I f (n)1280 2712 w 10 R f (\))1330 2712 w (biasclock\()1020 2832 w 10 I f (n)1430 2832 w 10 R f (\) \2473.5.17)1 3156 1 1480 2832 t (brk\()1020 2952 w 10 I f (n)1186 2952 w 10 R f (\))1236 2952 w 10 I f (p)2861 2952 w 10 S f (\256)2919 2952 w 10 I f (u)3026 2952 w 10 S f (_ ____________________________________________________________________________)1 3819 1 970 2972 t 10 R f (chdir\()1020 3092 w 10 I f (f)1258 3092 w 10 R f (\) RD\()1 1729 1 1286 3092 t 10 I f (f)3015 3092 w 10 R f (\) iu)1 261 1 3043 3092 t (chmod\()1020 3212 w 10 I f (f)1325 3212 w 10 R f (,)1377 3212 w 10 I f (m)1410 3212 w 10 R f (\))1482 3212 w 10 I f (p)2875 3212 w 10 S f (\256)2933 3212 w 10 I f (f)3048 3212 w 10 R f (RD\()3226 3212 w 10 I f (f)3398 3212 w 10 R f (\),W\()3426 3212 w 10 I 
f (f)3611 3212 w 10 R f ( \2473.5.2)1 275(\) i)1 725 2 3639 3212 t (chown\()1020 3332 w 10 I f (f)1319 3332 w 10 R f (,)1371 3332 w 10 I f (n)1404 3332 w 7 R f (1)1465 3352 w 10 R f (,)1516 3332 w 10 I f (n)1549 3332 w 7 R f (2)1610 3352 w 10 R f (\))1653 3332 w 10 I f (p)2875 3332 w 10 S f (\256)2933 3332 w 10 I f (f)3048 3332 w 10 R f (RD\()3226 3332 w 10 I f (f)3398 3332 w 10 R f (\),W\()3426 3332 w 10 I f (f)3611 3332 w 10 R f (\))3639 3332 w (chroot X)1 3388 1 1020 3452 t (close\()1020 3572 w 10 I f (d)1258 3572 w 10 R f ( \2473.5.4)1 275(\) u)1 3078 2 1308 3572 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 3592 t 10 R f (creat\()1020 3712 w 10 I f (f)1246 3712 w 10 R f (,)1298 3712 w 10 I f (m)1331 3712 w 10 R f (\))1403 3712 w 10 I f (p)2875 3712 w 10 S f (\256)2933 3712 w 10 I f (f)3048 3712 w 10 R f (P\()3226 3712 w 10 I f (f)3315 3712 w 10 R f (\),WRD\()3343 3712 w 10 I f (f)3667 3712 w 10 R f ( \2473.5.5)1 275(\) iu)1 719 2 3695 3712 t (dirread\()1020 3832 w 10 I f (d)1335 3832 w 10 R f (\))1385 3832 w 10 I f (f)2867 3832 w 10 S f (\256)2919 3832 w 10 I f (p)3026 3832 w 10 R f (READ\()3226 3832 w 10 I f (d)3531 3832 w 10 R f ( \2473.5.13)1 325(\) i)1 783 2 3581 3832 t ([)2780 3952 w 10 I f (f)2837 3952 w 10 S f (\256)2889 3952 w 10 I f (s)2996 3952 w 10 R f (])3043 3952 w ([)2790 4072 w 10 I f (s)2831 4072 w 10 S f (\256)2878 4072 w 10 I f (p)2985 4072 w 10 R f (])3043 4072 w (dup\()1020 4192 w 10 I f (d)1203 4192 w 10 R f ( \2473.5.6)1 275(\) u)1 3133 2 1253 4192 t (dup2\()1020 4312 w 10 I f (d)1253 4312 w 7 R f (1)1314 4332 w 10 R f (,)1365 4312 w 10 I f (d)1398 4312 w 7 R f (2)1459 4332 w 10 R f ( \2473.5.6)1 275(\) u)1 2884 2 1502 4312 t (exec\()1020 4432 w 10 I f (f)1235 4432 w 10 R f (,)1287 4432 w 10 I f (a)1320 4432 w 10 R f (\))1370 4432 w 10 I f (p)2861 4432 w 10 S f (\256)2919 4432 w 10 I f (q)3026 4432 w 10 R f (RD\()3226 4432 w 10 I f (f)3398 4432 w 10 R f ( \2473.5.7)1 275(\) iup)1 
1038 2 3426 4432 t 10 I f (f)2867 4552 w 10 S f (\256)2919 4552 w 10 I f (q)3026 4552 w (u)2507 4672 w 10 R f (\()2565 4672 w 10 I f (p)2606 4672 w 10 R f (\))2664 4672 w 10 S f (\256)2713 4672 w 10 I f (u)2820 4672 w 10 R f (\()2878 4672 w 10 I f (q)2919 4672 w 10 R f (\))2977 4672 w 10 I f (*)3026 4672 w 10 S f (_ ____________________________________________________________________________)1 3819 1 970 4692 t 10 R f (exec\()1020 4812 w 10 I f (f)1235 4812 w 10 R f (, 0\))1 116 1 1287 4812 t 10 I f (f)2867 4812 w 10 S f (\256)2919 4812 w 10 I f (q)3026 4812 w 10 R f (RD\()3226 4812 w 10 I f (f)3398 4812 w 10 R f ( \2473.5.7)1 275(\) iup)1 1038 2 3426 4812 t 10 I f (u)2507 4932 w 10 R f (\()2565 4932 w 10 I f (p)2606 4932 w 10 R f (\))2664 4932 w 10 S f (\256)2713 4932 w 10 I f (u)2820 4932 w 10 R f (\()2878 4932 w 10 I f (q)2919 4932 w 10 R f (\))2977 4932 w 10 I f (*)3026 4932 w 10 R f (exit\()1020 5052 w 10 I f (v)1203 5052 w 10 R f ( \2473.5.22)1 325(\) p)1 3139 2 1247 5052 t (fchmod\()1020 5172 w 10 I f (d)1358 5172 w 10 R f (,)1416 5172 w 10 I f (m)1449 5172 w 10 R f (\))1521 5172 w 10 I f (p)2875 5172 w 10 S f (\256)2933 5172 w 10 I f (f)3048 5172 w 10 R f (W\()3226 5172 w 10 I f (f)3353 5172 w 10 R f (\))3381 5172 w (fchown\()1020 5292 w 10 I f (d)1352 5292 w 10 R f (,)1410 5292 w 10 I f (n)1443 5292 w 7 R f (1)1504 5312 w 10 R f (,)1555 5292 w 10 I f (n)1588 5292 w 7 R f (2)1649 5312 w 10 R f (\))1692 5292 w 10 I f (p)2875 5292 w 10 S f (\256)2933 5292 w 10 I f (f)3048 5292 w 10 R f (W\()3226 5292 w 10 I f (f)3353 5292 w 10 R f (\))3381 5292 w (fgetflab\()1020 5412 w 10 I f (d)1363 5412 w 10 R f (,)1421 5412 w 10 I f (l)1454 5412 w 10 R f (\))1482 5412 w 10 I f (f)2867 5412 w 10 S f (\256)2919 5412 w 10 I f (p)3026 5412 w 10 R f (R\()3226 5412 w 10 I f (f)3326 5412 w 10 R f (\) \2473.6.2)1 1232 1 3354 5412 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 5432 t 10 R f (fmount\()1020 5552 w 10 I f (n)1342 
5552 w 7 R f (1)1403 5572 w 10 R f (,)1454 5552 w 10 I f (d)1487 5552 w 10 R f (,)1545 5552 w 10 I f (f)1586 5552 w 10 R f (,)1638 5552 w 10 I f (n)1671 5552 w 7 R f (2)1732 5572 w 10 R f (\) Cap)1 388 1 1775 5552 t 7 R f (extern)2174 5572 w 10 I f (p)2875 5552 w 10 S f (\256)2933 5552 w 10 I f (f)3048 5552 w 10 R f (RD\()3226 5552 w 10 I f (f)3398 5552 w 10 R f (\),W\()3426 5552 w 10 I f (f)3611 5552 w 10 R f ( \2473.5.8)1 275(\) i)1 725 2 3639 5552 t (fmount5\()1020 5672 w 10 I f (n)1392 5672 w 10 R f (,)1450 5672 w 10 I f (d)1483 5672 w 10 R f (,)1541 5672 w 10 I f (f)1582 5672 w 10 R f (,)1634 5672 w 10 I f (n)1667 5672 w 10 R f (,)1725 5672 w 10 I f (c)1758 5672 w 10 R f (\) Cap)1 361 1 1802 5672 t 7 R f (extern)2174 5692 w 10 I f (p)2824 5672 w 10 S f (- >)1 126 1 2898 5672 t 10 I f (f)3048 5672 w 10 R f (RD\()3226 5672 w 10 I f (f)3398 5672 w 10 R f (\),W\()3426 5672 w 10 I f (f)3611 5672 w 10 R f ( \2473.5.8)1 275(\) i)1 725 2 3639 5672 t (fork\(\))1020 5792 w 10 I f (u)2573 5792 w 10 R f (\()2631 5792 w 10 I f (p)2672 5792 w 10 R f (\))2730 5792 w 10 S f (\256)2779 5792 w 10 I f (u)2886 5792 w 10 R f (\()2944 5792 w 10 I f (q)2985 5792 w 10 R f (\) up)1 1393 1 3043 5792 t (fsetflab\()1020 5912 w 10 I f (d)1352 5912 w 10 R f (,)1410 5912 w 10 I f (l)1443 5912 w 10 R f (\))1471 5912 w 10 I f (p)2875 5912 w 10 S f (\256)2933 5912 w 10 I f (f)3048 5912 w 10 R f (\2473.6.6)4336 5912 w (fstat\()1020 6032 w 10 I f (d)1225 6032 w 10 R f (,)1283 6032 w 10 I f (b)1316 6032 w 10 R f (\))1366 6032 w 10 I f (f)2867 6032 w 10 S f (\256)2919 6032 w 10 I f (p)3026 6032 w 10 R f (R\()4336 6032 w 10 I f (f)4436 6032 w 10 R f (\))4464 6032 w 10 S f (_ ____________________________________________________________________________)1 3819 1 970 6052 t 10 R f (ftime\()1020 6172 w 10 I f (b)1264 6172 w 10 R f (\))1314 6172 w (funmount\()1020 6292 w 10 I f (f)1442 6292 w 10 R f (\))1470 6292 w 10 I f (p)2875 6292 w 10 S f (\256)2933 6292 w 10 I f (f)3048 6292 w 10 R f (RD\()3226 
6292 w 10 I f (f)3398 6292 w 10 R f (\),W\()3426 6292 w 10 I f (f)3611 6292 w 10 R f (\))3639 6292 w (getegid\(\))1020 6412 w 10 I f (u)2861 6412 w 10 S f (\256)2919 6412 w 10 I f (p)3026 6412 w 10 R f (geteuid\(\))1020 6532 w 10 I f (u)2861 6532 w 10 S f (\256)2919 6532 w 10 I f (p)3026 6532 w 10 R f (getflab\()1020 6652 w 10 I f (f)1330 6652 w 10 R f (,)1382 6652 w 10 I f (l)1415 6652 w 10 R f (\))1443 6652 w 10 I f (f)2867 6652 w 10 S f (\256)2919 6652 w 10 I f (p)3026 6652 w 10 R f (RD\()3226 6652 w 10 I f (f)3398 6652 w 10 R f (\),R\()3426 6652 w 10 I f (f)3584 6652 w 10 R f (\) \2473.6.2)1 974 1 3612 6652 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 6672 t 10 R f (getgid\(\))1020 6792 w 10 I f (u)2861 6792 w 10 S f (\256)2919 6792 w 10 I f (p)3026 6792 w 10 R f (getgroups\()1020 6912 w 10 I f (n)1447 6912 w 10 R f (,)1505 6912 w 10 I f (b)1538 6912 w 10 R f (\) X)1 2820 1 1588 6912 t (getlogname\()1020 7032 w 10 I f (b)1519 7032 w 10 R f (\))1569 7032 w 10 I f (u)2861 7032 w 10 S f (\256)2919 7032 w 10 I f (p)3026 7032 w 10 R f (getpgrp\()1020 7152 w 10 I f (p)1358 7152 w 10 R f (\))1408 7152 w 10 I f (u)2803 7152 w 10 S f (\256)2861 7152 w 10 I f (p *)1 108 1 2968 7152 t 10 R f (getpid\(\))1020 7272 w 10 I f (u)2861 7272 w 10 S f (\256)2919 7272 w 10 I f (p)3026 7272 w 10 S f (\347)970 7272 w (\347)970 7172 w (\347)970 7072 w (\347)970 6972 w (\347)970 6872 w (\347)970 6772 w (\347)970 6672 w (\347)970 6572 w (\347)970 6472 w (\347)970 6372 w (\347)970 6272 w (\347)970 6172 w (\347)970 6072 w (\347)970 5972 w (\347)970 5872 w (\347)970 5772 w (\347)970 5672 w (\347)970 5572 w (\347)970 5472 w (\347)970 5372 w (\347)970 5272 w (\347)970 5172 w (\347)970 5072 w (\347)970 4972 w (\347)970 4872 w (\347)970 4772 w (\347)970 4672 w (\347)970 4572 w (\347)970 4472 w (\347)970 4372 w (\347)970 4272 w (\347)970 4172 w (\347)970 4072 w (\347)970 3972 w (\347)970 3872 w (\347)970 3772 w (\347)970 3672 w (\347)970 
3572 w (\347)970 3472 w (\347)970 3372 w (\347)970 3272 w (\347)970 3172 w (\347)970 3072 w (\347)970 2972 w (\347)970 2872 w (\347)970 2772 w (\347)970 2672 w (\347)970 2572 w (\347)970 2472 w (\347)2432 7272 w (\347)2432 7172 w (\347)2432 7072 w (\347)2432 6972 w (\347)2432 6872 w (\347)2432 6772 w (\347)2432 6672 w (\347)2432 6572 w (\347)2432 6472 w (\347)2432 6372 w (\347)2432 6272 w (\347)2432 6172 w (\347)2432 6072 w (\347)2432 5972 w (\347)2432 5872 w (\347)2432 5772 w (\347)2432 5672 w (\347)2432 5572 w (\347)2432 5472 w (\347)2432 5372 w (\347)2432 5272 w (\347)2432 5172 w (\347)2432 5072 w (\347)2432 4972 w (\347)2432 4872 w (\347)2432 4772 w (\347)2432 4672 w (\347)2432 4572 w (\347)2432 4472 w (\347)2432 4372 w (\347)2432 4272 w (\347)2432 4172 w (\347)2432 4072 w (\347)2432 3972 w (\347)2432 3872 w (\347)2432 3772 w (\347)2432 3672 w (\347)2432 3572 w (\347)2432 3472 w (\347)2432 3372 w (\347)2432 3272 w (\347)2432 3172 w (\347)2432 3072 w (\347)2432 2972 w (\347)2432 2872 w (\347)2432 2772 w (\347)2432 2672 w (\347)2432 2572 w (\347)2432 2472 w (\347)3151 7272 w (\347)3151 7172 w (\347)3151 7072 w (\347)3151 6972 w (\347)3151 6872 w (\347)3151 6772 w (\347)3151 6672 w (\347)3151 6572 w (\347)3151 6472 w (\347)3151 6372 w (\347)3151 6272 w (\347)3151 6172 w (\347)3151 6072 w (\347)3151 5972 w (\347)3151 5872 w (\347)3151 5772 w (\347)3151 5672 w (\347)3151 5572 w (\347)3151 5472 w (\347)3151 5372 w (\347)3151 5272 w (\347)3151 5172 w (\347)3151 5072 w (\347)3151 4972 w (\347)3151 4872 w (\347)3151 4772 w (\347)3151 4672 w (\347)3151 4572 w (\347)3151 4472 w (\347)3151 4372 w (\347)3151 4272 w (\347)3151 4172 w (\347)3151 4072 w (\347)3151 3972 w (\347)3151 3872 w (\347)3151 3772 w (\347)3151 3672 w (\347)3151 3572 w (\347)3151 3472 w (\347)3151 3372 w (\347)3151 3272 w (\347)3151 3172 w (\347)3151 3072 w (\347)3151 2972 w (\347)3151 2872 w (\347)3151 2772 w (\347)3151 2672 w (\347)3151 2572 w (\347)3151 2472 w (\347)4261 7272 w (\347)4261 7172 w 
(\347)4261 7072 w (\347)4261 6972 w (\347)4261 6872 w (\347)4261 6772 w (\347)4261 6672 w (\347)4261 6572 w (\347)4261 6472 w (\347)4261 6372 w (\347)4261 6272 w (\347)4261 6172 w (\347)4261 6072 w (\347)4261 5972 w (\347)4261 5872 w (\347)4261 5772 w (\347)4261 5672 w (\347)4261 5572 w (\347)4261 5472 w (\347)4261 5372 w (\347)4261 5272 w (\347)4261 5172 w (\347)4261 5072 w (\347)4261 4972 w (\347)4261 4872 w (\347)4261 4772 w (\347)4261 4672 w (\347)4261 4572 w (\347)4261 4472 w (\347)4261 4372 w (\347)4261 4272 w (\347)4261 4172 w (\347)4261 4072 w (\347)4261 3972 w (\347)4261 3872 w (\347)4261 3772 w (\347)4261 3672 w (\347)4261 3572 w (\347)4261 3472 w (\347)4261 3372 w (\347)4261 3272 w (\347)4261 3172 w (\347)4261 3072 w (\347)4261 2972 w (\347)4261 2872 w (\347)4261 2772 w (\347)4261 2672 w (\347)4261 2572 w (\347)4261 2472 w (\347)4789 7272 w (\347)4789 7172 w (\347)4789 7072 w (\347)4789 6972 w (\347)4789 6872 w (\347)4789 6772 w (\347)4789 6672 w (\347)4789 6572 w (\347)4789 6472 w (\347)4789 6372 w (\347)4789 6272 w (\347)4789 6172 w (\347)4789 6072 w (\347)4789 5972 w (\347)4789 5872 w (\347)4789 5772 w (\347)4789 5672 w (\347)4789 5572 w (\347)4789 5472 w (\347)4789 5372 w (\347)4789 5272 w (\347)4789 5172 w (\347)4789 5072 w (\347)4789 4972 w (\347)4789 4872 w (\347)4789 4772 w (\347)4789 4672 w (\347)4789 4572 w (\347)4789 4472 w (\347)4789 4372 w (\347)4789 4272 w (\347)4789 4172 w (\347)4789 4072 w (\347)4789 3972 w (\347)4789 3872 w (\347)4789 3772 w (\347)4789 3672 w (\347)4789 3572 w (\347)4789 3472 w (\347)4789 3372 w (\347)4789 3272 w (\347)4789 3172 w (\347)4789 3072 w (\347)4789 2972 w (\347)4789 2872 w (\347)4789 2772 w (\347)4789 2672 w (\347)4789 2572 w (\347)4789 2472 w cleartomark showpage saveobj restore %%EndPage: 9 9 %%Page: 10 10 /saveobj save def mark 10 pagesetup 10 R f (- 10 -)2 216 1 2772 480 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 740 t (_ 
____________________________________________________________________________)1 3819 1 970 760 t 10 R f ( Notes)1 801( Checks)1 968( Data)1 622(System Priv)1 1243 4 1020 880 t (call flows)1 1882 1 1020 1000 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 1010 t (_ ____________________________________________________________________________)1 3819 1 970 1030 t (\347)970 1020 w (\347)970 960 w (\347)970 860 w (\347)2432 1020 w (\347)2432 960 w (\347)2432 860 w (\347)3151 1020 w (\347)3151 960 w (\347)3151 860 w (\347)4261 1020 w (\347)4261 960 w (\347)4261 860 w (\347)4789 1020 w (\347)4789 960 w (\347)4789 860 w (_ ____________________________________________________________________________)1 3819 1 970 1040 t 10 R f (getplab\()1020 1160 w 10 I f (l)1347 1160 w 10 R f (,)1383 1160 w 10 I f (c)1416 1160 w 10 R f (\) RS\()1 1922 1 1460 1160 t 10 I f (C)3382 1160 w 10 R f (\()3457 1160 w 10 I f (p)3498 1160 w 10 R f (\)\) \2473.6.3)1 1030 1 3556 1160 t (getppid\(\))1020 1280 w 10 I f (u)2861 1280 w 10 S f (\256)2919 1280 w 10 I f (p)3026 1280 w 10 R f (getuid\(\))1020 1400 w 10 I f (u)2861 1400 w 10 S f (\256)2919 1400 w 10 I f (p)3026 1400 w 10 R f (ioctl\()1020 1520 w 10 I f (d)1231 1520 w 10 R f (,)1289 1520 w 10 I f (n)1322 1520 w 10 R f (,)1380 1520 w 10 I f (b)1413 1520 w 10 R f ( P\()1 239(\) various)1 1613 2 1463 1520 t 10 I f (f)3315 1520 w 10 R f (\),etc. 
\2473.7)1 1168 1 3343 1520 t (kill\()1020 1640 w 10 I f (q)1187 1640 w 10 R f (,)1245 1640 w 10 I f (n)1278 1640 w 10 R f (\) [)1 1484 1 1328 1640 t 10 I f (p)2820 1640 w 10 S f (\256)2878 1640 w 10 I f (q)2985 1640 w 10 R f ( \2473.5.16)1 325(] p)1 1343 2 3043 1640 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 1660 t 10 R f (labmount\()1020 1780 w 10 I f (d)1431 1780 w 10 R f (,)1489 1780 w 10 I f (l)1522 1780 w 10 R f (\))1550 1780 w 10 I f (f)2867 1780 w 10 S f (\256)2919 1780 w 10 I f (p)3026 1780 w 10 R f (\2473.6.4)4336 1780 w (link\()1020 1900 w 10 I f (f)1209 1900 w 7 R f (1 ,)1 58 1 1248 1920 t 10 I f (f)1330 1900 w 7 R f (2)1369 1920 w 10 R f (\) [)1 1360 1 1412 1900 t 10 I f (p)2780 1900 w 10 S f (\256)2838 1900 w 10 I f (f)2953 1900 w 7 R f (1)2992 1920 w 10 R f (] RD\()1 355 1 3043 1900 t 10 I f (f)3398 1900 w 7 R f (1)3437 1920 w 10 R f (\),WRD\()3480 1900 w 10 I f (f)3804 1900 w 7 R f (2)3843 1920 w 10 R f (\),W\()3886 1900 w 10 I f (f)4071 1900 w 7 R f (1)4110 1920 w 10 R f (\))4153 1900 w (lock\()1020 2020 w 10 I f (n)1225 2020 w 10 R f (\) u)1 3111 1 1275 2020 t (lseek\()1020 2140 w 10 I f (d)1258 2140 w 10 R f (,)1316 2140 w 10 I f (n)1349 2140 w 7 R f (1)1410 2160 w 10 R f (,)1461 2140 w 10 I f (n)1494 2140 w 7 R f (2)1555 2160 w 10 R f (\))1598 2140 w 10 I f (p)2872 2140 w 10 S f (\256)2930 2140 w 10 I f (s)3037 2140 w 10 R f (P\()3226 2140 w 10 I f (f)3315 2140 w 10 R f (\),WS\()3343 2140 w 10 I f (d)3584 2140 w 10 R f (\),RS\()3634 2140 w 10 I f (d)3848 2140 w 10 R f (\) \2473.5.10)1 738 1 3898 2140 t 10 I f (s)2872 2260 w 10 S f (\256)2919 2260 w 10 I f (p)3026 2260 w 10 R f (lstat\()1020 2380 w 10 I f (f)1220 2380 w 10 R f (,)1272 2380 w 10 I f (b)1305 2380 w 10 R f (\))1355 2380 w 10 I f (f)2867 2380 w 10 S f (\256)2919 2380 w 10 I f (p)3026 2380 w 10 R f (RD\()3226 2380 w 10 I f (f)3398 2380 w 10 R f (\),R\()3426 2380 w 10 I f (f)3584 2380 w 10 R f (\))3612 2380 w 10 S f (_ 
____________________________________________________________________________)1 3819 1 970 2400 t 10 R f (mkdir\()1020 2520 w 10 I f (f)1292 2520 w 10 R f (,)1344 2520 w 10 I f (m)1377 2520 w 10 R f (\))1449 2520 w 10 I f (p)2801 2520 w 10 S f (\256)2859 2520 w 10 I f (f *)1 102 1 2974 2520 t 10 R f (WRD\()3226 2520 w 10 I f (f)3492 2520 w 10 R f (\) \2473.5.11)1 1116 1 3520 2520 t (mknod\()1020 2640 w 10 I f (f)1331 2640 w 10 R f (,)1383 2640 w 10 I f (m)1416 2640 w 10 R f (,)1496 2640 w 10 I f (b)1529 2640 w 10 R f (\))1579 2640 w 10 I f (p)2801 2640 w 10 S f (\256)2859 2640 w 10 I f (f *)1 102 1 2974 2640 t 10 R f (WRD\()3226 2640 w 10 I f (f)3492 2640 w 10 R f (\) \2473.5.11)1 1116 1 3520 2640 t (nap\()1020 2760 w 10 I f (n)1197 2760 w 10 R f (\))1247 2760 w (nice\()1020 2880 w 10 I f (n)1219 2880 w 10 R f ( \2473.5.12)1 325(\) u)1 3117 2 1269 2880 t (nochk\()1020 3000 w 10 I f (d)1297 3000 w 10 R f (,)1355 3000 w 10 I f (m)1388 3000 w 10 R f (\) \2473.6.5)1 3126 1 1460 3000 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 3020 t 10 R f (open\()1020 3140 w 10 I f (f)1247 3140 w 10 R f (,)1299 3140 w 10 I f (n)1332 3140 w 10 R f (\) RD\()1 2016 1 1382 3140 t 10 I f (f)3398 3140 w 10 R f (\) iu)1 988 1 3426 3140 t (pause\(\) u)1 3366 1 1020 3260 t (pipe\(\) u)1 3366 1 1020 3380 t (profil\()1020 3500 w 10 I f (b)1275 3500 w 10 R f (,)1333 3500 w 10 I f (n)1366 3500 w 7 R f (1)1427 3520 w 10 R f (,)1478 3500 w 10 I f (n)1511 3500 w 7 R f (2)1572 3520 w 10 R f (,)1623 3500 w 10 I f (n)1656 3500 w 7 R f (3)1717 3520 w 10 R f (\))1760 3500 w (read\()1020 3620 w 10 I f (d)1224 3620 w 10 R f (,)1282 3620 w 10 I f (b)1315 3620 w 10 R f (,)1373 3620 w 10 I f (n)1406 3620 w 10 R f (\))1456 3620 w 10 I f (f)2867 3620 w 10 S f (\256)2919 3620 w 10 I f (p)3026 3620 w 10 R f (P\()3226 3620 w 10 I f (f)3315 3620 w 10 R f (\),READ\()3343 3620 w 10 I f (d)3706 3620 w 10 R f (\) \2473.5.13)1 880 1 3756 3620 t ([)2780 3740 w 10 I 
f (f)2837 3740 w 10 S f (\256)2889 3740 w 10 I f (s)2996 3740 w 10 R f (])3043 3740 w ([)2790 3860 w 10 I f (s)2831 3860 w 10 S f (\256)2878 3860 w 10 I f (p)2985 3860 w 10 R f (])3043 3860 w ([)2036 3980 w 10 I f (p)2077 3980 w 10 S f (\256)2135 3980 w 10 I f (s)2242 3980 w 10 R f (])2289 3980 w 10 S f (_ ____________________________________________________________________________)1 3819 1 970 4000 t 10 R f (readlink\()1020 4120 w 10 I f (f)1380 4120 w 10 R f (,)1432 4120 w 10 I f (b)1465 4120 w 10 R f (,)1523 4120 w 10 I f (n)1556 4120 w 10 R f (\))1606 4120 w 10 I f (f)2867 4120 w 10 S f (\256)2919 4120 w 10 I f (p)3026 4120 w 10 R f (RD\()3226 4120 w 10 I f (f)3398 4120 w 10 R f (\),R\()3426 4120 w 10 I f (f)3584 4120 w 10 R f (\))3612 4120 w (reboot\()1020 4240 w 10 I f (n)1308 4240 w 10 R f (\))1358 4240 w (rmdir\()1020 4360 w 10 I f (f)1275 4360 w 10 R f (\) WRD\()1 1712 1 1303 4360 t 10 I f (f)3015 4360 w 10 R f (\))3043 4360 w (seek\()1020 4480 w 10 I f (d)1230 4480 w 10 R f (,)1288 4480 w 10 I f (n)1321 4480 w 7 R f (1)1382 4500 w 10 R f (,)1433 4480 w 10 I f (n)1466 4480 w 7 R f (2)1527 4500 w 10 R f (\))1570 4480 w 10 I f (p)2872 4480 w 10 S f (\256)2930 4480 w 10 I f (s)3037 4480 w 10 R f (P\()3226 4480 w 10 I f (f)3315 4480 w 10 R f (\),WS\()3343 4480 w 10 I f (d)3584 4480 w 10 R f (\) \2473.5.14)1 1002 1 3634 4480 t (select\()1020 4600 w 10 I f (n)1280 4600 w 7 R f (1)1341 4620 w 10 R f (,)1392 4600 w 10 I f (b)1425 4600 w 7 R f (1)1486 4620 w 10 R f (,)1537 4600 w 10 I f (b)1570 4600 w 7 R f (2)1631 4620 w 10 R f (,)1682 4600 w 10 I f (n)1715 4600 w 7 R f (2)1776 4620 w 10 R f (\) \2473.5.15)1 2817 1 1819 4600 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 4620 t 10 R f (setflab\()1020 4740 w 10 I f (f)1319 4740 w 10 R f (,)1371 4740 w 10 I f (l)1404 4740 w 10 R f (\))1432 4740 w 10 I f (p)2875 4740 w 10 S f (\256)2933 4740 w 10 I f (f)3048 4740 w 10 R f (RD\()3226 4740 w 10 I f (f)3398 4740 w 
10 R f ( \2473.6.6)1 275(\) i)1 938 2 3426 4740 t (setgid\()1020 4860 w 10 I f (n)1292 4860 w 10 R f (\) Cap)1 833 1 1342 4860 t 7 R f (uarea)2186 4880 w 10 I f (p)2861 4860 w 10 S f (\256)2919 4860 w 10 I f (u)3026 4860 w 10 R f (setgroups\()1020 4980 w 10 I f (n)1436 4980 w 10 R f (,)1494 4980 w 10 I f (b)1527 4980 w 10 R f (\) X)1 1721 1 1577 4980 t (setlogname\()1020 5100 w 10 I f (b)1508 5100 w 10 R f (\) Cap)1 617 1 1558 5100 t 7 R f (uarea)2186 5120 w 10 I f (p)2861 5100 w 10 S f (\256)2919 5100 w 10 I f (u)3026 5100 w 10 R f (setpgrp\()1020 5220 w 10 I f (p)1347 5220 w 10 R f ( \2473.5.9)1 275( u)1 1755(, 0\))1 116 3 1405 5220 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 5240 t 10 R f (setpgrp\()1020 5360 w 10 I f (p)1347 5360 w 10 R f (,)1405 5360 w 10 I f (n)1438 5360 w 10 R f (\) Cap)1 687 1 1488 5360 t 7 R f (uarea)2186 5380 w 10 I f (p)2861 5360 w 10 S f (\256)2919 5360 w 10 I f (u)3026 5360 w 10 R f (\2473.5.9)4336 5360 w (setplab\()1020 5480 w 10 I f (l)1336 5480 w 10 R f (,)1372 5480 w 10 I f (c)1405 5480 w 10 R f ( \2473.6.7)1 275(\) u)1 2937 2 1449 5480 t (setruid\()1020 5600 w 10 I f (n)1325 5600 w 10 R f (\) Cap)1 800 1 1375 5600 t 7 R f (uarea)2186 5620 w 10 I f (p)2861 5600 w 10 S f (\256)2919 5600 w 10 I f (u)3026 5600 w 10 R f (up)4336 5600 w (setuid\()1020 5720 w 10 I f (n)1292 5720 w 10 R f (\) Cap)1 833 1 1342 5720 t 7 R f (uarea)2186 5740 w 10 I f (p)2861 5720 w 10 S f (\256)2919 5720 w 10 I f (u)3026 5720 w 10 R f (up)4336 5720 w (signal\()1020 5840 w 10 I f (n)1292 5840 w 10 R f (,)1350 5840 w 10 I f (g)1383 5840 w 10 R f ( \2473.5.16)1 325(\) u)1 2953 2 1433 5840 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 5860 t 10 R f (stat\()1020 5980 w 10 I f (f)1192 5980 w 10 R f (,)1244 5980 w 10 I f (b)1277 5980 w 10 R f (\))1327 5980 w 10 I f (f)2867 5980 w 10 S f (\256)2919 5980 w 10 I f (p)3026 5980 w 10 R f (RD\()3226 5980 w 10 
I f (f)3398 5980 w 10 R f (\),R\()3426 5980 w 10 I f (f)3584 5980 w 10 R f (\))3612 5980 w (stime\()1020 6100 w 10 I f (b)1270 6100 w 10 R f (\) \2473.5.17)1 3316 1 1320 6100 t (symlink\()1020 6220 w 10 I f (f)1376 6220 w 7 R f (1 ,)1 58 1 1415 6240 t 10 I f (f)1497 6220 w 7 R f (2)1536 6240 w 10 R f (\))1579 6220 w 10 I f (p)2821 6220 w 10 S f (\256)2879 6220 w 10 I f (f)2994 6220 w 7 R f (2)3033 6240 w 10 R f (WRD\()3226 6220 w 10 I f (f)3492 6220 w 10 R f (\),W\()3520 6220 w 10 I f (f)3705 6220 w 7 R f (2)3744 6240 w 10 R f (\) i)1 577 1 3787 6220 t (sync\(\))1020 6340 w (syslog\()1020 6460 w 10 I f (n)1309 6460 w 7 R f (1)1370 6480 w 10 R f (,)1421 6460 w 10 I f (n)1454 6460 w 7 R f (2)1515 6480 w 10 R f (,)1566 6460 w 10 I f (n)1599 6460 w 7 R f (3)1660 6480 w 10 R f (\) Cap)1 502 1 1703 6460 t 7 R f (log)2216 6480 w 10 R f (various \2473.6.8)1 1804 1 2782 6460 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 6480 t 10 R f (tell\()1020 6600 w 10 I f (d)1181 6600 w 10 R f (\))1231 6600 w 10 I f (s)2872 6600 w 10 S f (\256)2919 6600 w 10 I f (p)3026 6600 w 10 R f (RS\()3226 6600 w 10 I f (d)3382 6600 w 10 R f (\) \2473.5.18)1 1204 1 3432 6600 t (time\()1020 6720 w 10 I f (b)1231 6720 w 10 R f (\))1281 6720 w (times\()1020 6840 w 10 I f (b)1270 6840 w 10 R f (\) \2473.5.20)1 3316 1 1320 6840 t (umask\()1020 6960 w 10 I f (m)1314 6960 w 10 R f (\))1386 6960 w 10 I f (p)2861 6960 w 10 S f (\256)2919 6960 w 10 I f (u)3026 6960 w 10 R f (unlink\()1020 7080 w 10 I f (f)1309 7080 w 10 R f (\) [)1 1473 1 1337 7080 t 10 I f (p)2818 7080 w 10 S f (\256)2876 7080 w 10 I f (f)2991 7080 w 10 R f (] WRD\()1 449 1 3043 7080 t 10 I f (f)3492 7080 w 10 R f ( \2473.5.21)1 325(\) i)1 844 2 3520 7080 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 7100 t 10 R f (unsafe\()1020 7220 w 10 I f (n)1313 7220 w 10 R f (,)1371 7220 w 10 I f (b)1404 7220 w 7 R f (1)1465 7240 w 10 R f 
(,)1516 7220 w 10 I f (b)1549 7220 w 7 R f (2)1610 7240 w 10 R f (\) \2473.6.9)1 2933 1 1653 7220 t 10 S f (\347)970 7220 w (\347)970 7140 w (\347)970 7040 w (\347)970 6940 w (\347)970 6840 w (\347)970 6740 w (\347)970 6640 w (\347)970 6540 w (\347)970 6440 w (\347)970 6340 w (\347)970 6240 w (\347)970 6140 w (\347)970 6040 w (\347)970 5940 w (\347)970 5840 w (\347)970 5740 w (\347)970 5640 w (\347)970 5540 w (\347)970 5440 w (\347)970 5340 w (\347)970 5240 w (\347)970 5140 w (\347)970 5040 w (\347)970 4940 w (\347)970 4840 w (\347)970 4740 w (\347)970 4640 w (\347)970 4540 w (\347)970 4440 w (\347)970 4340 w (\347)970 4240 w (\347)970 4140 w (\347)970 4040 w (\347)970 3940 w (\347)970 3840 w (\347)970 3740 w (\347)970 3640 w (\347)970 3540 w (\347)970 3440 w (\347)970 3340 w (\347)970 3240 w (\347)970 3140 w (\347)970 3040 w (\347)970 2940 w (\347)970 2840 w (\347)970 2740 w (\347)970 2640 w (\347)970 2540 w (\347)970 2440 w (\347)970 2340 w (\347)970 2240 w (\347)970 2140 w (\347)970 2040 w (\347)970 1940 w (\347)970 1840 w (\347)970 1740 w (\347)970 1640 w (\347)970 1540 w (\347)970 1440 w (\347)970 1340 w (\347)970 1240 w (\347)970 1140 w (\347)2432 7220 w (\347)2432 7140 w (\347)2432 7040 w (\347)2432 6940 w (\347)2432 6840 w (\347)2432 6740 w (\347)2432 6640 w (\347)2432 6540 w (\347)2432 6440 w (\347)2432 6340 w (\347)2432 6240 w (\347)2432 6140 w (\347)2432 6040 w (\347)2432 5940 w (\347)2432 5840 w (\347)2432 5740 w (\347)2432 5640 w (\347)2432 5540 w (\347)2432 5440 w (\347)2432 5340 w (\347)2432 5240 w (\347)2432 5140 w (\347)2432 5040 w (\347)2432 4940 w (\347)2432 4840 w (\347)2432 4740 w (\347)2432 4640 w (\347)2432 4540 w (\347)2432 4440 w (\347)2432 4340 w (\347)2432 4240 w (\347)2432 4140 w (\347)2432 4040 w (\347)2432 3940 w (\347)2432 3840 w (\347)2432 3740 w (\347)2432 3640 w (\347)2432 3540 w (\347)2432 3440 w (\347)2432 3340 w (\347)2432 3240 w (\347)2432 3140 w (\347)2432 3040 w (\347)2432 2940 w (\347)2432 2840 w (\347)2432 2740 w (\347)2432 
2640 w (\347)2432 2540 w (\347)2432 2440 w (\347)2432 2340 w (\347)2432 2240 w (\347)2432 2140 w (\347)2432 2040 w (\347)2432 1940 w (\347)2432 1840 w (\347)2432 1740 w (\347)2432 1640 w (\347)2432 1540 w (\347)2432 1440 w (\347)2432 1340 w (\347)2432 1240 w (\347)2432 1140 w (\347)3151 7220 w (\347)3151 7140 w (\347)3151 7040 w (\347)3151 6940 w (\347)3151 6840 w (\347)3151 6740 w (\347)3151 6640 w (\347)3151 6540 w (\347)3151 6440 w (\347)3151 6340 w (\347)3151 6240 w (\347)3151 6140 w (\347)3151 6040 w (\347)3151 5940 w (\347)3151 5840 w (\347)3151 5740 w (\347)3151 5640 w (\347)3151 5540 w (\347)3151 5440 w (\347)3151 5340 w (\347)3151 5240 w (\347)3151 5140 w (\347)3151 5040 w (\347)3151 4940 w (\347)3151 4840 w (\347)3151 4740 w (\347)3151 4640 w (\347)3151 4540 w (\347)3151 4440 w (\347)3151 4340 w (\347)3151 4240 w (\347)3151 4140 w (\347)3151 4040 w (\347)3151 3940 w (\347)3151 3840 w (\347)3151 3740 w (\347)3151 3640 w (\347)3151 3540 w (\347)3151 3440 w (\347)3151 3340 w (\347)3151 3240 w (\347)3151 3140 w (\347)3151 3040 w (\347)3151 2940 w (\347)3151 2840 w (\347)3151 2740 w (\347)3151 2640 w (\347)3151 2540 w (\347)3151 2440 w (\347)3151 2340 w (\347)3151 2240 w (\347)3151 2140 w (\347)3151 2040 w (\347)3151 1940 w (\347)3151 1840 w (\347)3151 1740 w (\347)3151 1640 w (\347)3151 1540 w (\347)3151 1440 w (\347)3151 1340 w (\347)3151 1240 w (\347)3151 1140 w (\347)4261 7220 w (\347)4261 7140 w (\347)4261 7040 w (\347)4261 6940 w (\347)4261 6840 w (\347)4261 6740 w (\347)4261 6640 w (\347)4261 6540 w (\347)4261 6440 w (\347)4261 6340 w (\347)4261 6240 w (\347)4261 6140 w (\347)4261 6040 w (\347)4261 5940 w (\347)4261 5840 w (\347)4261 5740 w (\347)4261 5640 w (\347)4261 5540 w (\347)4261 5440 w (\347)4261 5340 w (\347)4261 5240 w (\347)4261 5140 w (\347)4261 5040 w (\347)4261 4940 w (\347)4261 4840 w (\347)4261 4740 w (\347)4261 4640 w (\347)4261 4540 w (\347)4261 4440 w (\347)4261 4340 w (\347)4261 4240 w (\347)4261 4140 w (\347)4261 4040 w (\347)4261 
3940 w (\347)4261 3840 w (\347)4261 3740 w (\347)4261 3640 w (\347)4261 3540 w (\347)4261 3440 w (\347)4261 3340 w (\347)4261 3240 w (\347)4261 3140 w (\347)4261 3040 w (\347)4261 2940 w (\347)4261 2840 w (\347)4261 2740 w (\347)4261 2640 w (\347)4261 2540 w (\347)4261 2440 w (\347)4261 2340 w (\347)4261 2240 w (\347)4261 2140 w (\347)4261 2040 w (\347)4261 1940 w (\347)4261 1840 w (\347)4261 1740 w (\347)4261 1640 w (\347)4261 1540 w (\347)4261 1440 w (\347)4261 1340 w (\347)4261 1240 w (\347)4261 1140 w (\347)4789 7220 w (\347)4789 7140 w (\347)4789 7040 w (\347)4789 6940 w (\347)4789 6840 w (\347)4789 6740 w (\347)4789 6640 w (\347)4789 6540 w (\347)4789 6440 w (\347)4789 6340 w (\347)4789 6240 w (\347)4789 6140 w (\347)4789 6040 w (\347)4789 5940 w (\347)4789 5840 w (\347)4789 5740 w (\347)4789 5640 w (\347)4789 5540 w (\347)4789 5440 w (\347)4789 5340 w (\347)4789 5240 w (\347)4789 5140 w (\347)4789 5040 w (\347)4789 4940 w (\347)4789 4840 w (\347)4789 4740 w (\347)4789 4640 w (\347)4789 4540 w (\347)4789 4440 w (\347)4789 4340 w (\347)4789 4240 w (\347)4789 4140 w (\347)4789 4040 w (\347)4789 3940 w (\347)4789 3840 w (\347)4789 3740 w (\347)4789 3640 w (\347)4789 3540 w (\347)4789 3440 w (\347)4789 3340 w (\347)4789 3240 w (\347)4789 3140 w (\347)4789 3040 w (\347)4789 2940 w (\347)4789 2840 w (\347)4789 2740 w (\347)4789 2640 w (\347)4789 2540 w (\347)4789 2440 w (\347)4789 2340 w (\347)4789 2240 w (\347)4789 2140 w (\347)4789 2040 w (\347)4789 1940 w (\347)4789 1840 w (\347)4789 1740 w (\347)4789 1640 w (\347)4789 1540 w (\347)4789 1440 w (\347)4789 1340 w (\347)4789 1240 w (\347)4789 1140 w cleartomark showpage saveobj restore %%EndPage: 10 10 %%Page: 11 11 /saveobj save def mark 11 pagesetup 10 R f (- 11 -)2 216 1 2772 480 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 740 t (_ ____________________________________________________________________________)1 3819 1 970 760 t 10 R f ( Notes)1 801( 
Checks)1 968( Data)1 622(System Priv)1 1243 4 1020 880 t (call flows)1 1882 1 1020 1000 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 1010 t (_ ____________________________________________________________________________)1 3819 1 970 1030 t (\347)970 1020 w (\347)970 960 w (\347)970 860 w (\347)2432 1020 w (\347)2432 960 w (\347)2432 860 w (\347)3151 1020 w (\347)3151 960 w (\347)3151 860 w (\347)4261 1020 w (\347)4261 960 w (\347)4261 860 w (\347)4789 1020 w (\347)4789 960 w (\347)4789 860 w 10 R f (utime\()1020 1140 w 10 I f (f)1281 1140 w 10 R f (,)1333 1140 w 10 I f (b)1366 1140 w 10 R f (\))1416 1140 w 10 I f (p)2875 1140 w 10 S f (\256)2933 1140 w 10 I f (f)3048 1140 w 10 R f (RD\()3226 1140 w 10 I f (f)3398 1140 w 10 R f (\),W\()3426 1140 w 10 I f (f)3611 1140 w 10 R f (\))3639 1140 w (vadvise\()1020 1260 w 10 I f (n)1358 1260 w 10 R f (\))1408 1260 w (vlimit\()1020 1380 w 10 I f (d)1293 1380 w 10 R f (,)1351 1380 w 10 I f (n)1384 1380 w 7 R f (1)1445 1400 w 10 R f (,)1496 1380 w 10 I f (n)1529 1380 w 7 R f (2)1590 1400 w 10 R f (\) Cap)1 542 1 1633 1380 t 7 R f (uarea)2186 1400 w 10 I f (p)2861 1380 w 10 S f (\256)2919 1380 w 10 I f (u)3026 1380 w 10 R f (vswapon\()1020 1500 w 10 I f (f)1408 1500 w 10 R f (\) \2473.5.19)1 3200 1 1436 1500 t 10 S f (_ ____________________________________________________________________________)1 3819 1 970 1520 t 10 R f (vtimes\()1020 1640 w 10 I f (b)1320 1640 w 7 R f (1)1381 1660 w 10 R f (,)1432 1640 w 10 I f (b)1465 1640 w 7 R f (2)1526 1660 w 10 R f (\) sys)1 592 1 1569 1640 t 10 S f (\256)2161 1640 w 10 I f (p)2276 1640 w 10 R f (wait\()1020 1760 w 10 I f (b)1225 1760 w 10 R f (\))1275 1760 w 10 I f (q)2861 1760 w 10 S f (\256)2919 1760 w 10 I f (p)3026 1760 w 10 R f (u \2473.5.22)1 375 1 4336 1760 t (write\()1020 1880 w 10 I f (d)1258 1880 w 10 R f (,)1316 1880 w 10 I f (b)1349 1880 w 10 R f (,)1407 1880 w 10 I f (n)1440 1880 w 10 R f (\))1490 1880 w 10 I f 
(p)2875 1880 w 10 S f (\256)2933 1880 w 10 I f (f)3048 1880 w 10 R f (P\()3226 1880 w 10 I f (f)3315 1880 w 10 R f (\),WRITE\()3343 1880 w 10 I f (d)3750 1880 w 10 R f (\),W\()3800 1880 w 10 I f (f)3985 1880 w 10 R f (\) \2473.5.23)1 623 1 4013 1880 t ([)2790 2000 w 10 I f (p)2831 2000 w 10 S f (\256)2889 2000 w 10 I f (s)2996 2000 w 10 R f (])3043 2000 w ([)2788 2120 w 10 I f (s)2829 2120 w 10 S f (\256)2876 2120 w 10 I f (f)2991 2120 w 10 R f (])3043 2120 w 10 S f ( \347)1 -3819(_ ____________________________________________________________________________)1 3819 2 970 2140 t (\347)970 2040 w (\347)970 1940 w (\347)970 1840 w (\347)970 1740 w (\347)970 1640 w (\347)970 1540 w (\347)970 1440 w (\347)970 1340 w (\347)970 1240 w (\347)970 1140 w (\347)2432 2140 w (\347)2432 2040 w (\347)2432 1940 w (\347)2432 1840 w (\347)2432 1740 w (\347)2432 1640 w (\347)2432 1540 w (\347)2432 1440 w (\347)2432 1340 w (\347)2432 1240 w (\347)2432 1140 w (\347)3151 2140 w (\347)3151 2040 w (\347)3151 1940 w (\347)3151 1840 w (\347)3151 1740 w (\347)3151 1640 w (\347)3151 1540 w (\347)3151 1440 w (\347)3151 1340 w (\347)3151 1240 w (\347)3151 1140 w (\347)4261 2140 w (\347)4261 2040 w (\347)4261 1940 w (\347)4261 1840 w (\347)4261 1740 w (\347)4261 1640 w (\347)4261 1540 w (\347)4261 1440 w (\347)4261 1340 w (\347)4261 1240 w (\347)4261 1140 w (\347)4789 2140 w (\347)4789 2040 w (\347)4789 1940 w (\347)4789 1840 w (\347)4789 1740 w (\347)4789 1640 w (\347)4789 1540 w (\347)4789 1440 w (\347)4789 1340 w (\347)4789 1240 w (\347)4789 1140 w 10 B f ( check computations)2 872(3.1.2. 
Standard)1 676 2 720 2440 t 10 R f (Security checks enforce)2 956 1 970 2596 t 10 I f (critical inequalities)1 783 1 1953 2596 t 10 R f ( by the ``Data flow'' column of)6 1276(among labels as required)3 1001 2 2763 2596 t ( pointer)1 309( inequality need not be checked if it is overridden by privilege, if it involves a seek)16 3341( An)1 174(table \2473.1.1.)1 496 4 720 2716 t ( bits, or)2 305( knowledge may be obtained from safe)6 1552( Such)1 250(in a stream, or if its truth is implied by side knowledge.)11 2213 4 720 2836 t (from the partial transitivity of)4 1188 1 720 2956 t 10 S f (\243)1933 2956 w 10 R f (and the invariants)2 710 1 2013 2956 t 10 I f (L)1220 3536 w 10 R f (\()1284 3536 w 10 I f (s)1325 3536 w 10 R f (\))1372 3536 w 10 S f (\316)1454 3536 w 10 HB f (L)1566 3536 w 10 R f ( the seek pointer is defined)5 1073(, if)1 127 2 1635 3536 t 10 I f (C)1220 3396 w 10 R f (\()1295 3396 w 10 I f (p)1336 3396 w 10 R f (\))1394 3396 w 10 S f (\316)1476 3396 w 10 HB f (L)1588 3396 w 10 I f (L)1220 3256 w 10 R f (\()1284 3256 w 10 I f (p)1325 3256 w 10 R f (\))1383 3256 w 10 S f (\316)1465 3256 w 10 HB f (L)1577 3256 w 10 I f (L)1220 3116 w 10 R f (\()1284 3116 w 10 I f (p)1325 3116 w 10 R f (\))1383 3116 w 10 S f (\243)1465 3116 w 10 I f (C)1561 3116 w 10 R f (\()1636 3116 w 10 I f (p)1677 3116 w 10 R f (\))1735 3116 w 10 B f (3.1.3. READ\()1 591 1 720 3816 t 10 I f (d)1311 3816 w 10 B f (\): Check for the read system call)6 1380 1 1361 3816 t 10 R f (Let file descriptor)2 715 1 720 3972 t 10 I f (d)1460 3972 w 10 R f (name \()1 274 1 1535 3972 t 10 I f (p)1817 3972 w 10 R f (,)1875 3972 w 10 I f (s)1932 3972 w 10 R f (,)1979 3972 w 10 I f (f)2044 3972 w 10 R f ( critical inequalities are)3 934(\). 
The)1 263 2 2096 3972 t 10 I f (L)1220 4972 w 10 R f (\()1284 4972 w 10 I f (p)1325 4972 w 10 R f (\))1383 4972 w 10 S f (\243)1465 4972 w 10 I f (L)1561 4972 w 10 R f (\()1625 4972 w 10 I f (s)1666 4972 w 10 R f (\))1713 4972 w 10 I f (L)1220 4832 w 10 R f (\()1284 4832 w 10 I f (s)1325 4832 w 10 R f (\))1372 4832 w 10 S f (\243)1454 4832 w 10 I f (C)1550 4832 w 10 R f (\()1625 4832 w 10 I f (p)1666 4832 w 10 R f (\))1724 4832 w 10 I f (L)1220 4692 w 10 R f (\()1284 4692 w 10 I f (s)1325 4692 w 10 R f (\))1372 4692 w 10 S f (\243)1454 4692 w 10 I f (L)1550 4692 w 10 R f (\()1614 4692 w 10 I f (p)1655 4692 w 10 R f (\))1713 4692 w 10 I f (L)1220 4552 w 10 R f (\()1284 4552 w 10 I f (f)1341 4552 w 10 R f (\))1393 4552 w 10 S f (\243)1475 4552 w 10 I f (C)1571 4552 w 10 R f (\()1646 4552 w 10 I f (p)1687 4552 w 10 R f (\))1745 4552 w 10 I f (L)1220 4412 w 10 R f (\()1284 4412 w 10 I f (f)1341 4412 w 10 R f (\))1393 4412 w 10 S f (\243)1475 4412 w 10 I f (L)1571 4412 w 10 R f (\()1635 4412 w 10 I f (p)1676 4412 w 10 R f (\))1734 4412 w 10 I f (L)1220 4272 w 10 R f (\()1284 4272 w 10 I f (f)1341 4272 w 10 R f (\))1393 4272 w 10 S f (\243)1475 4272 w 10 I f (L)1571 4272 w 10 R f (\()1635 4272 w 10 I f (s)1676 4272 w 10 R f (\))1723 4272 w 10 I f (L)1220 4132 w 10 R f (\()1284 4132 w 10 I f (f)1341 4132 w 10 R f (\))1393 4132 w 10 S f (\243)1475 4132 w 10 I f (C)1571 4132 w 10 R f (\()1646 4132 w 10 I f (f)1703 4132 w 10 R f (\))1755 4132 w 10 S1 f ()720 5168 w 720 5168 m 100 build_rh 820 5168 m 10 R f ( from the observation that reading entails direct flow)8 2110(Seek pointer inequalities follow)3 1274 2 970 5168 t 10 I f (f)4380 5168 w 10 S f (\256)4465 5168 w 10 I f (p)4605 5168 w 10 R f (\(the bits\))1 359 1 4681 5168 t (and covert flows [)3 723 1 970 5288 t 10 I f (s)1701 5288 w 10 S f (\256)1781 5288 w 10 I f (p)1921 5288 w 10 R f (] \(which bits\), [)3 621 1 1979 5288 t 10 I f (p)2608 5288 w 10 S f (\256)2699 5288 w 10 I f (s)2839 5288 w 10 R f (] \(how many\) and 
[)4 770 1 2886 5288 t 10 I f (f)3680 5288 w 10 S f (\256)3765 5288 w 10 I f (s)3905 5288 w 10 R f (] \(at end of file\).)4 656 1 3952 5288 t (Do the following check as each block of data is copied to user space.)13 2749 1 720 5444 t (Let)970 5600 w 10 I f (M)1128 5600 w 10 S f (=)1260 5600 w 10 R f (sup \()1 180 1 1364 5600 t 10 I f (L)1552 5600 w 10 R f (\()1616 5600 w 10 I f (p)1657 5600 w 10 R f (\) ,)1 74 1 1715 5600 t 10 I f (L)1821 5600 w 10 R f (\()1885 5600 w 10 I f (s)1926 5600 w 10 R f (\) ,)1 74 1 1973 5600 t 10 I f (L)2079 5600 w 10 R f (\()2143 5600 w 10 I f (f)2200 5600 w 10 R f (\) \).)1 99 1 2252 5600 t (If)970 5756 w 10 I f (d)1061 5756 w 10 R f (is marked safe-to-read the check succeeds.)5 1699 1 1136 5756 t (Otherwise, if Cap)2 707 1 970 5912 t 7 R f (nochk)1688 5932 w 10 R f (\()1875 5912 w 10 I f (p)1916 5912 w 10 R f (\) and)1 202 1 1974 5912 t 10 I f (d)2201 5912 w 10 R f (is marked exempt the check succeeds.)5 1518 1 2276 5912 t (Otherwise, if the critical inequalities hold the check succeeds.)8 2467 1 970 6068 t (Otherwise, if)1 521 1 970 6224 t 10 I f (L)1516 6224 w 10 R f (\()1580 6224 w 10 I f (f)1637 6224 w 10 R f (\))1689 6224 w 10 S f (\243)1771 6224 w 10 I f (/ C)1 149 1 1785 6224 t 10 R f (\()1942 6224 w 10 I f (f)1999 6224 w 10 R f (\) then)1 230 1 2051 6224 t 10 B f (error)2306 6224 w 10 R f (.)2532 6224 w (Otherwise, if)1 521 1 970 6380 t 10 I f (M)1516 6380 w 10 S f (\243)1640 6380 w 10 I f (/ C)1 149 1 1654 6380 t 10 R f (\()1811 6380 w 10 I f (p)1852 6380 w 10 R f (\) then)1 230 1 1910 6380 t 10 B f (error)2165 6380 w 10 R f (.)2391 6380 w (Otherwise, if)1 521 1 970 6536 t 10 I f (L)1516 6536 w 10 R f (\()1580 6536 w 10 I f (p)1621 6536 w 10 R f (\))1679 6536 w 10 S f (\271)1761 6536 w 10 I f (M)1857 6536 w 10 R f (and)1965 6536 w 10 I f (F)2134 6536 w 10 R f (\()2203 6536 w 10 I f (p)2244 6536 w 10 R f (\))2302 6536 w 10 S f (\271)2384 6536 w 10 B f (loose)2480 6536 w 10 R f (then)2716 6536 w 10 B f (error)2913 6536 w 10 R f 
(.)3139 6536 w (Otherwise, establish the critical inequalities:)4 1773 1 970 6692 t (If)1220 6848 w 10 I f (L)1311 6848 w 10 R f (\()1375 6848 w 10 I f (p)1416 6848 w 10 R f (\))1474 6848 w 10 S f (\271)1556 6848 w 10 I f (M)1652 6848 w 10 R f (set)1760 6848 w 10 I f (L)1896 6848 w 10 R f (\()1960 6848 w 10 I f (p)2001 6848 w 10 R f (\) :)1 110 1 2059 6848 t 10 S f (=)2185 6848 w 10 I f (M)2289 6848 w 10 R f (and propagate with CHP\()3 1018 1 2397 6848 t 10 I f (p)3415 6848 w 10 R f (\), \2473.2.1.)1 358 1 3465 6848 t (If)1220 7004 w 10 I f (L)1311 7004 w 10 R f (\()1375 7004 w 10 I f (s)1416 7004 w 10 R f (\))1463 7004 w 10 S f (\271)1545 7004 w 10 I f (M)1641 7004 w 10 R f (set)1749 7004 w 10 I f (L)1885 7004 w 10 R f (\()1949 7004 w 10 I f (s)1990 7004 w 10 R f (\) :)1 110 1 2037 7004 t 10 S f (=)2163 7004 w 10 I f (M)2267 7004 w 10 R f (and propagate with CHS\()3 1018 1 2375 7004 t 10 I f (s)3393 7004 w 10 R f (\), \2473.2.3.)1 358 1 3432 7004 t (If no error occurred mark)4 1012 1 720 7160 t 10 I f (d)1757 7160 w 10 R f (safe-to-read.)1832 7160 w cleartomark showpage saveobj restore %%EndPage: 11 11 %%Page: 12 12 /saveobj save def mark 12 pagesetup 10 R f (- 12 -)2 216 1 2772 480 t 10 B f (3.1.4. WRITE\()1 653 1 720 840 t 10 I f (d)1373 840 w 10 B f (\): Check for the write system call)6 1407 1 1423 840 t 10 R f (Let file descriptor)2 721 1 720 996 t 10 I f (d)1469 996 w 10 R f (name \()1 277 1 1547 996 t 10 I f (p)1832 996 w 10 R f (,)1890 996 w 10 I f (s)1947 996 w 10 R f (,)1994 996 w 10 I f (f)2059 996 w 10 R f ( streams,)1 359(\). For)1 250 2 2111 996 t 10 I f (s)2749 996 w 10 R f (doesn't matter; we suppose)3 1102 1 2817 996 t 10 I f (L)3948 996 w 10 R f (\()4012 996 w 10 I f (s)4053 996 w 10 R f (\))4100 996 w 10 S f (=)4190 996 w 10 I f (L)4294 996 w 10 R f (\()4358 996 w 10 I f (f)4415 996 w 10 R f ( critical)1 306(\). 
The)1 267 2 4467 996 t (inequalities are)1 607 1 720 1116 t 10 I f (L)1080 1296 w 10 R f (\()1144 1296 w 10 I f (p)1185 1296 w 10 R f (\))1243 1296 w 10 S f (\243)1325 1296 w 10 I f (C)1421 1296 w 10 R f (\()1496 1296 w 10 I f (f)1553 1296 w 10 R f (\))1605 1296 w 10 I f (L)1080 1416 w 10 R f (\()1144 1416 w 10 I f (s)1185 1416 w 10 R f (\))1232 1416 w 10 S f (\243)1314 1416 w 10 I f (C)1410 1416 w 10 R f (\()1485 1416 w 10 I f (f)1542 1416 w 10 R f (\))1594 1416 w 10 I f (L)1080 1536 w 10 R f (\()1144 1536 w 10 I f (f)1201 1536 w 10 R f (\))1253 1536 w 10 S f (\243)1335 1536 w 10 I f (C)1431 1536 w 10 R f (\()1506 1536 w 10 I f (p)1547 1536 w 10 R f (\))1605 1536 w 10 I f (L)1080 1656 w 10 R f (\()1144 1656 w 10 I f (s)1185 1656 w 10 R f (\))1232 1656 w 10 S f (\243)1314 1656 w 10 I f (L)1410 1656 w 10 R f (\()1474 1656 w 10 I f (f)1531 1656 w 10 R f (\))1583 1656 w 10 I f (L)1080 1776 w 10 R f (\()1144 1776 w 10 I f (s)1185 1776 w 10 R f (\))1232 1776 w 10 S f (\243)1314 1776 w 10 I f (C)1410 1776 w 10 R f (\()1485 1776 w 10 I f (p)1526 1776 w 10 R f (\))1584 1776 w 10 I f (L)1080 1896 w 10 R f (\()1144 1896 w 10 I f (p)1185 1896 w 10 R f (\))1243 1896 w 10 S f (\243)1325 1896 w 10 I f (L)1421 1896 w 10 R f (\()1485 1896 w 10 I f (s)1526 1896 w 10 R f (\))1573 1896 w 10 I f (L)1080 2016 w 10 R f (\()1144 2016 w 10 I f (p)1185 2016 w 10 R f (\))1243 2016 w 10 S f (\243)1325 2016 w 10 I f (L)1421 2016 w 10 R f (\()1485 2016 w 10 I f (f)1542 2016 w 10 R f (\))1594 2016 w 10 S1 f ()720 2232 w 720 2232 m 100 build_rh 820 2232 m 10 R f ( follow from the observation that writing entails direct flows)9 2552(Seek pointer inequalities)2 1016 2 970 2232 t 10 I f (p)4578 2232 w 10 S f (\256)4669 2232 w 10 I f (f)4817 2232 w 10 R f (\(the)4885 2232 w (bits\) and covert flows [)4 938 1 970 2352 t 10 I f (s)1916 2352 w 10 S f (\256)1996 2352 w 10 I f (f)2144 2352 w 10 R f (] \(which bits\) and [)4 777 1 2196 2352 t 10 I f (p)2981 2352 w 10 S f (\256)3072 2352 w 10 I f (s)3212 
2352 w 10 R f ( Inequality)1 457( many\).)1 307(] \(how)1 266 3 3259 2352 t 10 I f (L)4316 2352 w 10 R f (\()4380 2352 w 10 I f (s)4421 2352 w 10 R f (\))4468 2352 w 10 S f (\243)4550 2352 w 10 I f (C)4646 2352 w 10 R f (\()4721 2352 w 10 I f (p)4762 2352 w 10 R f (\) pre-)1 220 1 4820 2352 t (vents)970 2472 w 10 I f (p)1206 2472 w 10 R f (from interfering with a higher process through a shared seek pointer.)10 2741 1 1281 2472 t (Do the following check as each block of data is copied out of user space.)14 2907 1 720 2628 t (Let)970 2784 w 10 I f (M)1128 2784 w 10 S f (=)1260 2784 w 10 R f (sup \()1 180 1 1364 2784 t 10 I f (L)1552 2784 w 10 R f (\()1616 2784 w 10 I f (p)1657 2784 w 10 R f (\) ,)1 74 1 1715 2784 t 10 I f (L)1821 2784 w 10 R f (\()1885 2784 w 10 I f (s)1926 2784 w 10 R f (\) ,)1 74 1 1973 2784 t 10 I f (L)2079 2784 w 10 R f (\()2143 2784 w 10 I f (f)2200 2784 w 10 R f ( and)1 169(\) \))1 74 2 2252 2784 t 10 I f (C)2520 2784 w 10 S f (=)2636 2784 w 10 R f (inf \()1 152 1 2740 2784 t 10 I f (C)2900 2784 w 10 R f (\()2975 2784 w 10 I f (p)3016 2784 w 10 R f (\) ,)1 74 1 3074 2784 t 10 I f (C)3180 2784 w 10 R f (\()3255 2784 w 10 I f (f)3312 2784 w 10 R f (\) \).)1 99 1 3364 2784 t (If)970 2940 w 10 I f (d)1061 2940 w 10 R f (is marked safe-to-write the check succeeds.)5 1733 1 1136 2940 t (Otherwise, if)1 521 1 970 3096 t 10 I f (T)1516 3096 w 10 R f (\()1580 3096 w 10 I f (f)1637 3096 w 10 R f (\) then)1 230 1 1689 3096 t 10 B f (error)1944 3096 w 10 R f (.)2170 3096 w (Otherwise, if Cap)2 707 1 970 3252 t 7 R f (nochk)1688 3272 w 10 R f (\()1875 3252 w 10 I f (p)1916 3252 w 10 R f (\) and)1 202 1 1974 3252 t 10 I f (d)2201 3252 w 10 R f (is marked exempt the check succeeds.)5 1518 1 2276 3252 t (Otherwise, if the critical inequalities hold the check succeeds.)8 2467 1 970 3408 t (Otherwise, if)1 521 1 970 3564 t 10 I f (M)1516 3564 w 10 S f (\243)1640 3564 w 10 I f (/ C)1 149 1 1654 3564 t 10 R f (then)1828 3564 w 10 B f (error)2025 3564 w 10 R f 
(.)2251 3564 w (Otherwise, if)1 521 1 970 3720 t 10 I f (f)1516 3720 w 10 R f (is the process file for process)5 1161 1 1569 3720 t 10 I f (q)2755 3720 w 10 R f (and)2830 3720 w 10 I f (M)2999 3720 w 10 S f (\243)3123 3720 w 10 I f (/ L)1 138 1 3137 3720 t 10 R f (\()3283 3720 w 10 I f (q)3324 3720 w 10 R f (\) then)1 230 1 3382 3720 t 10 B f (error)3637 3720 w 10 R f (.)3863 3720 w (Otherwise, if)1 521 1 970 3876 t 10 I f (M)1516 3876 w 10 S f (\243)1640 3876 w 10 I f (/ L)1 138 1 1654 3876 t 10 R f (\()1800 3876 w 10 I f (f)1857 3876 w 10 R f (\) and)1 202 1 1909 3876 t 10 I f (F)2136 3876 w 10 R f (\()2205 3876 w 10 I f (f)2262 3876 w 10 R f (\))2314 3876 w 10 S f (\271)2396 3876 w 10 B f (loose)2492 3876 w 10 R f (then)2728 3876 w 10 B f (error)2925 3876 w 10 R f (.)3151 3876 w (Otherwise, establish the critical inequalities:)4 1773 1 970 4032 t (If)1220 4188 w 10 I f (L)1311 4188 w 10 R f (\()1375 4188 w 10 I f (p)1416 4188 w 10 R f (\))1474 4188 w 10 S f (\243)1556 4188 w 10 I f (/ L)1 138 1 1570 4188 t 10 R f (\()1716 4188 w 10 I f (s)1757 4188 w 10 R f (\) set)1 169 1 1804 4188 t 10 I f (L)1998 4188 w 10 R f (\()2062 4188 w 10 I f (s)2103 4188 w 10 R f (\) :)1 110 1 2150 4188 t 10 S f (=)2276 4188 w 10 R f (sup \()1 180 1 2380 4188 t 10 I f (L)2568 4188 w 10 R f (\()2632 4188 w 10 I f (p)2673 4188 w 10 R f (\) ,)1 74 1 2731 4188 t 10 I f (L)2837 4188 w 10 R f (\()2901 4188 w 10 I f (s)2942 4188 w 10 R f ( and propagate with CHS\()4 1043(\) \))1 74 2 2989 4188 t 10 I f (s)4106 4188 w 10 R f (\), \2473.2.3.)1 358 1 4145 4188 t (If)1220 4344 w 10 I f (L)1311 4344 w 10 R f (\()1375 4344 w 10 I f (f)1432 4344 w 10 R f (\))1484 4344 w 10 S f (\271)1566 4344 w 10 I f (M)1662 4344 w 10 R f (set)1770 4344 w 10 I f (L)1906 4344 w 10 R f (\()1970 4344 w 10 I f (f)2027 4344 w 10 R f (\) :)1 110 1 2079 4344 t 10 S f (=)2205 4344 w 10 I f (M)2309 4344 w 10 R f (and propagate with CHF\()3 1018 1 2417 4344 t 10 I f (f)3435 4344 w 10 R f (\), \2473.2.2.)1 358 1 3463 4344 t 
(On error, raise signal)3 842 1 720 4500 t 10 CW f (SIGPIPE)1587 4500 w 10 R f (.)2007 4500 w (Otherwise, mark)1 665 1 720 4656 t 10 I f (d)1410 4656 w 10 R f (safe-to-write.)1485 4656 w 10 S1 f ()720 4812 w 720 4812 m 100 build_rh 820 4812 m 10 R f (Some of the complexity of the check arises from the possibility that)11 2706 1 970 4812 t 10 I f (L)3701 4812 w 10 R f (\()3765 4812 w 10 I f (f)3822 4812 w 10 R f (\))3874 4812 w 10 S f (=)3964 4812 w 10 B f (y)4068 4812 w 10 R f (.)4118 4812 w 10 S1 f ()720 4968 w 720 4968 m 100 build_rh 820 4968 m 10 CW f (SIGPIPE)970 4968 w 10 R f ( stops processes when their)4 1119( as with broken pipes, it)5 990( Just)1 213(has nothing to do with security.)5 1296 4 1422 4968 t (output is unexpectedly being thrown away.)5 1720 1 970 5088 t 10 S1 f ()720 5244 w 720 5244 m 100 build_rh 820 5244 m 10 I f (Write)970 5244 w 10 R f (calls may fail with)3 768 1 1226 5244 t 10 CW f (ELAB)2028 5244 w 10 R f (or)2302 5244 w 10 CW f (ECONC)2419 5244 w 10 R f (even though the corresponding)3 1261 1 2753 5244 t 10 I f (open)4049 5244 w 10 R f (calls succeed; pro-)2 762 1 4278 5244 t (grammers should always take care to check for)7 1875 1 970 5364 t 10 I f (write)2870 5364 w 10 R f (errors explicitly.)1 660 1 3101 5364 t 10 B f (3.1.5. 
R\()1 380 1 720 5604 t 10 I f (f)1100 5604 w 10 B f (\): Check for read-like calls on a file)7 1501 1 1128 5604 t 10 R f (The critical inequalities are)3 1089 1 720 5760 t 10 I f (L)1080 5940 w 10 R f (\()1144 5940 w 10 I f (f)1201 5940 w 10 R f (\))1253 5940 w 10 S f (\243)1335 5940 w 10 I f (C)1431 5940 w 10 R f (\()1506 5940 w 10 I f (f)1563 5940 w 10 R f (\))1615 5940 w 10 I f (L)1080 6060 w 10 R f (\()1144 6060 w 10 I f (f)1201 6060 w 10 R f (\))1253 6060 w 10 S f (\243)1335 6060 w 10 I f (L)1431 6060 w 10 R f (\()1495 6060 w 10 I f (p)1536 6060 w 10 R f (\))1594 6060 w 10 I f (L)1080 6180 w 10 R f (\()1144 6180 w 10 I f (p)1185 6180 w 10 R f (\))1243 6180 w 10 S f (\243)1325 6180 w 10 I f (C)1421 6180 w 10 R f (\()1496 6180 w 10 I f (p)1537 6180 w 10 R f (\))1595 6180 w (If Cap)1 252 1 720 6396 t 7 R f (nochk)983 6416 w 10 R f (\()1170 6396 w 10 I f (p)1211 6396 w 10 R f (\) the check succeeds.)3 841 1 1269 6396 t (Otherwise, if the critical inequalities hold the check succeeds.)8 2467 1 720 6552 t (Otherwise, if)1 521 1 720 6708 t 10 I f (L)1266 6708 w 10 R f (\()1330 6708 w 10 I f (f)1387 6708 w 10 R f (\))1439 6708 w 10 S f (\243)1521 6708 w 10 I f (/)1535 6708 w 10 S f (\245)1617 6708 w 10 R f (\()1698 6708 w 10 I f (C)1739 6708 w 10 R f (\()1814 6708 w 10 I f (f)1871 6708 w 10 R f (\) ,)1 74 1 1923 6708 t 10 I f (C)2029 6708 w 10 R f (\()2104 6708 w 10 I f (p)2145 6708 w 10 R f ( then)1 197(\) \))1 74 2 2203 6708 t 10 B f (error)2499 6708 w 10 R f (.)2725 6708 w (Otherwise, if)1 521 1 720 6864 t 10 I f (F)1266 6864 w 10 R f (\()1335 6864 w 10 I f (p)1376 6864 w 10 R f (\))1434 6864 w 10 S f (\271)1516 6864 w 10 B f (loose)1612 6864 w 10 R f (then)1848 6864 w 10 B f (error)2045 6864 w 10 R f (.)2271 6864 w (Otherwise, establish the critical inequalities:)4 1773 1 720 7020 t (Set)970 7176 w 10 I f (L)1123 7176 w 10 R f (\()1187 7176 w 10 I f (p)1228 7176 w 10 R f (\) :)1 110 1 1286 7176 t 10 S f (=)1412 7176 w 10 R f (sup \()1 180 1 1516 7176 t 10 I f 
(L)1704 7176 w 10 R f (\()1768 7176 w 10 I f (p)1809 7176 w 10 R f (\) ,)1 74 1 1867 7176 t 10 I f (L)1973 7176 w 10 R f (\()2037 7176 w 10 I f (f)2094 7176 w 10 R f ( and propagate with CHP\()4 1043(\) \))1 74 2 2146 7176 t 10 I f (p)3263 7176 w 10 R f (\), \2473.2.1.)1 358 1 3313 7176 t cleartomark showpage saveobj restore %%EndPage: 12 12 %%Page: 13 13 /saveobj save def mark 13 pagesetup 10 R f (- 13 -)2 216 1 2772 480 t 10 S1 f ()720 840 w 720 840 m 100 build_rh 820 840 m 10 R f ( the process is not cleared to read the object, raise the pro-)12 2343( If)1 118( overrides.)1 423(The capability to omit checks)4 1186 4 970 840 t (cess label.)1 410 1 970 960 t 10 B f (3.1.6. RS\()1 436 1 720 1200 t 10 I f (x)1156 1200 w 10 B f (\): Check for other read-like calls)5 1389 1 1200 1200 t 10 R f (If)720 1356 w 10 I f (x)811 1356 w 10 R f (is a file descriptor)3 718 1 880 1356 t 10 I f (d)1623 1356 w 10 R f (let)1698 1356 w 10 I f (s)1823 1356 w 10 R f (be)1887 1356 w 10 I f (s)2006 1356 w 10 R f (\()2053 1356 w 10 I f (d)2094 1356 w 10 R f (\).)2152 1356 w (Otherwise let)1 535 1 720 1512 t 10 I f (s)1280 1512 w 10 R f (be)1344 1512 w 10 I f (C)1463 1512 w 10 R f (\()1538 1512 w 10 I f (p)1579 1512 w 10 R f (\).)1637 1512 w (The critical inequalities are)3 1089 1 720 1668 t 10 I f (L)1080 1848 w 10 R f (\()1144 1848 w 10 I f (s)1185 1848 w 10 R f (\))1232 1848 w 10 S f (\243)1314 1848 w 10 I f (L)1410 1848 w 10 R f (\()1474 1848 w 10 I f (p)1515 1848 w 10 R f (\))1573 1848 w 10 I f (L)1080 1968 w 10 R f (\()1144 1968 w 10 I f (p)1185 1968 w 10 R f (\))1243 1968 w 10 S f (\243)1325 1968 w 10 I f (C)1421 1968 w 10 R f (\()1496 1968 w 10 I f (p)1537 1968 w 10 R f (\))1595 1968 w (If Cap)1 252 1 720 2184 t 7 R f (nochk)983 2204 w 10 R f (\()1170 2184 w 10 I f (p)1211 2184 w 10 R f (\) the check succeeds.)3 841 1 1269 2184 t (Otherwise, if)1 521 1 720 2340 t 10 I f (d)1266 2340 w 10 R f (is marked safe-to-read the check succeeds.)5 1699 1 1341 2340 t (Otherwise, if the 
critical inequalities hold the check succeeds.)8 2467 1 720 2496 t (Otherwise, if)1 521 1 720 2652 t 10 I f (L)1266 2652 w 10 R f (\()1330 2652 w 10 I f (s)1371 2652 w 10 R f (\))1418 2652 w 10 S f (\243)1500 2652 w 10 I f (/ C)1 149 1 1514 2652 t 10 R f (\()1671 2652 w 10 I f (p)1712 2652 w 10 R f (\) or)1 141 1 1770 2652 t 10 I f (F)1936 2652 w 10 R f (\()2005 2652 w 10 I f (p)2046 2652 w 10 R f (\))2104 2652 w 10 S f (\271)2186 2652 w 10 B f (loose)2282 2652 w 10 R f (then)2518 2652 w 10 B f (error)2715 2652 w 10 R f (.)2941 2652 w (Otherwise, establish the critical inequalities:)4 1773 1 720 2808 t (Set)970 2964 w 10 I f (L)1123 2964 w 10 R f (\()1187 2964 w 10 I f (p)1228 2964 w 10 R f (\) :)1 110 1 1286 2964 t 10 S f (=)1412 2964 w 10 R f (sup \()1 180 1 1516 2964 t 10 I f (L)1704 2964 w 10 R f (\()1768 2964 w 10 I f (p)1809 2964 w 10 R f (\) ,)1 74 1 1867 2964 t 10 I f (L)1973 2964 w 10 R f (\()2037 2964 w 10 I f (s)2078 2964 w 10 R f ( and propagate with CHP\()4 1043(\) \))1 74 2 2125 2964 t 10 I f (p)3242 2964 w 10 R f (\), \2473.2.1.)1 358 1 3292 2964 t 10 S1 f ()720 3120 w 720 3120 m 100 build_rh 820 3120 m 10 R f (This check is used only by)5 1118 1 970 3120 t 10 I f (lseek,)2124 3120 w 10 R f (\2473.5.10,)2384 3120 w 10 I f (tell,)2745 3120 w 10 R f (\2473.5.18, and)1 505 1 2934 3120 t 10 I f (getplab,)3475 3120 w 10 R f (\2473.6.3. For)1 476 1 3837 3120 t 10 I f (getplab)4350 3120 w 10 R f (the label)1 353 1 4687 3120 t 10 I f (L)970 3240 w 10 R f (\()1034 3240 w 10 I f (s)1075 3240 w 10 R f (\) is not the ceiling label)5 941 1 1122 3240 t 10 I f (C)2088 3240 w 10 R f (\()2163 3240 w 10 I f (p)2204 3240 w 10 R f (\), but is instead the label of the ceiling,)8 1554 1 2262 3240 t 10 I f (L)3841 3240 w 10 R f (\()3905 3240 w 10 I f (C)3946 3240 w 10 R f (\()4021 3240 w 10 I f (p)4062 3240 w 10 R f (\) \).)1 99 1 4120 3240 t 10 B f (3.1.7. 
W\()1 408 1 720 3480 t 10 I f (f)1128 3480 w 10 B f (\): Check for write-like calls on a file)7 1528 1 1156 3480 t 10 R f (The critical inequalities are)3 1089 1 720 3636 t 10 I f (L)1080 3816 w 10 R f (\()1144 3816 w 10 I f (p)1185 3816 w 10 R f (\))1243 3816 w 10 S f (\243)1325 3816 w 10 I f (C)1421 3816 w 10 R f (\()1496 3816 w 10 I f (f)1553 3816 w 10 R f (\))1605 3816 w 10 I f (L)1080 3936 w 10 R f (\()1144 3936 w 10 I f (f)1201 3936 w 10 R f (\))1253 3936 w 10 S f (\243)1335 3936 w 10 I f (C)1431 3936 w 10 R f (\()1506 3936 w 10 I f (p)1547 3936 w 10 R f (\))1605 3936 w 10 I f (L)1080 4056 w 10 R f (\()1144 4056 w 10 I f (p)1185 4056 w 10 R f (\))1243 4056 w 10 S f (\243)1325 4056 w 10 I f (L)1421 4056 w 10 R f (\()1485 4056 w 10 I f (f)1542 4056 w 10 R f (\))1594 4056 w (If)720 4272 w 10 I f (T)811 4272 w 10 R f (\()875 4272 w 10 I f (f)932 4272 w 10 R f (\) then)1 230 1 984 4272 t 10 B f (error)1239 4272 w 10 R f (.)1465 4272 w (Otherwise, if Cap)2 707 1 720 4428 t 7 R f (nochk)1438 4448 w 10 R f (\()1625 4428 w 10 I f (p)1666 4428 w 10 R f (\) the check succeeds.)3 841 1 1724 4428 t (Otherwise, if the critical inequalities hold the check succeeds.)8 2467 1 720 4584 t (Otherwise, if)1 521 1 720 4740 t 10 I f (f)1266 4740 w 10 R f (is the process file for process)5 1161 1 1319 4740 t 10 I f (q)2505 4740 w 10 R f (and)2580 4740 w 10 I f (L)2749 4740 w 10 R f (\()2813 4740 w 10 I f (p)2854 4740 w 10 R f (\))2912 4740 w 10 S f (\243)2994 4740 w 10 I f (/ L)1 138 1 3008 4740 t 10 R f (\()3154 4740 w 10 I f (q)3195 4740 w 10 R f (\) then)1 230 1 3253 4740 t 10 B f (error)3508 4740 w 10 R f (.)3734 4740 w (Otherwise, if)1 521 1 720 4896 t 10 I f (L)1266 4896 w 10 R f (\()1330 4896 w 10 I f (f)1387 4896 w 10 R f (\))1439 4896 w 10 S f (=)1529 4896 w 10 B f (n)1633 4896 w 10 R f (then)1714 4896 w 10 B f (error)1911 4896 w 10 R f (.)2137 4896 w (Otherwise, if)1 521 1 720 5052 t 10 I f (F)1266 5052 w 10 R f (\()1335 5052 w 10 I f (x)1376 5052 w 10 R f (\))1428 5052 w 
10 S f (\271)1510 5052 w 10 B f (loose)1606 5052 w 10 R f (then)1842 5052 w 10 B f (error)2039 5052 w 10 R f (.)2265 5052 w (Otherwise establish the critical inequalities:)4 1748 1 720 5208 t (Set)970 5364 w 10 I f (L)1123 5364 w 10 R f (\()1187 5364 w 10 I f (f)1244 5364 w 10 R f (\) :)1 110 1 1296 5364 t 10 S f (=)1422 5364 w 10 R f (sup \()1 180 1 1526 5364 t 10 I f (L)1714 5364 w 10 R f (\()1778 5364 w 10 I f (p)1819 5364 w 10 R f (\) ,)1 74 1 1877 5364 t 10 I f (L)1983 5364 w 10 R f (\()2047 5364 w 10 I f (f)2104 5364 w 10 R f ( and propagate with CHF\()4 1043(\) \))1 74 2 2156 5364 t 10 I f (f)3273 5364 w 10 R f (\), \2473.2.2.)1 358 1 3301 5364 t 10 S1 f ()720 5520 w 720 5520 m 100 build_rh 820 5520 m 10 R f (Do not alter trusted files \(except with a privileged)8 2007 1 970 5520 t 10 I f (setflab,)3004 5520 w 10 R f ( the file is not cleared to receive)7 1291(\2473.6.6\). If)1 426 2 3323 5520 t (from the process, attempt to raise the file label.)8 1880 1 970 5640 t 10 B f (3.1.8. 
WS\()1 464 1 720 5880 t 10 I f (d)1184 5880 w 10 B f (\): Check for write-like calls on a seek pointer)8 1914 1 1234 5880 t 10 R f (Let)720 6036 w 10 I f (s)878 6036 w 10 S f (=)966 6036 w 10 I f (s)1070 6036 w 10 R f (\()1117 6036 w 10 I f (d)1158 6036 w 10 R f (\).)1216 6036 w (The critical inequalities are)3 1089 1 720 6192 t 10 I f (L)1080 6372 w 10 R f (\()1144 6372 w 10 I f (s)1185 6372 w 10 R f (\))1232 6372 w 10 S f (\243)1314 6372 w 10 I f (C)1410 6372 w 10 R f (\()1485 6372 w 10 I f (p)1526 6372 w 10 R f (\))1584 6372 w 10 I f (L)1080 6492 w 10 R f (\()1144 6492 w 10 I f (p)1185 6492 w 10 R f (\))1243 6492 w 10 S f (\243)1325 6492 w 10 I f (L)1421 6492 w 10 R f (\()1485 6492 w 10 I f (s)1526 6492 w 10 R f (\))1573 6492 w (If)720 6708 w 10 I f (d)811 6708 w 10 R f (is marked safe-to-read the check succeeds.)5 1699 1 886 6708 t (Otherwise, if Cap)2 707 1 720 6864 t 7 R f (nochk)1438 6884 w 10 R f (\()1625 6864 w 10 I f (p)1666 6864 w 10 R f (\) and)1 202 1 1724 6864 t 10 I f (d)1951 6864 w 10 R f (is marked exempt the check succeeds.)5 1518 1 2026 6864 t (Otherwise, if the critical inequalities hold the check succeeds.)8 2467 1 720 7020 t (Otherwise, if the real value of)5 1241 1 720 7176 t 10 I f (L)1996 7176 w 10 R f (\()2060 7176 w 10 I f (s)2101 7176 w 10 R f (\))2148 7176 w 10 S f (=)2238 7176 w 10 R f (sup \()1 180 1 2342 7176 t 10 I f (L)2530 7176 w 10 R f (\()2594 7176 w 10 I f (p)2635 7176 w 10 R f (\) ,)1 74 1 2693 7176 t 10 I f (L)2799 7176 w 10 R f (\()2863 7176 w 10 I f (s)2904 7176 w 10 R f ( artificial value of)3 742( \(An)1 215( the check succeeds.)3 838(\) \))1 74 4 2951 7176 t 10 I f (L)4855 7176 w 10 R f (\()4919 7176 w 10 I f (s)4960 7176 w 10 R f (\))5007 7176 w (may have been considered, \2473.5.14.\))4 1463 1 720 7296 t cleartomark showpage saveobj restore %%EndPage: 13 13 %%Page: 14 14 /saveobj save def mark 14 pagesetup 10 R f (- 14 -)2 216 1 2772 480 t (Otherwise establish the critical inequalities:)4 1748 1 720 840 t (Set)970 996 
w 10 I f (L)1123 996 w 10 R f (\()1187 996 w 10 I f (s)1228 996 w 10 R f (\) :)1 110 1 1275 996 t 10 S f (=)1401 996 w 10 R f (sup \()1 180 1 1505 996 t 10 I f (L)1693 996 w 10 R f (\()1757 996 w 10 I f (p)1798 996 w 10 R f (\) ,)1 74 1 1856 996 t 10 I f (L)1962 996 w 10 R f (\()2026 996 w 10 I f (s)2067 996 w 10 R f ( and propagate with CHS\()4 1043(\) \))1 74 2 2114 996 t 10 I f (s)3231 996 w 10 R f (\), \2473.2.3.)1 358 1 3270 996 t 10 S1 f ()720 1152 w 720 1152 m 100 build_rh 820 1152 m 10 R f (This check is used only by)5 1063 1 970 1152 t 10 I f (lseek,)2058 1152 w 10 R f (\2473.5.10, and)1 494 1 2307 1152 t 10 I f (seek,)2826 1152 w 10 R f (\2473.5.14.)3047 1152 w 10 B f ( Interpret a file name)4 909(3.1.9. RD:)1 452 2 720 1392 t 10 R f (Let directories)1 582 1 720 1548 t 10 I f (f)1330 1548 w 7 I f (i)1369 1568 w 10 R f (,)1405 1548 w 10 I f (i)1462 1548 w 10 S f (=)1514 1548 w 10 R f (1 , 2 ,)3 174 1 1585 1548 t (. . .)2 125 1 1792 1523 t ( current directory is visited in trac-)6 1410( \(The)1 242( the pathname.)2 593(, be visited in tracing)4 853 4 1942 1548 t (ing a relative pathname.\))3 992 1 720 1668 t (For each)1 346 1 720 1824 t 10 I f (f)1091 1824 w 7 I f (i)1130 1844 w 10 R f (check R\()1 357 1 1183 1824 t 10 I f (f)1540 1824 w 7 I f (i)1579 1844 w 10 R f (\).)1607 1824 w (If the check fails then)4 864 1 970 1980 t 10 B f (error)1859 1980 w 10 R f (.)2085 1980 w (Otherwise, if)1 521 1 970 2136 t 10 I f (L)1516 2136 w 10 R f (\()1580 2136 w 10 I f (f)1637 2136 w 7 I f (i)1676 2156 w 10 R f (\))1712 2136 w 10 S f (\243)1794 2136 w 10 I f (/ C)1 149 1 1808 2136 t 10 R f (\()1965 2136 w 10 I f (f)2022 2136 w 7 I f (i)2061 2156 w 10 R f (\) then)1 230 1 2097 2136 t 10 B f (error)2352 2136 w 10 R f (.)2578 2136 w 10 S1 f ()720 2292 w 720 2292 m 100 build_rh 820 2292 m 10 R f ( it)1 89( However,)1 448( so the label check is something of a frill.)9 1720(Directory search does not involve data flow,)6 1813 4 970 2292 t ( above their ceilings.)3 868(stops a 
potential 150bps covert channel and prevents processes from peeking)10 3202 2 970 2412 t (\(Bit rates are explained at \2473.5.\))5 1283 1 970 2532 t 10 S1 f ()720 2688 w 720 2688 m 100 build_rh 820 2688 m 10 R f ( permissions, are not checked; the labels of the substituted)9 2451(The labels of symbolic links, like their)6 1619 2 970 2688 t (pathname suffice.)1 709 1 970 2808 t 10 B f ( Write in a directory)4 876(3.1.10. WRD:)1 602 2 720 3048 t 10 R f (Directories are written whenever entries are made or deleted.)8 2433 1 720 3204 t ( the directory as if it)5 832( the directory is blind, \2473.4.7, perform the W check for)10 2230( Unless)1 326(Perform the RD check.)3 932 4 720 3360 t (were a plain file being written.)5 1225 1 720 3480 t 10 S1 f ()720 3636 w 720 3636 m 100 build_rh 820 3636 m 10 R f (Although deleted entries are discernible only by processes authorized to read a directory, it would be)15 4070 1 970 3636 t (prudent to clear them.)3 876 1 970 3756 t 10 B f (3.1.11. P\()1 419 1 720 3996 t 10 I f (f)1139 3996 w 10 B f (\): Process-exclusive check)2 1097 1 1167 3996 t 10 R f (If)720 4152 w 10 I f (X)811 4152 w 10 R f (\()880 4152 w 10 I f (f)937 4152 w 10 R f (\))989 4152 w 10 S f (\271)1071 4152 w 10 B f (unpexed)1200 4152 w 10 R f (and)1587 4152 w 10 I f (p)1756 4152 w 10 S f (\271)1847 4152 w 10 I f (H)1943 4152 w 10 R f (\()2023 4152 w 10 I f (f)2080 4152 w 10 R f (\) then error)2 448 1 2132 4152 t 10 CW f (ECONC)2605 4152 w 10 R f (.)2905 4152 w (If)720 4308 w 10 I f (f)811 4308 w 10 R f (is one end of a pipe and)6 948 1 864 4308 t 10 I f (p)1837 4308 w 10 S f (=)1936 4308 w 10 I f (H)2040 4308 w 10 R f (\()2120 4308 w 10 I f (f)2177 4308 w 10 R f (\))2229 4308 w (If)970 4464 w 10 I f (X)1061 4464 w 10 R f (\()1130 4464 w 10 I f (f)1187 4464 w 10 R f (\))1239 4464 w 10 S f (=)1329 4464 w 10 B f (pexed)1433 4464 w 10 R f (and)1708 4464 w 10 I f (X)1877 4464 w 10 R f (\()1946 4464 w 10 I f (f)2003 4464 w 10 S f (\242)2053 4459 w 10 R f (\))2094 4464 w 
10 S f (\271)2176 4464 w 10 B f (pexed)2272 4464 w 10 R f (then error)1 390 1 2547 4464 t 10 CW f (ECONC)2962 4464 w 10 R f (.)3262 4464 w (If)970 4620 w 10 I f (X)1061 4620 w 10 R f (\()1130 4620 w 10 I f (f)1187 4620 w 10 R f (\))1239 4620 w 10 S f (=)1329 4620 w 10 B f (unpexing)1433 4620 w 10 R f (, then error)2 440 1 1829 4620 t 10 CW f (ECONC)2294 4620 w 10 R f (.)2594 4620 w 10 B f (3.1.12. Atomicity)1 746 1 720 4860 t 10 R f ( shall occur between making a security check and performing the action that the)13 3359(No label changes)2 711 2 970 5016 t ( changes to intervene between checking a)6 1680( is permissible, however, for label)5 1381( It)1 116(check is intended to protect.)4 1143 4 720 5136 t ( may be necessary to check several times)7 1665( It)1 115( the directory.)2 565(directory in a pathname and checking an entry in)8 1975 4 720 5256 t (during an action, for example during a)6 1533 1 720 5376 t 10 I f (read)2278 5376 w 10 R f (that incurs several disk transfers or page waits.)7 1868 1 2486 5376 t 10 B f ( changes)1 364(3.2. Label)1 445 2 720 5616 t 10 R f ( is determined by its fixity, which takes on one of four val-)12 2386(The degree to which a label is changeable)7 1684 2 970 5772 t (ues)720 5892 w 10 B f (loose)880 5892 w 10 R f (,)1091 5892 w 10 B f (frozen)1142 5892 w 10 R f (,)1413 5892 w 10 B f (rigid)1464 5892 w 10 R f (, and)1 195 1 1670 5892 t 10 B f (constant)1891 5892 w 10 R f ( owner of a file with a loose or frozen label may change the fix-)14 2557(. The)1 231 2 2252 5892 t ( any value except)3 713(ity of that label to)4 731 2 720 6012 t 10 B f (constant)2195 6012 w 10 R f ( process may change the fixity of its label back and forth)11 2331(. 
A)1 153 2 2556 6012 t ( is no other way to change fixity.)7 1315( There)1 282(between loose and frozen.)3 1041 3 720 6132 t 10 I f (Loose)970 6288 w 10 R f ( be changed by any process, either as a result of an explicit label-changing system)14 3394(labels can)1 404 2 1242 6288 t (call or as a side effect of a security check calculation.)10 2129 1 720 6408 t 10 I f (Frozen)970 6564 w 10 R f (labels cannot be changed without first making the label loose.)9 2469 1 1278 6564 t 10 I f (Rigid)970 6720 w 10 R f ( with capability Cap)3 811(labels can be changed only by processes)6 1607 2 1212 6720 t 7 R f (extern)3641 6740 w 10 R f ( labels of external media)4 985(. The)1 231 2 3824 6720 t (are forced to be rigid.)4 861 1 720 6840 t 10 I f (Constant)970 6996 w 10 R f ( constancy is a property of certain device files; see \2473.4.)10 2239( Label)1 277(labels never change.)2 811 3 1357 6996 t cleartomark showpage saveobj restore %%EndPage: 14 14 %%Page: 15 15 /saveobj save def mark 15 pagesetup 10 R f (- 15 -)2 216 1 2772 480 t 10 S1 f ()720 840 w 720 840 m 100 build_rh 820 840 m 10 R f ( the external destination)3 972(External media have rigid labels because the label is the only record of what)13 3098 2 970 840 t (is allowed to see or of how incoming data should be classified.)11 2508 1 970 960 t ( are to be taken)4 625( actions described)2 721( The)1 208(Changes in labels are propagated by the following procedures.)8 2516 4 970 1116 t (immediately and atomically, even in the middle of a)8 2084 1 720 1236 t 10 I f (read)2829 1236 w 10 R f (or)3037 1236 w 10 I f (write)3145 1236 w 10 R f (call.)3376 1236 w 10 B f (3.2.1. 
CHP\()1 519 1 720 1476 t 10 I f (p)1239 1476 w 10 B f (\): Propagate change in process label)5 1535 1 1289 1476 t 10 R f (Clear the safe-to-write bits on all file descriptors in process)9 2365 1 720 1632 t 10 I f (p)3110 1632 w 10 R f (.)3160 1632 w (If)720 1788 w 10 I f (p)811 1788 w 10 R f (has an associated process file)4 1169 1 886 1788 t 10 I f (f)2080 1788 w 10 R f (, propagate with CHF\()3 899 1 2108 1788 t 10 I f (f)3007 1788 w 10 R f (\), avoiding further recursion.)3 1150 1 3035 1788 t 10 S1 f ()720 1944 w 720 1944 m 100 build_rh 820 1944 m 10 R f (The inequalities)1 654 1 970 1944 t 10 I f (L)1662 1944 w 10 R f (\()1726 1944 w 10 I f (p)1767 1944 w 10 R f (\))1825 1944 w 10 S f (\243)1907 1944 w 10 I f (L)2003 1944 w 10 R f (\()2067 1944 w 10 I f (f)2124 1944 w 10 R f (\) are no longer known to be true for files)9 1738 1 2176 1944 t 10 I f (f)3952 1944 w 10 R f (open in)1 310 1 4018 1944 t 10 I f (p)4366 1944 w 10 R f (. When)1 326 1 4416 1944 t 10 I f (p)4780 1944 w 10 R f (next)4868 1944 w (attempts a write or when)4 987 1 970 2064 t 10 I f (p)1982 2064 w 10 R f (resumes an incomplete write WRITE will be checked afresh.)8 2430 1 2057 2064 t 10 B f (3.2.2. 
CHF\()1 519 1 720 2304 t 10 I f (f)1239 2304 w 10 B f (\): Propagate change in file label)5 1352 1 1267 2304 t 10 R f (For all file descriptors)3 885 1 720 2460 t 10 I f (d)1630 2460 w 10 R f (such that)1 358 1 1705 2460 t 10 I f (f)2088 2460 w 10 R f (\()2132 2460 w 10 I f (d)2173 2460 w 10 R f (\))2231 2460 w 10 S f (=)2321 2460 w 10 I f (f)2433 2460 w 10 R f (Clear the safe-to-read and safe-to-write bits on)6 1861 1 970 2616 t 10 I f (d)2856 2616 w 10 R f (.)2906 2616 w (Raise signal)1 486 1 970 2772 t 10 CW f (SIGLAB)1481 2772 w 10 R f (in)1866 2772 w 10 I f (p)1969 2772 w 10 R f (\()2027 2772 w 10 I f (d)2068 2772 w 10 R f (\).)2126 2772 w (If)720 2928 w 10 I f (f)811 2928 w 10 R f (is the process file for process)5 1161 1 864 2928 t 10 I f (q)2050 2928 w 10 R f (then propagate with CHP\()3 1046 1 2125 2928 t 10 I f (q)3171 2928 w 10 R f (\), avoiding further recursion.)3 1150 1 3221 2928 t (If)720 3084 w 10 I f (f)811 3084 w 10 R f (is a pipe end with other end)6 1104 1 864 3084 t 10 I f (f)1993 3084 w 10 S f (\242)2043 3079 w 10 R f (then propagate with CHF\()3 1046 1 2101 3084 t 10 I f (f)3147 3084 w 10 S f (\242)3197 3079 w 10 R f (\), avoiding further recursion.)3 1150 1 3230 3084 t 10 S1 f ()720 3240 w 720 3240 m 100 build_rh 820 3240 m 10 R f (The inequalities)1 653 1 970 3240 t 10 I f (L)1661 3240 w 10 R f (\()1725 3240 w 10 I f (f)1782 3240 w 10 R f (\))1834 3240 w 10 S f (\243)1916 3240 w 10 I f (L)2012 3240 w 10 R f (\()2076 3240 w 10 I f (q)2117 3240 w 10 R f (\) are no longer known to be true in other processes)10 2153 1 2175 3240 t 10 I f (q)4366 3240 w 10 R f (. 
When)1 326 1 4416 3240 t 10 I f (q)4780 3240 w 10 R f (next)4868 3240 w (attempts a read or when)4 977 1 970 3360 t 10 I f (q)1978 3360 w 10 R f ( the)1 152( Similarly)1 429(resumes an incomplete read READ will be checked afresh.)8 2400 3 2059 3360 t (inequalities)970 3480 w 10 I f (L)1456 3480 w 10 R f (\()1520 3480 w 10 I f (f)1577 3480 w 10 R f (\))1629 3480 w 10 S f (\243)1711 3480 w 10 I f (C)1807 3480 w 10 R f (\()1882 3480 w 10 I f (q)1923 3480 w 10 R f (\) will be checked on future writes.)6 1366 1 1981 3480 t 10 B f (3.2.3. CHS\()1 514 1 720 3720 t 10 I f (s)1234 3720 w 10 B f (\): Propagate change in seek pointer label)6 1738 1 1273 3720 t 10 R f (Clear the safe-to-read and safe-to-write bits on all file descriptors)9 2607 1 720 3876 t 10 I f (d)3352 3876 w 10 R f (such that)1 358 1 3427 3876 t 10 I f (s)3810 3876 w 10 R f (\()3857 3876 w 10 I f (d)3898 3876 w 10 R f (\))3956 3876 w 10 S f (=)4046 3876 w 10 I f (s)4150 3876 w 10 R f (.)4189 3876 w (Raise signal)1 486 1 720 4032 t 10 CW f (SIGLAB)1231 4032 w 10 R f (in)1616 4032 w 10 I f (p)1719 4032 w 10 R f (\()1777 4032 w 10 I f (d)1818 4032 w 10 R f (\) for all such)3 507 1 1876 4032 t 10 I f (d)2408 4032 w 10 R f (.)2458 4032 w 10 B f ( file descriptors)2 660(3.2.4. 
New)1 463 2 720 4272 t 10 R f ( descriptor copied between pro-)4 1271( every new file descriptor and on every)7 1566( on)1 151(Perform the following operations)3 1332 4 720 4428 t (cesses, as by)2 507 1 720 4548 t 10 I f (exec)1252 4548 w 10 R f (or)1453 4548 w 10 CW f (FIORCVFD)1561 4548 w 10 R f (.)2041 4548 w (Clear the safe-to-read bit and safe-to-write bit.)6 1853 1 720 4704 t (Set the exempt bit.)3 750 1 720 4860 t 10 S1 f ()720 5016 w 720 5016 m 100 build_rh 820 5016 m 10 R f ( implementer may copy the safe bits on descriptors cloned by)10 2522( An)1 179( conservative.)1 561(These rules are)2 615 4 970 5016 t 10 I f (fork)4879 5016 w 10 R f (or)970 5136 w 10 I f (dup)1086 5136 w 10 R f (or by)1 216 1 1269 5136 t 10 I f (open)1518 5136 w 10 R f ( \()1 65(ing a file descriptor file)4 969 2 1712 5136 t 10 CW f (/dev/fd/*)2746 5136 w 10 R f ( values of exempt bits do not matter)7 1484(\). The)1 270 2 3286 5136 t (unless Cap)1 436 1 970 5256 t 7 R f (nochk)1417 5276 w 10 R f (\()1604 5256 w 10 I f (p)1645 5256 w 10 R f (\) is true.)2 330 1 1703 5256 t 10 B f (3.2.5. 
SIGLAB)1 654 1 720 5496 t 10 R f (Signal)970 5652 w 10 CW f (SIGLAB)1271 5652 w 10 R f (is raised whenever a file descriptor changes label.)7 2123 1 1676 5652 t 10 CW f (SIGLAB)3939 5652 w 10 R f (is ignored if not)3 696 1 4344 5652 t (caught.)720 5772 w 10 S1 f ()720 5928 w 720 5928 m 100 build_rh 820 5928 m 10 R f (A trusted process with Cap)4 1106 1 970 5928 t 7 R f (nochk)2087 5948 w 10 R f ( use)1 165(capability would)1 675 2 2297 5928 t 10 CW f (SIGLAB)3204 5928 w 10 R f (to prevent unintended downgrading)3 1444 1 3596 5928 t ( process would most likely freeze its own)7 1670( The)1 207( occur if the labels of its input files changed.)9 1793(that could)1 400 4 970 6048 t (label by setting)2 613 1 970 6168 t 10 I f (F)1609 6168 w 10 R f (\()1678 6168 w 10 I f (p)1719 6168 w 10 R f (\) with)1 237 1 1777 6168 t 10 I f (setplab)2040 6168 w 10 R f (\(\2473.6.7\), catch)1 577 1 2355 6168 t 10 CW f (SIGLAB)2958 6168 w 10 R f (, and use)2 354 1 3318 6168 t 10 I f (unsafe)3698 6168 w 10 R f ( changes)1 348(\(\2473.6.9\) to isolate)2 707 2 3985 6168 t (when they occur.)2 684 1 970 6288 t 10 B f (3.2.6. 
ELAB)1 548 1 720 6528 t 10 R f (Attempts to violate critical label inequalities return error number)8 2585 1 970 6684 t 10 CW f (ELAB)3580 6684 w 10 R f (.)3820 6684 w 10 S1 f ()720 6840 w 720 6840 m 100 build_rh 820 6840 m 10 R f (Information may be communicated through)4 1778 1 970 6840 t 10 CW f (ELAB)2782 6840 w 10 R f ( Low not be cleared for information)6 1490(: Let process)2 528 2 3022 6840 t (known to process High, i.e.)4 1148 1 970 6960 t 10 I f (L)2155 6960 w 10 R f (\( High \))2 282 1 2219 6960 t 10 S f (\243)2550 6960 w 10 I f (/ L)1 138 1 2564 6960 t 10 R f ( and let)2 318(\( Low \),)2 290 2 2710 6960 t 10 I f (f)3355 6960 w 10 R f ( High)1 262(be a file that Low is cleared for.)7 1358 2 3420 6960 t (either does or does not contaminate \(raise the label of\))9 2188 1 970 7080 t 10 I f (f)3185 7080 w 10 R f ( tries to read)3 505( Low)1 235(by writing in it.)3 629 3 3240 7080 t 10 I f (f)4637 7080 w 10 R f (, and dis-)2 375 1 4665 7080 t ( does not get error)4 758(covers which action High took according as it does or)9 2230 2 970 7200 t 10 CW f (ELAB)3991 7200 w 10 R f ( bandwidth of)2 571(. The)1 238 2 4231 7200 t cleartomark showpage saveobj restore %%EndPage: 15 15 %%Page: 16 16 /saveobj save def mark 16 pagesetup 10 R f (- 16 -)2 216 1 2772 480 t (about 80bps might be reduced by inserting delay when returning)9 2577 1 970 840 t 10 CW f (ELAB)3572 840 w 10 R f (.)3812 840 w 10 S1 f ()720 996 w 720 996 m 100 build_rh 820 996 m 10 R f ( \(10bps\) but nonetheless elegant:)4 1363(Denning describes a similar channel, slower)5 1818 2 970 996 t 8 R f (5)4159 964 w 10 R f (High either does or)3 804 1 4236 996 t (does not contaminate)2 851 1 970 1116 t 10 I f (f)1846 1116 w 10 R f ( writes a 1 in another low file)7 1173(. 
Low)1 258 2 1874 1116 t 10 I f (g)3330 1116 w 10 R f (, then reads)2 457 1 3380 1116 t 10 I f (f)3862 1116 w 10 R f (and from the contents deter-)4 1125 1 3915 1116 t (mines whether)1 587 1 970 1236 t 10 I f (f)1584 1236 w 10 R f ( If)1 119( itself\) has been contaminated.)4 1229(\(and Low)1 387 3 1639 1236 t 10 I f (f)3402 1236 w 10 R f (is not contaminated Low replaces the 1)6 1582 1 3458 1236 t ( still low file)3 518( The)1 208(by a 0.)2 275 3 970 1356 t 10 I f (g)1999 1356 w 10 R f ( \(0\) contaminate)2 658(now tells whether High did \(1\) or did not)8 1667 2 2077 1356 t 10 I f (f)4429 1356 w 10 R f (, yet in neither)3 583 1 4457 1356 t ( sense of \2472.5\) from High to)6 1141(case does there exist a forbidden chain of data flow \(in the)11 2341 2 970 1476 t 10 I f (g)4479 1476 w 10 R f (, nor did any)3 511 1 4529 1476 t (system call fail.)2 630 1 970 1596 t 10 S1 f ()720 1752 w 720 1752 m 100 build_rh 820 1752 m 10 R f ( descriptor raise)2 651(Denied writes on a file)4 933 2 970 1752 t 10 CW f (SIGPIPE)2586 1752 w 10 R f ( may also be desirable to stop pro-)7 1422( It)1 118(; see \2473.1.4.)2 494 3 3006 1752 t (cesses that attempt too many security violations with a new, uncatchable signal, say)12 3346 1 970 1872 t 10 CW f (SIGSPY)4341 1872 w 10 R f (.)4701 1872 w 10 B f (3.2.7. EPRIV)1 586 1 720 2112 t 10 R f (Attempts to violate privilege rules return error number)7 2177 1 970 2268 t 10 CW f (EPRIV)3172 2268 w 10 R f (.)3472 2268 w 10 S1 f ()720 2424 w 720 2424 m 100 build_rh 820 2424 m 10 CW f (EPRIV)970 2424 w 10 R f (affords covert channels as does)4 1250 1 1296 2424 t 10 CW f (ELAB)2572 2424 w 10 R f ( processes that can modulate privilege must them-)7 2007(. But)1 221 2 2812 2424 t (selves be privileged; they have far more potent ways to make covert channels.)12 3118 1 970 2544 t 10 B f (3.3. 
Privileges)1 616 1 720 2784 t 10 R f ( \()1 41(The privilege bits Priv)3 930 2 970 2940 t 10 I f (p)1949 2940 w 10 R f ( \()1 41(\) and Priv)2 416 2 2007 2940 t 10 I f (f)2488 2940 w 10 R f ( and)1 181( \(. \),)2 132( comprises both capabilities, Cap)4 1368( \(. \))2 107(\) \(recall that Priv)3 712 5 2540 2940 t ( are stored with)3 663( \(. \)\))2 140(licenses, Lic)1 514 3 720 3060 t 10 I f (L)2077 3060 w 10 R f (\()2141 3060 w 10 I f (p)2182 3060 w 10 R f (\) and)1 217 1 2240 3060 t 10 I f (L)2497 3060 w 10 R f (\()2561 3060 w 10 I f (f)2618 3060 w 10 R f ( system calls)2 541(\). The)1 278 2 2670 3060 t 10 I f (getplap, setplab, getflab,)2 1022 1 3529 3060 t 10 R f (and)4590 3060 w 10 I f (setflab)4773 3060 w 10 R f (retrieve and change privileges according to the policy set forth in \2472.5.2.)11 2900 1 720 3180 t ( \()1 41(Privileges Priv)1 593 2 720 3336 t 10 I f (p)1362 3336 w 10 R f (\) are inherited across)3 836 1 1420 3336 t 10 I f (fork.)2282 3336 w 10 R f ( \()1 41(Licenses Lic)1 509 2 2519 3336 t 10 I f (p)3077 3336 w 10 R f (\) may be inherited across)4 1011 1 3135 3336 t 10 I f (exec)4173 3336 w 10 R f ( The)1 207(; see \2473.5.7.)2 484 2 4349 3336 t (initial capabilities of a child process)5 1440 1 720 3456 t 10 I f (q)2185 3456 w 10 R f (executing a trusted file)3 912 1 2260 3456 t 10 I f (f)3197 3456 w 10 R f (from file system)2 655 1 3250 3456 t 10 I f (FS)3930 3456 w 10 R f (\()4049 3456 w 10 I f (f)4106 3456 w 10 R f (\) are given by)3 551 1 4158 3456 t (Cap \()1 202 1 1384 3636 t 10 I f (q)1594 3636 w 10 R f (\))1652 3636 w 10 S f (=)1742 3636 w 10 R f (Cap \()1 202 1 1846 3636 t 10 I f (f)2072 3636 w 10 R f (\))2124 3636 w 10 S f (\331)2173 3636 w 10 R f (Cap)2241 3636 w 10 I f (FS)2410 3636 w 10 R f (\()2529 3636 w 10 I f (f)2586 3636 w 10 R f (\))2638 3636 w 10 S f (\331)2687 3636 w 10 R f (\( Lic \()2 215 1 2755 3636 t 10 I f (p)2978 3636 w 10 R f (\))3036 3636 w 10 S f (\332)3118 3636 w 10 R f (Lic \()1 174 1 3219 3636 t 10 I f (f)3417 3636 
w 10 R f (\))3469 3636 w 10 S f (\331)3518 3636 w 10 R f (Lic \()1 174 1 3586 3636 t 10 I f (FS)3768 3636 w 10 R f (\()3887 3636 w 10 I f (f)3944 3636 w 10 R f (\) \))1 74 1 3996 3636 t 10 S f (\331)4086 3636 w 10 R f (Lic)4154 3636 w 7 R f (0)4292 3596 w 10 R f (\))4343 3636 w (The compile-time parameter Lic)3 1309 1 720 3852 t 7 R f (0)2034 3812 w 10 R f ( only Cap)2 401( Currently)1 439( self-licensing of files.)3 911(limits the)1 381 4 2107 3852 t 7 R f (nochk)4250 3872 w 10 R f (, Cap)1 217 1 4429 3852 t 7 R f (extern)4657 3872 w 10 R f (, and)1 200 1 4840 3852 t (Cap)720 3972 w 7 R f (uarea)892 3992 w 10 R f (may be self-licensed.)2 845 1 1076 3972 t 10 S1 f ()720 4128 w 720 4128 m 100 build_rh 820 4128 m 10 R f ( of a file are masked by the capability and license of its file system. A)15 2904(The capabilities and licenses)3 1166 2 970 4128 t ( Capabili-)1 424( is licensed for from the capabilities of its executable file.)10 2313(process obtains the capabilities it)4 1333 3 970 4248 t ( \()1 41(ties are licensed either by inherited licenses Lic)7 1893 2 970 4368 t 10 I f (p)2912 4368 w 10 R f ( \()1 41(\) or by file licenses Lic)5 923 2 2970 4368 t 10 I f (f)3958 4368 w 10 R f (\).)4010 4368 w 10 S1 f ()720 4524 w 720 4524 m 100 build_rh 820 4524 m 10 R f (The utility of the self-licensing limit Lic)6 1611 1 970 4524 t 7 R f (0)2586 4484 w 10 R f (is questionable.)1 622 1 2654 4524 t 10 B f (3.3.1.)720 4764 w 10 R f (Cap)995 4764 w 7 B f (extern)1167 4784 w 10 R f ( the)1 151( is required for)3 599( It)1 114(This capability is used to introduce foreign data into the system.)10 2592 4 970 4920 t 10 I f (fmount)4455 4920 w 10 R f (system)4762 4920 w (call, to change labels away from)5 1291 1 720 5040 t 10 B f (n)2036 5040 w 10 R f (, and to change rigid labels.)5 1101 1 2092 5040 t 10 S1 f ()720 5196 w 720 5196 m 100 build_rh 820 5196 m 10 R f (Capability Cap)1 614 1 970 5196 t 7 R f (extern)1595 5216 w 10 R f ( open)1 231(is necessary to open external media or 
to modify the label of an already)13 2995 2 1814 5196 t ( general a Cap)3 591( In)1 139(external medium.)1 705 3 970 5316 t 7 R f (extern)2416 5336 w 10 R f ( protocol to deter-)3 733(process will perform some authentication)4 1677 2 2630 5316 t ( label setting won't work because the system does)8 2045( Automatic)1 478(mine the proper label for the medium.)6 1547 3 970 5436 t (not know what or who is out there.)7 1393 1 970 5556 t 10 S1 f ()720 5712 w 720 5712 m 100 build_rh 820 5712 m 10 R f (Label)970 5712 w 10 B f (n)1225 5712 w 10 R f ( marked)1 328( Once)1 264( used to hide data from \(almost\) everybody.)7 1775(may be)1 294 4 1309 5712 t 10 B f (n)3999 5712 w 10 R f (, it can't be read by nor-)6 985 1 4055 5712 t (mal means until resurrected by Cap)5 1422 1 970 5832 t 7 R f (extern)2403 5852 w 10 R f ( effect data marked)3 769(. In)1 159 2 2586 5832 t 10 B f (n)3540 5832 w 10 R f ( removed from the system;)4 1071(has been)1 347 2 3622 5832 t ( an administrative program with capability)5 1721(it comes back with a newly minted label as determined by)10 2349 2 970 5952 t (Cap)970 6072 w 7 R f (extern)1142 6092 w 10 R f (.)1325 6072 w 10 B f (3.3.2.)720 6312 w 10 R f (Cap)995 6312 w 7 B f (uarea)1167 6332 w 10 R f ( In)1 144( that is readable by a descendent processes.)7 1800(This capability permits modifying ``user-area'' data)5 2126 3 970 6468 t ( such data \(e.g.)3 628(general, only the superuser can write)5 1518 2 720 6588 t 10 I f (setuid)2925 6588 w 10 R f (and)3198 6588 w 10 I f (setlogname)3376 6588 w 10 R f ( Cap)1 195(\). 
Thus)1 317 2 3831 6588 t 7 R f (uarea)4354 6608 w 10 R f (enforces the)1 493 1 4547 6588 t (notion that the superuser has no business executing untrusted code.)9 2680 1 720 6708 t 10 S1 f ()720 6864 w 720 6864 m 100 build_rh 820 6864 m 10 R f (Non-superuser writing in the user area is controlled differently.)8 2637 1 970 6864 t 10 I f (Umask)3671 6864 w 10 R f (is censored when process)3 1053 1 3987 6864 t ( notion of abolishing)3 858( The)1 214( process ceiling has its own label; see \2473.6.7.)8 1867( The)1 215(labels drop; see\2473.5.7.)2 916 5 970 6984 t (Cap)970 7104 w 7 R f (uarea)1142 7124 w 10 R f ( we feared that this could)5 1056( However,)1 450(and instead labeling each user-area item is appealing.)7 2198 3 1336 7104 t (lead to the necessity for some other privilege to undo label creep in the user area.)15 3237 1 970 7224 t cleartomark showpage saveobj restore %%EndPage: 16 16 %%Page: 17 17 /saveobj save def mark 17 pagesetup 10 R f (- 17 -)2 216 1 2772 480 t 10 B f (3.3.3.)720 840 w 10 R f (Cap)995 840 w 7 B f (nochk)1167 860 w 10 R f ( is required for programs that inher-)6 1484( It)1 120(This privilege allows a process to ignore label comparisons.)8 2466 3 970 996 t ( or back up file systems, or programs to han-)9 1795(ently deal with multilevel data, for example programs to repair)9 2525 2 720 1116 t (dle multilevel multiplexed communication.)3 1728 1 720 1236 t (Capability Cap)1 622 1 970 1392 t 7 R f (nochk)1603 1412 w 10 R f ( file)1 178( Fresh)1 292(overrides label checking only on file descriptors marked exempt.)8 2744 3 1826 1392 t (descriptors are exempt; their exempt status may be changed by the)10 2656 1 720 1512 t 10 I f (nochk)3401 1512 w 10 R f (system call; see \2473.6.5.)3 927 1 3664 1512 t 10 S1 f ()720 1668 w 720 1668 m 100 build_rh 820 1668 m 10 R f (Cap)970 1668 w 7 R f (nochk)1142 1688 w 10 R f (and Cap)1 341 1 1357 1668 t 7 R f (extern)1709 1688 w 10 R f ( difference is that)3 731( The)1 217( be used to grant access to external 
media.)8 1778(may both)1 386 4 1928 1668 t (Cap)970 1788 w 7 R f (nochk)1142 1808 w 10 R f (gives access only to the process that has the privilege\320what is done with the access is)15 3678 1 1362 1788 t (under its control\320while Cap)3 1163 1 970 1908 t 7 R f (extern)2144 1928 w 10 R f (makes the data available to other processes.)6 1743 1 2352 1908 t 10 B f (3.3.4.)720 2148 w 10 R f (Cap)995 2148 w 7 B f (setpriv)1167 2168 w 10 R f (This capability is required to change file privileges.)7 2058 1 970 2304 t 10 S1 f ()720 2460 w 720 2460 m 100 build_rh 820 2460 m 10 R f (Programs with capability Cap)3 1260 1 970 2460 t 7 R f (setpriv)2241 2480 w 10 R f ( be very carefully)3 772(have the keys to the kingdom; they must)7 1780 2 2488 2460 t (designed.)970 2580 w 10 B f (3.3.5.)720 2820 w 10 R f (Cap)995 2820 w 7 B f (setlic)1167 2840 w 10 R f ( ceiling arbi-)2 514(This capability is required to increase process licenses or to change the process label and)14 3556 2 970 2976 t (trarily.)720 3096 w 10 S1 f ()720 3252 w 720 3252 m 100 build_rh 820 3252 m 10 R f (Capability Cap)1 603 1 970 3252 t 7 R f (setlic)1584 3272 w 10 R f (is used to set up user sessions.)6 1208 1 1766 3252 t 10 B f (3.3.6.)720 3492 w 10 R f (Cap)995 3492 w 7 R f (log)1167 3512 w 10 R f (This capability is required to set up or change mandatory auditing.)10 2655 1 970 3648 t 10 B f ( files)1 197(3.4. Special)1 506 2 720 3888 t 10 R f ( they may require unusual security)5 1453(Because special files address resources with unusual properties)7 2617 2 970 4044 t ( example)1 368( files, for)2 375(considerations. 
Some)1 886 3 720 4164 t 10 CW f (/dev/stdin)2379 4164 w 10 R f (, have the property that the file descriptor obtained)8 2061 1 2979 4164 t (by)720 4284 w 10 I f (open)851 4284 w 10 R f ( such a file)3 453( On)1 178(refers to a different object than the file name does.)9 2065 3 1076 4284 t 10 I f (fstat)3803 4284 w 10 R f (and)4008 4284 w 10 I f (stat)4184 4284 w 10 R f (may return com-)2 679 1 4361 4284 t (pletely differing data; similarly)3 1276 1 720 4404 t 10 I f (fchmod)2031 4404 w 10 R f ( file that was opened to obtain the file)8 1581(may not affect the original)4 1099 2 2360 4404 t ( these)1 241( special files have rigid or constant labels; it is impossible to change the fixity of)15 3367(descriptor. Some)1 712 3 720 4524 t (files.)720 4644 w 10 B f ( special files.)2 536(3.4.1. Character)1 712 2 720 4884 t 10 R f (On directories and character special files the accept pex indicator)9 2627 1 970 5040 t 10 I f (APX)3625 5040 w 10 R f (\()3816 5040 w 10 I f (f)3873 5040 w 10 R f (\))3925 5040 w 10 S f (=)4015 5040 w 10 B f (false)4119 5040 w 10 R f (by default, other-)2 698 1 4342 5040 t (wise)720 5160 w 10 I f (APX)939 5160 w 10 R f (\()1130 5160 w 10 I f (f)1187 5160 w 10 R f (\))1239 5160 w 10 S f (=)1329 5160 w 10 B f (true)1433 5160 w 10 R f ( of)1 118( setting)1 303( The)1 216(by default.)1 438 4 1646 5160 t 10 I f (APX)2756 5160 w 10 R f (\()2947 5160 w 10 I f (f)3004 5160 w 10 R f (\) can be changed only for character special files)8 1984 1 3056 5160 t (\(\2473.7.2.4\).)720 5280 w 10 S1 f ()720 5436 w 720 5436 m 100 build_rh 820 5436 m 10 R f ( to secure trusted paths that are free from eavesdropping)9 2250(Process exclusive \(pex\) requests are designed)5 1820 2 970 5436 t ( typical application is demanding)4 1331( A)1 123( \(\2473.7.2\).)1 367(or from forging or corruption of data by other processes)9 2249 4 970 5556 t ( however, the ``terminal'' is really a communication line to another)10 2772( If,)1 149(a password from a terminal.)4 1149 3 970 5676 
t ( guarantee the)2 577(computer that is relaying the conversation, process-exclusive access is not enough to)11 3493 2 970 5796 t ( after a trusted process has somehow authenticated the trustedness of)10 2814( Only)1 257(privacy of the password.)3 999 3 970 5916 t ( then,)1 239( Initially,)1 409( assure privacy \(\2473.7.2.3\).)3 1090(the external path can exclusive use of the internal path)9 2332 4 970 6036 t (devices must refuse to accept pex requests.)6 1715 1 970 6156 t 10 B f ( media)1 286(3.4.2. External)1 647 2 720 6396 t 10 R f ( are files over)3 554( They)1 258( discussed in section \2473.4.)4 1056(External media comprise all special files not otherwise)7 2202 4 970 6552 t ( terminals, communication)2 1083( are)1 154( Examples)1 452(whose contents the system has not maintained complete control.)8 2631 4 720 6672 t ( are not external media.)4 939( Pipes)1 267(links, tapes, and disks.)3 900 3 720 6792 t ( external medium is not open, its label is)8 1667(When an)1 362 2 970 6948 t 10 B f (n)3030 6948 w 10 R f ( label is rigid and remains)5 1065(. 
The)1 236 2 3086 6948 t 10 B f (n)4418 6948 w 10 R f (after opening)1 535 1 4505 6948 t (until it is set away from)5 972 1 720 7068 t 10 B f (n)1722 7068 w 10 R f ( label)1 223( The)1 209( openings see this new label.)5 1163( Further)1 348(by a trusted process; see \2473.6.6.)5 1290 5 1807 7068 t (reverts to)1 374 1 720 7188 t 10 B f (n)1119 7188 w 10 R f (when no process has the file open.)6 1372 1 1200 7188 t cleartomark showpage saveobj restore %%EndPage: 17 17 %%Page: 18 18 /saveobj save def mark 18 pagesetup 10 R f (- 18 -)2 216 1 2772 480 t 10 S1 f ()720 840 w 720 840 m 100 build_rh 820 840 m 10 R f ( Authenti-)1 437( before access may be granted to an external medium.)9 2180(In general authentication is required)4 1453 3 970 840 t (cation will be administered by trusted processes.)6 1939 1 970 960 t 10 S1 f ()720 1116 w 720 1116 m 100 build_rh 820 1116 m 10 R f ( a label with a file has the unfortunate effect that ordinary programs can-)13 2921(The fact that an inode shares)5 1149 2 970 1116 t (not read the properties of most device files.)7 1730 1 970 1236 t 10 B f (3.4.3. Streams)1 624 1 720 1476 t 10 R f (When a stream is created, its stream identifier is initialized to the null string.)13 3055 1 970 1632 t (Both ends of a pipe stream share a single label, which is initialized to)13 2769 1 970 1788 t 10 S f (^)3772 1788 w 10 R f (.)3838 1788 w (A device stream shares its label with the device it is attached to.)12 2554 1 970 1944 t 10 B f ( and mem)2 422(3.4.4. Null)1 459 2 720 2184 t 10 R f (The null device)2 651 1 970 2340 t 10 CW f (/dev/null)1661 2340 w 10 R f (has constant label)2 742 1 2242 2340 t 10 B f (y)3025 2340 w 10 R f (. 
The)1 246 1 3075 2340 t 10 I f (stat)3362 2340 w 10 R f (system call returns dummy data for)5 1492 1 3548 2340 t 10 CW f (/dev/null)720 2460 w 10 R f (.)1260 2460 w 10 S1 f ()720 2616 w 720 2616 m 100 build_rh 820 2616 m 10 R f (This plugs covert channels through the mode bits of)8 2076 1 970 2616 t 10 CW f (/dev/null)3071 2616 w 10 R f (.)3611 2616 w (The memory devices,)2 862 1 970 2772 t 10 CW f (/dev/mem)1857 2772 w 10 R f (and)2362 2772 w 10 CW f (/dev/kmem)2531 2772 w 10 R f (, have constant label)3 815 1 3071 2772 t 10 B f (n)3911 2772 w 10 R f (.)3967 2772 w 10 B f ( files)1 197(3.4.5. Process)1 596 2 720 3012 t 10 R f (For each file)2 516 1 970 3168 t 10 I f (f)1517 3168 w 10 R f (in)1576 3168 w 10 CW f (/proc)1685 3168 w 10 R f (Priv \()1 208 1 2016 3168 t 10 I f (f)2248 3168 w 10 R f (\))2300 3168 w 10 S f (=)2390 3168 w 10 R f (Priv \()1 208 1 2494 3168 t 10 I f (p)2710 3168 w 10 R f (\), where)1 332 1 2768 3168 t 10 I f (p)3132 3168 w 10 R f ( Cap)1 193( If)1 123(is the corresponding process.)3 1180 3 3214 3168 t 7 R f (nochk)4721 3188 w 10 R f (\()4908 3168 w 10 I f (p)4949 3168 w 10 R f (\))5007 3168 w (was ever true,)2 572 1 720 3288 t 10 I f (L)1325 3288 w 10 R f (\()1389 3288 w 10 I f (f)1446 3288 w 10 R f (\))1498 3288 w 10 S f (=)1588 3288 w 10 UnivMath6 f (\301)1692 3288 w 10 R f (, otherwise)1 445 1 1775 3288 t 10 I f (L)2252 3288 w 10 R f (\()2316 3288 w 10 I f (f)2373 3288 w 10 R f (\))2425 3288 w 10 S f (=)2515 3288 w 10 I f (L)2619 3288 w 10 R f (\()2683 3288 w 10 I f (p)2724 3288 w 10 R f ( process file disappears with the process, regard-)7 1988(\). 
The)1 270 2 2782 3288 t (less of whether it was trusted.)5 1187 1 720 3408 t (The virtual directory)2 840 1 720 3564 t 10 CW f (/proc)1593 3564 w 10 R f (has a)1 210 1 1926 3564 t 10 B f (rigid)2169 3564 w 10 R f ( a pro-)2 276( Creating)1 402(bottom label and has universal read permission.)6 1954 3 2408 3564 t (cess does not count as writing in)6 1299 1 720 3684 t 10 CW f (/proc)2044 3684 w 10 R f (.)2344 3684 w 10 S1 f ()720 3840 w 720 3840 m 100 build_rh 820 3840 m 10 R f (The top label for Cap)4 854 1 970 3840 t 7 R f (nochk)1835 3860 w 10 R f (processes prevents leaks through debuggers.)4 1771 1 2039 3840 t 10 S1 f ()720 3996 w 720 3996 m 100 build_rh 820 3996 m 10 R f ( the rate of process creation, unrelated processes can communicate covertly through)11 3462(By modulating)1 608 2 970 3996 t 10 CW f (/proc)970 4116 w 10 R f (at a rate of a few bits per second.)8 1315 1 1295 4116 t 10 S1 f ()720 4272 w 720 4272 m 100 build_rh 820 4272 m 10 R f (When Cap)1 433 1 970 4272 t 7 R f (nochk)1414 4292 w 10 R f (\()1601 4272 w 10 I f (p)1642 4272 w 10 R f (\) is true upon)3 557 1 1700 4272 t 10 I f (exec,)2291 4272 w 10 R f (our implementation divorces the file privileges as well as the)9 2514 1 2526 4272 t ( that of the process. The divorce happens when the inode is created, which occurs on)15 3483(file label from)2 587 2 970 4392 t ( changes in process privilege are not reflected in the file.)10 2268( Subsequent)1 512(demand, not at process creation.)4 1290 3 970 4512 t ( labeled)1 318(Thus, the privileges of a process file)6 1486 2 970 4632 t 10 UnivMath6 f (\301)2804 4632 w 10 R f ( unless)1 280( But)1 200(may not agree with those of the process.)7 1643 3 2917 4632 t (the file has capability Cap)4 1043 1 970 4752 t 7 R f (setlic)2024 4772 w 10 R f (, its privileges dominate those of the process.)7 1801 1 2181 4752 t 10 B f ( descriptor files)2 660(3.4.6. 
File)1 436 2 720 4992 t 10 R f (The files)1 363 1 970 5148 t 10 CW f (/dev/fd/*)1369 5148 w 10 R f (,)1909 5148 w 10 CW f (/dev/tty)1970 5148 w 10 R f (,)2450 5148 w 10 CW f (/dev/stdin)2511 5148 w 10 R f (, etc, when referred to by file descriptor, share)8 1929 1 3111 5148 t ( referred to by name, these files have the constant)9 2005( When)1 291( to.)1 131(labels with the file descriptors they correspond)6 1893 4 720 5268 t (label)720 5388 w 10 B f (y)939 5388 w 10 R f (.)989 5388 w 10 B f ( directories)1 479(3.4.7. Blind)1 510 2 720 5628 t 10 R f ( file mode)2 429(A new)1 274 2 720 5784 t 10 CW f (S_IBLIND)1460 5784 w 10 R f ( process can read a blind directory.)6 1465( No)1 184(designates a directory as ``blind.'')4 1414 3 1977 5784 t ( processes can change blind)4 1152( trusted)1 309( Only)1 262(Only the owner of a file can remove it from a blind directory.)12 2597 4 720 5904 t (mode.)720 6024 w 10 S1 f ()720 6180 w 720 6180 m 100 build_rh 820 6180 m 10 R f (Blind mode is special pleading to preserve the semantics of)9 2399 1 970 6180 t 10 CW f (/tmp)3397 6180 w 10 R f (\261 a compromise for compatibility.)4 1375 1 3665 6180 t ( creates a file from some prearranged alphabet of names and)10 2433(It affords an 80bps covert channel: High)6 1637 2 970 6300 t ( rates are explained at \2473.5.\))5 1127( \(Bit)1 206(Low tests whether the names are there.)6 1554 3 970 6420 t 10 S1 f ()720 6576 w 720 6576 m 100 build_rh 820 6576 m 10 R f ( of known name in)4 769(Trusted processes that place temporaries)4 1634 2 970 6576 t 10 CW f (/tmp)3403 6576 w 10 R f (\(or anywhere else\) must take care)5 1367 1 3673 6576 t ( untrusted user of a trusted process)6 1434( example, an)2 525( For)1 198(to prevent improper access by other processes.)6 1913 4 970 6696 t (that wrote and later reopened a file might replace the file in the interim.)13 2855 1 970 6816 t cleartomark showpage saveobj restore %%EndPage: 18 18 %%Page: 19 19 /saveobj save def mark 19 pagesetup 10 R f (- 19 -)2 216 
1 2772 480 t 10 B f ( files)1 197(3.4.8. Log)1 442 2 720 840 t 10 R f ( records are written to special files,)6 1573(Security audit)1 586 2 970 996 t 10 CW f (/dev/log*)3183 996 w 10 R f ( so written are actually)4 1025(. Data)1 292 2 3723 996 t ( nominated by the privileged)4 1165(appended to an associated ``repository'' file)5 1784 2 720 1116 t 10 I f (syslog)3698 1116 w 10 R f ( log)1 157( A)1 126(system call, \2473.6.8.)2 780 3 3977 1116 t ( informa-)1 381( Identifying)1 500(file can be written by any process regardless of label and can be read by no process.)16 3439 3 720 1236 t ( forged and histories can be recon-)6 1421(tion is automatically attached to each record written, so data cannot be)11 2899 2 720 1356 t ( repository file are silently discarded as on)7 1743( writes on a)3 481(structed. Direct)1 646 3 720 1476 t 10 CW f (/dev/null)3622 1476 w 10 R f ( files are)2 357(. Repository)1 521 2 4162 1476 t (protected by normal access control.)4 1416 1 720 1596 t (A distinguished log file,)3 988 1 970 1752 t 10 CW f (/dev/log00)1990 1752 w 10 R f ( in addition to data volun-)5 1076(receives mandatory audit records)3 1342 2 2622 1752 t ( mask, which)2 530( intensity of mandatory auditing is controlled in each process by an audit)12 2920( The)1 206(teered by writes.)2 664 4 720 1872 t (is inherited across)2 721 1 720 1992 t 10 I f (fork)1466 1992 w 10 R f (and)1652 1992 w 10 I f (exec)1821 1992 w 10 R f (; see \2473.6.8.)2 480 1 1997 1992 t (Every file)1 397 1 970 2148 t 10 I f (f)1393 2148 w 10 R f (has a poison class)3 716 1 1447 2148 t 10 I f (PC)2190 2148 w 10 R f (\()2326 2148 w 10 I f (f)2383 2148 w 10 R f ( poison class is normally invisible; it can be set or interro-)11 2340(\). The)1 265 2 2435 2148 t (gated only with capability Cap)4 1243 1 720 2268 t 7 R f (log)1974 2288 w 10 R f ( each system call that mentions file)6 1428(. 
At)1 179 2 2072 2268 t 10 I f (f)3708 2268 w 10 R f (in a pathname, the poison mask)5 1275 1 3765 2268 t 10 I f (PM)720 2388 w 10 R f ([)872 2388 w 10 I f (PC)913 2388 w 10 R f (\()1049 2388 w 10 I f (f)1106 2388 w 10 R f ( is OR-ed into the process audit mask)7 1496(\) ])1 74 2 1158 2388 t 10 I f (AM)2753 2388 w 10 R f (\()2905 2388 w 10 I f (p)2946 2388 w 10 R f (\).)3004 2388 w 10 S1 f ()720 2544 w 720 2544 m 100 build_rh 820 2544 m 10 R f ( file)1 159( covert channels via writing on a log)7 1456( Unlimited)1 456(Data written on log files escape the formal policy.)8 1999 4 970 2544 t ( nominate)1 397( prudent administrative countermeasure is to)5 1783( A)1 123(and reading from its repository are possible.)6 1767 4 970 2664 t (as repositories only files labeled)4 1287 1 970 2784 t 10 UnivMath6 f (\301)2282 2784 w 10 R f (or)2390 2784 w 10 B f (n)2498 2784 w 10 R f (; external media make particularly safe repositories.)6 2070 1 2554 2784 t 10 S1 f ()720 2940 w 720 2940 m 100 build_rh 820 2940 m 10 R f ( Thus)1 252( stipulate extra logging when particular files are touched.)8 2292(Poison classes allow administrators to)4 1526 3 970 2940 t ( low-value audit data from)4 1091(sensitive activities can be watched carefully without incurring a flood of)10 2979 2 970 3060 t (routine activities.)1 694 1 970 3180 t 10 B f ( behavior of old system calls)5 1197(3.5. 
Security)1 555 2 720 3420 t 10 S1 f ()720 3576 w 720 3576 m 100 build_rh 820 3576 m 10 R f ( to the research Tenth)4 868(Bit-per-second \(bps\) estimates of covert channel bandwidth given below pertain)9 3202 2 970 3576 t ( bandwidth could be held to the same level on)9 1924( The)1 215( a DEC VAX-11/750.)3 901(Edition \(v10\) running on)3 1030 4 970 3696 t (faster machines by inserting a delay of about 100ms when)9 2321 1 970 3816 t 10 I f (exec)3316 3816 w 10 R f (is invoked with no arguments.)4 1208 1 3517 3816 t 10 S1 f ()720 3972 w 720 3972 m 100 build_rh 820 3972 m 10 R f ( open)1 222(Many reasonable estimates can be made with only a few basic constants and measurements: the)14 3848 2 970 3972 t ( process can do per second \(about 10\), the number of)10 2204(file limit \(128 in v10\), the number of forks a)9 1866 2 970 4092 t ( can create or open per second \(about 80\), and the number of message round trips per)16 3495(files a process)2 575 2 970 4212 t ( covert channels presuppose a population of)6 1782( Some)1 283( pipes \(about 80\).)3 714(second possible across a pair of)5 1291 4 970 4332 t ( take 1000 as a population estimate, on the premise that a)11 2341( We)1 193( identifiable from content.)3 1058(files readily)1 478 4 970 4452 t (much larger population would call attention to itself.)7 2104 1 970 4572 t 10 S1 f ()720 4728 w 720 4728 m 100 build_rh 820 4728 m 10 R f ( exam-)1 275( For)1 190( some care must be taken to achieve fast process-switching rates.)10 2601(In making measurements)2 1004 4 970 4728 t (ple, in v10 it often helps to insert)7 1357 1 970 4848 t 10 I f (nap)2357 4848 w 10 R f ( real time, not user)4 762( general it is)3 506( In)1 138(calls instead of busy-waits.)3 1097 4 2537 4848 t ( because of overlaps, time measurements)5 1670( Also,)1 271( time, that counts.)3 735(and system)1 453 4 970 4968 t 10 I f (x)4131 4968 w 10 R f (and)4207 4968 w 10 I f (y)4383 4968 w 10 R f (often combine)1 581 1 4459 4968 t ( \()1 41(as sup)1 247 2 970 
5088 t 10 I f (x)1266 5088 w 10 R f (,)1318 5088 w 10 I f (y)1375 5088 w 10 R f (\) rather than as)3 595 1 1427 5088 t 10 I f (x)2047 5088 w 10 S f (+)2140 5088 w 10 I f (y)2244 5088 w 10 R f (.)2288 5088 w 10 S1 f ()720 5244 w 720 5244 m 100 build_rh 820 5244 m 10 R f ( often need synchronization: Low tells High, ``I got it,'' and then High sends another)14 3423(Covert channels)1 647 2 970 5244 t ( rules allow Low to pipe to High, which make this easy.)11 2234(message. The)1 568 2 970 5364 t 10 B f (3.5.1. acct\(f\))1 545 1 720 5604 t 10 R f (The writing of shell accounting records is immune to label checks.)10 2660 1 720 5760 t 10 S1 f ()720 5916 w 720 5916 m 100 build_rh 820 5916 m 10 R f ( must assure that the file is appropriately)7 1665( It)1 117( can nominate the accounting file.)5 1383(Only a trusted process)3 905 4 970 5916 t (protected, perhaps by label)3 1087 1 970 6036 t 10 UnivMath6 f (\301)2086 6036 w 10 R f (, by label)2 375 1 2169 6036 t 10 B f (n)2572 6036 w 10 R f ( we have)2 360( Otherwise)1 463(, or by write-only transmission off line.)6 1589 3 2628 6036 t ( from the)2 386(a 1000bps channel: High renames an executable file and executes it; Low reads the name)14 3684 2 970 6156 t (accounting file.)1 621 1 970 6276 t 10 B f ( m\), fchmod\(d, m\))3 768(3.5.2. 
chmod\(f,)1 655 2 720 6516 t 10 R f (There are two new)3 765 1 720 6672 t 10 I f (modes,)1517 6672 w 10 R f (append-only,)1829 6672 w 10 CW f (S_IAPPEND)2385 6672 w 10 R f (, and blind)2 441 1 2925 6672 t 10 CW f (S_IBLIND)3399 6672 w 10 R f (, the latter being useful only)5 1161 1 3879 6672 t (with directories.)1 649 1 720 6792 t (If)720 6948 w 10 I f (f)811 6948 w 10 R f (\(or)864 6948 w 10 I f (f)1005 6948 w 10 R f (\()1049 6948 w 10 I f (d)1090 6948 w 10 R f (\)\) is a directory and if blind mode is changed and)10 1963 1 1148 6948 t 10 S f (\330)3136 6948 w 10 R f (Cap)3215 6948 w 7 R f (extern)3387 6968 w 10 R f (\()3578 6948 w 10 I f (p)3619 6948 w 10 R f (\) then error)2 448 1 3677 6948 t 10 CW f (EPRIV)4150 6948 w 10 R f (.)4450 6948 w 10 S1 f ()720 7104 w 720 7104 m 100 build_rh 820 7104 m 10 R f ( blind directory.)2 643(If unprivileged processes could change blind mode, High could create files in a virgin)13 3427 2 970 7104 t (Later, Low could turn blind mode off and read the names.)10 2312 1 970 7224 t cleartomark showpage saveobj restore %%EndPage: 19 19 %%Page: 20 20 /saveobj save def mark 20 pagesetup 10 R f (- 20 -)2 216 1 2772 480 t 10 B f ( u, g\), fchown\(d, u, g\))5 903(3.5.3. 
chown\(f,)1 644 2 720 840 t 10 R f (If)720 996 w 10 I f (f)819 996 w 10 R f ( 02000\) and either the new userid or the new groupid)10 2208(has setuid or setgid permission \(mode 04000 or)7 1952 2 880 996 t (differs from the old then error)5 1194 1 720 1116 t 10 CW f (ECONC)1939 1116 w 10 R f (.)2239 1116 w (If userid of)2 443 1 720 1272 t 10 I f (p)1188 1272 w 10 R f (is not superuser)2 627 1 1263 1272 t (If userid of)2 443 1 970 1428 t 10 I f (p)1438 1428 w 10 R f (does not own)2 533 1 1513 1428 t 10 I f (f)2071 1428 w 10 R f (then)2124 1428 w 10 B f (error)2321 1428 w 10 CW f (ECONC)2572 1428 w 10 R f (.)2872 1428 w (If the new userid is not the same as the old then)11 1900 1 970 1584 t 10 B f (error)2895 1584 w 10 CW f (ECONC)3146 1584 w 10 R f (.)3446 1584 w ( as the old nor the same as the effective groupid of the process)13 2538(If the new groupid is neither the same)7 1532 2 970 1740 t (then)970 1860 w 10 B f (error)1167 1860 w 10 CW f (ECONC)1418 1860 w 10 R f (.)1718 1860 w 10 S1 f ()720 2016 w 720 2016 m 100 build_rh 820 2016 m 10 R f ( by using)2 373( However,)1 443(These rules have little bearing on the security policy.)8 2140 3 970 2016 t 10 I f (chmod)3954 2016 w 10 R f (or)4248 2016 w 10 I f (chown,)4359 2016 w 10 R f (the supe-)1 367 1 4673 2016 t ( visible)1 297( gambit should be highly)4 1019( This)1 234(ruser can circumvent discretionary denial of write permission.)7 2520 4 970 2136 t (in an audit trail.)3 633 1 970 2256 t 10 B f (3.5.4. 
close\(d\))1 602 1 720 2496 t 10 R f (If)720 2652 w 10 I f (d)811 2652 w 10 R f (refers to a stream perform)4 1035 1 886 2652 t 10 CW f (ioctl\(d, FIONPX, 0\))2 1140 1 1946 2652 t 10 R f (, but do not wait; see \2473.7.2.2.)6 1208 1 3086 2652 t (If the file has been read and)6 1107 1 720 2808 t 10 I f (L)1852 2808 w 10 R f (\()1916 2808 w 10 I f (p)1957 2808 w 10 R f (\))2015 2808 w 10 S f (\243)2097 2808 w 10 I f (L)2193 2808 w 10 R f (\()2257 2808 w 10 I f (f)2314 2808 w 10 R f (\), update the file access time.)5 1161 1 2366 2808 t 10 S1 f ()720 2964 w 720 2964 m 100 build_rh 820 2964 m 10 R f ( times are)2 408(To avoid the elaboration of a safe-to-write-access-time bit in every file descriptor, access)12 3662 2 970 2964 t ( High reads a file; Low)5 988( access-time check reduces a covert channel:)6 1866( The)1 219(not continually updated.)2 997 4 970 3084 t ( rate at which files can be opened, to about 50bps;)10 2039( bandwidth is limited, by the)5 1160( The)1 208(spots the access.)2 663 4 970 3204 t (the check is a cheap frill.)5 997 1 970 3324 t 10 S1 f ()720 3480 w 720 3480 m 100 build_rh 820 3480 m 10 R f (A narrow \()2 461 1 970 3480 t 10 S f (<)1431 3480 w 10 R f (100bps\) covert channel using)3 1209 1 1486 3480 t 10 I f (close)2732 3480 w 10 R f ( closes pipes, which Low detects)5 1374(: High selectively)2 729 2 2937 3480 t (with)970 3600 w 10 CW f (EPIPE)1173 3600 w 10 R f (.)1473 3600 w 10 B f ( m\))1 141(3.5.5. 
creat\(f,)1 581 2 720 3840 t 10 R f (If)720 3996 w 10 I f (f)811 3996 w 10 R f (exists, perform only the RD part of the WRD \(write directory\) check.)11 2769 1 864 3996 t (If)720 4152 w 10 I f (f)811 4152 w 10 R f (is a log file \(\2473.4.8\) then error)6 1203 1 864 4152 t 10 CW f (ECONC)2092 4152 w 10 R f (.)2392 4152 w (Otherwise, if)1 521 1 720 4308 t 10 I f (f)1266 4308 w 10 R f (is new)1 258 1 1319 4308 t (Set)970 4464 w 10 I f (L)1123 4464 w 10 R f (\()1187 4464 w 10 I f (f)1244 4464 w 10 R f (\) :)1 110 1 1296 4464 t 10 S f (=)1422 4464 w (^)1526 4464 w 10 R f (.)1592 4464 w ( \()1 41(Set Priv)1 320 2 970 4620 t 10 I f (f)1355 4620 w 10 R f (\) :)1 110 1 1407 4620 t 10 S f (=)1533 4620 w 10 R f (0.)1637 4620 w (Set)970 4776 w 10 I f (F)1123 4776 w 10 R f (\()1192 4776 w 10 I f (f)1249 4776 w 10 R f (\) :)1 110 1 1301 4776 t 10 S f (=)1427 4776 w 10 B f (loose)1531 4776 w 10 R f (.)1742 4776 w (Perform the)1 474 1 970 4932 t 10 I f (W)1469 4932 w 10 R f (\()1560 4932 w 10 I f (f)1617 4932 w 10 R f (\) check.)1 315 1 1669 4932 t (Otherwise)720 5088 w (If the mode of)3 568 1 970 5244 t 10 I f (f)1563 5244 w 10 R f (includes)1616 5244 w 10 CW f (S_IAPPEND)1974 5244 w 10 R f (, do not truncate)3 649 1 2514 5244 t 10 I f (f)3188 5244 w 10 R f (.)3216 5244 w (If the size of)3 501 1 970 5400 t 10 I f (f)1496 5400 w 10 R f (is nonzero, check)2 695 1 1549 5400 t 10 I f (W)2269 5400 w 10 R f (\()2360 5400 w 10 I f (f)2417 5400 w 10 R f (\).)2469 5400 w (Set)720 5556 w 10 I f (L)873 5556 w 10 R f (\()937 5556 w 10 I f (s)978 5556 w 10 R f (\) :)1 110 1 1025 5556 t 10 S f (=)1151 5556 w (^)1255 5556 w 10 R f (.)1321 5556 w (Clear the safe-to-read and safe-to-write bits for the new file descriptor.)10 2822 1 720 5712 t 10 S1 f ()720 5868 w 720 5868 m 100 build_rh 820 5868 m 10 R f (Notionally file labels and seek pointers begin at)7 1934 1 970 5868 t 10 S f (^)2933 5868 w 10 R f (. 
However,)1 469 1 2999 5868 t 10 I f (creat)3497 5868 w 10 R f (writes mode bits into a new file,)6 1309 1 3731 5868 t (so the label rises immediately to)5 1291 1 970 5988 t 10 I f (L)2286 5988 w 10 R f (\()2350 5988 w 10 I f (p)2391 5988 w 10 R f (\).)2449 5988 w 10 S1 f ()720 6144 w 720 6144 m 100 build_rh 820 6144 m 10 R f (The)970 6144 w 10 I f (W)1163 6144 w 10 R f (\()1254 6144 w 10 I f (f)1311 6144 w 10 R f ( unrelated processes:)2 859(\) check on non-empty files closes an 80bps covert channel between)10 2818 2 1363 6144 t ( honest use, the label would)5 1125( In)1 137(Low writes in a file; High optionally truncates it; Low detects which.)11 2808 3 970 6264 t (probably rise anyway since)3 1089 1 970 6384 t 10 I f (creat)2084 6384 w 10 R f (is almost always followed by)4 1166 1 2314 6384 t 10 I f (write.)3505 6384 w 10 B f (3.5.6. dup\()1 476 1 720 6624 t 10 I f (d)1196 6624 w 10 B f (\), dup2\()1 334 1 1246 6624 t 10 I f (d)1580 6624 w 10 B f (,)1630 6624 w 10 I f (d)1655 6624 w 10 B f (\))1705 6624 w 10 S1 f ()720 6780 w 720 6780 m 100 build_rh 820 6780 m 10 R f (Covert channel: High opens some files, uses)6 1821 1 970 6780 t 10 I f (dup)2824 6780 w 10 R f ( more file descriptors, forks,)4 1167(2 to selectively create)3 891 2 2982 6780 t (and)970 6900 w 10 I f (exec)1152 6900 w 10 R f ( use by attempting to read from)6 1326( infers which file descriptors are in)6 1469( Low)1 246(s a low process.)3 671 4 1328 6900 t ( of each possible file descrip-)5 1187(them, thus learning one bit of information from the presence or absence)11 2883 2 970 7020 t ( High picks among files that have read permission, no read permission, or a high label, the four)17 3817(tor. 
If)1 253 2 970 7140 t ( bandwidth can be achieved)4 1128( similar)1 307( A)1 126(possible outcomes for each file descriptor yield about 250bps.)8 2509 4 970 7260 t cleartomark showpage saveobj restore %%EndPage: 20 20 %%Page: 21 21 /saveobj save def mark 21 pagesetup 10 R f (- 21 -)2 216 1 2772 480 t ( among a vocabulary of files which Low distinguishes by reading inode number or)13 3402(by High picking)2 668 2 970 840 t (permission bits with)2 812 1 970 960 t 10 I f (fstat)1807 960 w 10 R f (.)1980 960 w 10 B f ( arg, env\), umask\(m\))3 885(3.5.7. exec\(f,)1 548 2 720 1200 t 10 R f (This description pertains to all flavors of)6 1626 1 720 1356 t 10 I f (exec)2371 1356 w 10 R f (.)2547 1356 w (Let)720 1512 w 10 I f (p)878 1512 w 10 R f (be the executor process and let)5 1227 1 953 1512 t 10 I f (q)2205 1512 w 10 R f (be the new process.)3 781 1 2280 1512 t (If)720 1668 w 10 I f (arg)811 1668 w 10 R f (and)975 1668 w 10 I f (env)1144 1668 w 10 R f (are empty and no file descriptors have numbers greater than 3)10 2466 1 1307 1668 t (Set)970 1824 w 10 I f (L)1123 1824 w 10 R f (\()1187 1824 w 10 I f (q)1228 1824 w 10 R f (\) :)1 110 1 1286 1824 t 10 S f (=)1412 1824 w (^)1516 1824 w 10 R f (.)1582 1824 w (If)970 1980 w 10 I f (L)1061 1980 w 10 R f (\()1125 1980 w 10 I f (p)1166 1980 w 10 R f (\))1224 1980 w 10 S f (\271)1306 1980 w (^)1402 1980 w 10 R f (set)1493 1980 w 10 I f (umask)1629 1980 w 10 R f (:)1925 1980 w 10 S f (=)1969 1980 w 10 R f (022.)2073 1980 w (Otherwise set)1 546 1 720 2136 t 10 I f (L)1291 2136 w 10 R f (\()1355 2136 w 10 I f (q)1396 2136 w 10 R f (\) :)1 110 1 1454 2136 t 10 S f (=)1580 2136 w 10 I f (L)1684 2136 w 10 R f (\()1748 2136 w 10 I f (p)1789 2136 w 10 R f (\).)1847 2136 w (Perform the R\()2 599 1 720 2292 t 10 I f (f)1319 2292 w 10 R f (\) check \(\2473.1.5\) in)3 734 1 1347 2292 t 10 I f (q)2106 2292 w 10 R f (, disregarding Cap)2 735 1 2156 2292 t 7 R f (nochk)2902 2312 w 10 R f (\()3089 2292 w 10 I f (q)3130 2292 w 10 R f (\) 
and)1 202 1 3188 2292 t 10 I f (F)3415 2292 w 10 R f (\()3484 2292 w 10 I f (q)3525 2292 w 10 R f (\).)3583 2292 w (Clear all safe-to-read and safe-to-write bits in)6 1817 1 720 2448 t 10 I f (q)2562 2448 w 10 R f (.)2612 2448 w (Set all exempt bits in)4 845 1 720 2604 t 10 I f (q)1590 2604 w 10 R f (.)1640 2604 w (Set)720 2760 w 10 I f (F)873 2760 w 10 R f (\()942 2760 w 10 I f (q)983 2760 w 10 R f (\) :)1 110 1 1041 2760 t 10 S f (=)1167 2760 w 10 B f (false)1271 2760 w 10 R f (.)1465 2760 w (Set process licenses.)2 818 1 720 2916 t (If)970 3072 w 10 I f (T)1061 3072 w 10 R f (\()1125 3072 w 10 I f (f)1182 3072 w 10 R f ( \()1 41(\) set Lic)2 327 2 1234 3072 t 10 I f (q)1610 3072 w 10 R f (\) :)1 110 1 1668 3072 t 10 S f (=)1794 3072 w 10 R f (Lic \()1 174 1 1898 3072 t 10 I f (p)2080 3072 w 10 R f (\).)2138 3072 w ( \()1 41(Otherwise, set Lic)2 729 2 970 3228 t 10 I f (q)1748 3228 w 10 R f (\) :)1 110 1 1806 3228 t 10 S f (=)1932 3228 w 10 R f (0.)2036 3228 w ( \()1 41(Set Cap)1 314 2 970 3384 t 10 I f (q)1333 3384 w 10 R f (\) per \2473.3.)2 410 1 1391 3384 t (Set)720 3540 w 10 I f (C)873 3540 w 10 R f (\()948 3540 w 10 I f (q)989 3540 w 10 R f (\) :)1 110 1 1047 3540 t 10 S f (=)1173 3540 w 10 I f (C)1277 3540 w 10 R f (\()1352 3540 w 10 I f (p)1393 3540 w 10 R f (\).)1451 3540 w (Set)720 3696 w 10 I f (AM)873 3696 w 10 R f (\()1025 3696 w 10 I f (q)1066 3696 w 10 R f (\) :)1 110 1 1124 3696 t 10 S f (=)1250 3696 w 10 I f (AM)1354 3696 w 10 R f (\()1506 3696 w 10 I f (p)1547 3696 w 10 R f (\))1605 3696 w 10 S f (\332)1687 3696 w 10 I f (SAM)1788 3696 w 10 R f (.)1982 3696 w (Set)720 3852 w 10 I f (L)873 3852 w 10 R f (\()937 3852 w 10 I f (C)978 3852 w 10 R f (\()1053 3852 w 10 I f (q)1094 3852 w 10 R f ( :)1 77(\) \))1 74 2 1152 3852 t 10 S f (=)1319 3852 w 10 I f (L)1423 3852 w 10 R f (\()1487 3852 w 10 I f (C)1528 3852 w 10 R f (\()1603 3852 w 10 I f (p)1644 3852 w 10 R f (\) \).)1 99 1 1702 3852 t (Check R\()1 380 1 720 4008 t 10 I f (f)1100 4008 w 10 R f 
(\) in process)2 460 1 1128 4008 t 10 I f (q)1613 4008 w 10 R f (.)1663 4008 w 10 S1 f ()720 4164 w 720 4164 m 100 build_rh 820 4164 m 10 R f (The pex state \(\2473.7.1.1\) of open files persists across)8 2071 1 970 4164 t 10 I f (exec.)3066 4164 w 10 S1 f ()720 4320 w 720 4320 m 100 build_rh 820 4320 m 10 R f (It is understood that no data will pass across)8 1765 1 970 4320 t 10 I f (exec)2760 4320 w 10 R f ( undocumented channel appears in)4 1384( This)1 229(in registers.)1 466 3 2961 4320 t (some versions of)2 677 1 970 4440 t 9 R f (UNIX)1670 4440 w 10 R f (, including v10.)2 628 1 1895 4440 t 10 S1 f ()720 4596 w 720 4596 m 100 build_rh 820 4596 m 10 R f ( to a pro-)3 375(Various covert channels arise from the ``drop-on-exec'' feature, which gives a bottom label)12 3695 2 970 4596 t ( channels involve inferring the values of freely)7 1907( These)1 295(cess when there is no memory via arguments.)7 1868 3 970 4716 t ( by inode number or content\), current directory \(by)8 2061(settable uarea information: open files \(identifiable)5 2009 2 970 4836 t ( keep the bandwidth down, drop-on-exec pertains)6 2018( To)1 168( program text file \(by content\).)5 1266(inode number\),)1 618 4 970 4956 t ( descriptors \(standard input, standard output,)5 1819(only to processes that have at most the four default file)10 2251 2 970 5076 t (standard error, and control stream\) open.)5 1626 1 970 5196 t 10 S1 f ()970 5352 w 970 5352 m 100 build_rh 1070 5352 m 10 R f (\(1\) Parent High opens three low files before)7 1796 1 1220 5352 t 10 I f (fork)3047 5352 w 10 R f (and)3240 5352 w 10 I f (exec)3416 5352 w 10 R f (; child Low identifies them by)5 1243 1 3592 5352 t 10 I f (fstat)4867 5352 w 10 R f ( is the widest known covert chan-)6 1378( This)1 234( file \(230bps\).)2 575(and writes the results in the fourth open)7 1633 4 1220 5472 t (nel.)1220 5592 w (\(2\) High executes a sequence of low files, which record the sequence \(100bps\).)12 3163 1 1220 5712 t (\(3\) Parent High sets 
current directory; child Low records it \(80bps\).)10 2703 1 1220 5832 t 10 S1 f ()720 5988 w 720 5988 m 100 build_rh 820 5988 m 10 R f ( directly writable and readable by)5 1363(The permission mask, being)3 1139 2 970 5988 t 10 I f (umask,)3502 5988 w 10 R f (could provide a direct channel)4 1228 1 3812 5988 t ( channel is closed by censoring the mask to a fixed value.)11 2296( That)1 233(on drop-on-exec.)1 681 3 970 6108 t 10 S1 f ()720 6264 w 720 6264 m 100 build_rh 820 6264 m 10 R f ( could do)2 398( untrusted code could inherit licenses, it)6 1662( If)1 128(Licenses are inheritable only by trusted code.)6 1882 4 970 6264 t ( Then)1 256( code along with bogus arguments.)5 1398(nothing bad directly, but it could pass the licenses to trusted)10 2416 3 970 6384 t (all trusted code would have to contain defenses against the possibility.)10 2811 1 970 6504 t 10 B f ( d, f, m\), fmount5\(n, d, f, m, Cp\))8 1363(3.5.8. fmount\(n,)1 700 2 720 6744 t 10 R f (Let)720 6900 w 10 I f (FS)878 6900 w 10 R f (be)1014 6900 w 10 I f (FS)1133 6900 w 10 R f (\()1252 6900 w 10 I f (f)1309 6900 w 10 R f (\()1353 6900 w 10 I f (d)1394 6900 w 10 R f (\) \).)1 99 1 1452 6900 t (If the system call is)4 777 1 720 7056 t 10 I f (fmount,)1522 7056 w 10 R f (set)1850 7056 w 10 I f (C)1986 7056 w 10 R f (\()2061 7056 w 10 I f (FS)2102 7056 w 10 R f ( \()1 41(\) and Priv)2 394 2 2221 7056 t 10 I f (FS)2664 7056 w 10 R f ( default ceiling)2 601( The)1 206( their default values.)3 818(\) to)1 136 4 2783 7056 t 10 I f (C)4570 7056 w 10 R f (\()4645 7056 w 10 I f (FS)4686 7056 w 10 R f (\) is)1 126 1 4805 7056 t 10 UnivMath6 f (\301)4957 7056 w 10 R f (on all file system types except network file systems, where it is)11 2569 1 720 7176 t 10 S f (^)3318 7176 w 10 R f ( \()1 41( default privilege mask Priv)4 1126(. 
The)1 234 3 3384 7176 t 10 I f (FS)4793 7176 w 10 R f (\) is)1 128 1 4912 7176 t (all zeros.)1 360 1 720 7296 t cleartomark showpage saveobj restore %%EndPage: 21 21 %%Page: 22 22 /saveobj save def mark 22 pagesetup 10 R f (- 22 -)2 216 1 2772 480 t (If the sysem call is)4 749 1 720 840 t 10 I f (fmount5,)1494 840 w 10 R f (set)1872 840 w 10 I f (C)2008 840 w 10 R f (\()2083 840 w 10 I f (FS)2124 840 w 10 R f ( \()1 41(\) and Priv)2 394 2 2243 840 t 10 I f (FS)2686 840 w 10 R f (\) from the values pointed to by)6 1232 1 2805 840 t 10 I f (Cp)4062 840 w 10 R f (.)4179 840 w 10 B f ( setpgrp\(q, n\))2 575(3.5.9. getpgrp\(q\),)1 755 2 720 1080 t 10 R f (If)720 1236 w 10 I f (q)811 1236 w 10 S f (=)910 1236 w 10 R f (0 set)1 186 1 1014 1236 t 10 I f (q)1225 1236 w 10 R f (:)1316 1236 w 10 S f (=)1360 1236 w 10 I f (p)1464 1236 w 10 R f (.)1514 1236 w (Otherwise, if)1 521 1 720 1392 t 10 I f (q)1266 1392 w 10 S f (\271)1357 1392 w 10 I f (p)1453 1392 w 10 R f (then)1528 1392 w 10 B f (error)1725 1392 w 10 R f (.)1951 1392 w (If the operation is)3 707 1 720 1548 t 10 I f (setpgrp)1452 1548 w 10 R f (and)1777 1548 w 10 I f (n)1946 1548 w 10 S f (\271)2037 1548 w 10 I f (p)2133 1548 w 10 R f (and)2208 1548 w 10 S f (\330)2377 1548 w 10 R f (Cap)2456 1548 w 7 R f (uarea)2628 1568 w 10 R f (then)2812 1548 w 10 B f (error)3009 1548 w 10 R f (.)3235 1548 w 10 S1 f ()720 1704 w 720 1704 m 100 build_rh 820 1704 m 10 R f (The call)1 328 1 970 1704 t 10 CW f (setpgrp\(p, p\))1 784 1 1327 1704 t 10 R f (\(or)2140 1704 w 10 CW f (setpgrp\(0, p\))1 784 1 2285 1704 t 10 R f ( similar to the)3 568(\) is)1 129 2 3069 1704 t 10 CW f (TIOCSETPGRP)3796 1704 w 10 I f (ioctl)4486 1704 w 10 R f (call; and)1 346 1 4694 1704 t ( requirement for privilege to set)5 1297( The)1 211(is quite common in practice.)4 1159 3 970 1824 t 10 I f (n)3668 1824 w 10 R f (arbitrarily avoids untrusted data)3 1291 1 3749 1824 t (flow through the process group.)4 1273 1 970 1944 t 10 S1 f ()720 2100 w 720 2100 m 
100 build_rh 820 2100 m 10 R f ( As)1 172( another process would necessitate special label checks.)7 2299(The ability to set the process group on)7 1599 3 970 2100 t ( control'' shells,)2 664( \(``Job)1 294( worth the trouble.)3 756(that ability is not used in v10 software it was deemed not)11 2356 4 970 2220 t ( have never caught on in v10 \261 partly because windows largely subsume job)13 3185(which use the ability,)3 885 2 970 2340 t (control.\))970 2460 w 10 B f ( o, n\))2 214(3.5.10. lseek\(d,)1 650 2 720 2700 t 10 R f (This call is equivalent to, and checked like,)7 1728 1 720 2856 t 10 I f (seek\(d, o, n\))2 487 1 2473 2856 t 10 R f (followed by)1 480 1 2985 2856 t 10 I f (tell\(d\))3490 2856 w 10 R f (; see \2473.5.14 and \2473.5.18.)4 1024 1 3734 2856 t 10 S1 f ()720 3012 w 720 3012 m 100 build_rh 820 3012 m 10 R f ( to stop a wide channel: High sets a shared seek pointer; Low reads it)14 2790(Seek pointers must be protected)4 1280 2 970 3012 t ( a seek pointer had the)5 955( If)1 128( proportionately more with many shared pointers\).)6 2083(\(3000bps for one file,)3 904 4 970 3132 t ( it would be impossible to read strictly up because the requirements)11 3112(same label as its file)4 958 2 970 3252 t 10 I f (L)970 3372 w 10 R f (\()1034 3372 w 10 I f (f)1091 3372 w 10 R f (\))1143 3372 w 10 S f (\243)1225 3372 w 10 I f (L)1321 3372 w 10 R f (\()1385 3372 w 10 I f (p)1426 3372 w 10 R f (\))1484 3372 w 10 S f (=)1574 3372 w 10 I f (L)1678 3372 w 10 R f (\()1742 3372 w 10 I f (s)1783 3372 w 10 R f (\) \()1 106 1 1830 3372 t 10 I f (read)1936 3372 w 10 R f (changes the seek pointer\) would degenerate to)6 1935 1 2159 3372 t 10 I f (L)4134 3372 w 10 R f (\()4198 3372 w 10 I f (f)4255 3372 w 10 R f (\))4307 3372 w 10 S f (=)4397 3372 w 10 I f (L)4501 3372 w 10 R f (\()4565 3372 w 10 I f (p)4606 3372 w 10 R f (\). Hence)1 376 1 4664 3372 t (seek pointers have separate labels.)4 1371 1 970 3492 t 10 B f ( m\), mknod\(f, m, a\))4 824(3.5.11. 
mkdir\(f,)1 683 2 720 3732 t 10 R f (Set)720 3888 w 10 I f (L)873 3888 w 10 R f (\()937 3888 w 10 I f (f)994 3888 w 10 R f (\) :)1 110 1 1046 3888 t 10 S f (=)1172 3888 w (^)1276 3888 w 10 R f (, except where specified differently for special files, \2473.4.)8 2299 1 1342 3888 t ( \()1 41(Set Priv)1 320 2 720 4044 t 10 I f (f)1105 4044 w 10 R f (\) :)1 110 1 1157 4044 t 10 S f (=)1283 4044 w 10 R f (0.)1387 4044 w (Set)720 4200 w 10 I f (F)873 4200 w 10 R f (\()942 4200 w 10 I f (f)999 4200 w 10 R f (\))1051 4200 w 10 S f (=)1141 4200 w 10 B f (loose)1245 4200 w 10 R f (.)1456 4200 w (Perform the)1 474 1 720 4356 t 10 I f (W)1219 4356 w 10 R f (\()1310 4356 w 10 I f (f)1367 4356 w 10 R f (\) check.)1 315 1 1419 4356 t (If the operation is)3 725 1 720 4512 t 10 I f (mknod,)1476 4512 w 10 R f (set the groupid of)3 720 1 1798 4512 t 10 I f (f)2549 4512 w 10 R f (to be the same as the groupid of the containing directory; if)11 2432 1 2608 4512 t (this differs from the groupid of)5 1240 1 720 4632 t 10 I f (p)1985 4632 w 10 R f (delete setgid from the mode of)5 1223 1 2060 4632 t 10 I f (f)3308 4632 w 10 R f (.)3336 4632 w 10 S1 f ()720 4788 w 720 4788 m 100 build_rh 820 4788 m 10 R f ( labels begin at)3 626(Notionally file)1 593 2 970 4788 t 10 S f (^)2222 4788 w 10 R f ( mode bits are written into a new file, so the label rises)12 2279(. However,)1 473 2 2288 4788 t (immediately to)1 603 1 970 4908 t 10 I f (L)1598 4908 w 10 R f (\()1662 4908 w 10 I f (p)1703 4908 w 10 R f (\).)1761 4908 w 10 S1 f ()720 5064 w 720 5064 m 100 build_rh 820 5064 m 10 R f (A blind directory \(\2473.4.7\) cannot be created directly, because)8 2478 1 970 5064 t 10 I f (mkdir)3478 5064 w 10 R f (heeds only the 9 file permission)5 1299 1 3741 5064 t (bits in)1 248 1 970 5184 t 10 I f (m)1243 5184 w 10 R f (.)1315 5184 w 10 B f (3.5.12. 
nice\(n\))1 619 1 720 5424 t 10 S1 f ()720 5580 w 720 5580 m 100 build_rh 820 5580 m 10 R f (In some systems \(not v10\))4 1071 1 970 5580 t 10 I f (nice)2070 5580 w 10 R f ( the)1 152(returns a value and could be used as a covert channel, at least by)13 2623 2 2265 5580 t (superuser.)970 5700 w 10 B f ( b, n\); dirread\(d, b, n\))5 934(3.5.13. read\(d,)1 633 2 720 5940 t 10 R f (If)720 6096 w 10 I f (d)811 6096 w 10 R f (refers to a blind directory, then)5 1236 1 886 6096 t 10 B f (error)2147 6096 w 10 R f (.)2373 6096 w 10 B f ( o, n\))2 214(3.5.14. seek\(d,)1 622 2 720 6336 t 10 R f (This call is like)3 614 1 720 6492 t 10 I f (lseek,)1359 6492 w 10 R f (but returns an integer, \2611 for failure and 0 for success.)10 2161 1 1608 6492 t (If)720 6648 w 10 I f (n)811 6648 w 10 S f (\271)902 6648 w 10 R f (1 or)1 158 1 998 6648 t 10 I f (o)1181 6648 w 10 S f (\271)1272 6648 w 10 R f (0 check)1 307 1 1368 6648 t 10 I f (P)1700 6648 w 10 R f (\()1769 6648 w 10 I f (f)1826 6648 w 10 R f (\()1870 6648 w 10 I f (d)1911 6648 w 10 R f ( \2473.1.11.)1 350(\) \),)1 99 2 1969 6648 t (Let file descriptor)2 715 1 720 6804 t 10 I f (d)1460 6804 w 10 R f (name \()1 274 1 1535 6804 t 10 I f (p)1817 6804 w 10 R f (,)1875 6804 w 10 I f (s)1932 6804 w 10 R f (,)1979 6804 w 10 I f (f)2044 6804 w 10 R f (\).)2096 6804 w (If)720 6960 w 10 I f (n)811 6960 w 10 S f (=)910 6960 w 10 R f (0 check WS\()2 515 1 1014 6960 t 10 I f (d)1529 6960 w 10 R f (\) \(\2473.1.8\) as if)3 568 1 1579 6960 t 10 I f (L)2172 6960 w 10 R f (\()2236 6960 w 10 I f (s)2277 6960 w 10 R f (\) were equal to)3 595 1 2324 6960 t 10 S f (^)2944 6960 w 10 R f (.)3010 6960 w (If)720 7116 w 10 I f (n)811 7116 w 10 S f (=)910 7116 w 10 R f (1 check WS\()2 515 1 1014 7116 t 10 I f (d)1529 7116 w 10 R f (\).)1579 7116 w (If)720 7272 w 10 I f (n)811 7272 w 10 S f (=)910 7272 w 10 R f (2 check WS\()2 515 1 1014 7272 t 10 I f (d)1529 7272 w 10 R f (\) as if)2 227 1 1579 7272 t 10 I f (L)1831 7272 w 10 R f (\()1895 7272 w 10 I 
f (s)1936 7272 w 10 R f (\) were equal to)3 595 1 1983 7272 t 10 I f (L)2603 7272 w 10 R f (\()2667 7272 w 10 I f (f)2724 7272 w 10 R f (\).)2776 7272 w cleartomark showpage saveobj restore %%EndPage: 22 22 %%Page: 23 23 /saveobj save def mark 23 pagesetup 10 R f (- 23 -)2 216 1 2772 480 t 10 S1 f ()720 840 w 720 840 m 100 build_rh 820 840 m 10 R f (Do not disturb)2 582 1 970 840 t 10 I f (d)1579 840 w 10 R f (if some process other than)4 1056 1 1656 840 t 10 I f (p)2764 840 w 10 R f ( seeking relative)2 660( On)1 175( it.)1 109(has process-exclusive access to)3 1255 4 2841 840 t ( state of)2 320(to the beginning, the previous)4 1203 2 970 960 t 10 I f (s)2520 960 w 10 R f ( seeking to)2 437( On)1 174(is forgotten, so its previous label is irrelevant.)7 1843 3 2586 960 t (the end, the new value of)5 1003 1 970 1080 t 10 I f (s)1998 1080 w 10 R f (depends on the size of)4 887 1 2062 1080 t 10 I f (f)2974 1080 w 10 R f (, but not on the old value of)7 1105 1 3002 1080 t 10 I f (s)4132 1080 w 10 R f (.)4171 1080 w 10 S1 f ()720 1236 w 720 1236 m 100 build_rh 820 1236 m 10 R f (This function, resurrected from earlier)4 1566 1 970 1236 t 9 R f (UNIX)2569 1236 w 10 R f (systems, avoids unnecessary label inflation that could)6 2211 1 2829 1236 t (happen with)1 491 1 970 1356 t 10 I f (lseek)1486 1356 w 10 R f (; see \2473.5.10.)2 530 1 1685 1356 t 10 S1 f ()720 1512 w 720 1512 m 100 build_rh 820 1512 m 10 R f ( file with a trusted process may by moving the seek pointer)11 2416(An untrusted process that shares an open)6 1654 2 970 1512 t ( a process could influence downward)5 1542( this way)2 387( In)1 146(be able to insert information into trusted writes.)7 1995 4 970 1632 t ( exclusive access over)3 910( be safe, trusted processes should assert)6 1625( To)1 169(writes or writes above its ceiling.)5 1366 4 970 1752 t (possibly shared file descriptors; see \2473.7.2.1.)5 1795 1 970 1872 t 10 B f ( rd, wd, t\))3 419(3.5.15. 
select\(n,)1 671 2 720 2112 t 10 R f (Delete any descriptor)2 869 1 720 2268 t 10 I f (d)1622 2268 w 10 R f (such that)1 366 1 1705 2268 t 10 I f (X)2105 2268 w 10 R f (\()2174 2268 w 10 I f (f)2231 2268 w 10 R f (\()2275 2268 w 10 I f (d)2316 2268 w 10 R f (\) \))1 74 1 2374 2268 t 10 S f (=)2505 2268 w 10 I f (X)2609 2268 w 10 R f (\()2678 2268 w 10 I f (f)2735 2268 w 10 S f (\242)2785 2263 w 10 R f (\()2826 2268 w 10 I f (d)2867 2268 w 10 R f (\) \))1 74 1 2925 2268 t 10 S f (=)3056 2268 w 10 B f (pexed)3160 2268 w 10 R f (and)3444 2268 w 10 I f (H)3622 2268 w 10 R f (\()3702 2268 w 10 I f (f)3759 2268 w 10 R f (\()3803 2268 w 10 I f (d)3844 2268 w 10 R f (\) \))1 74 1 3902 2268 t 10 S f (\271)4025 2268 w 10 I f (p)4121 2268 w 10 R f (from the sets)2 534 1 4205 2268 t 10 I f (rd)4773 2268 w 10 R f (and)4896 2268 w 10 I f (wd)720 2388 w 10 R f (.)837 2388 w (If)720 2544 w 10 I f (X)811 2544 w 10 R f (\()880 2544 w 10 I f (f)937 2544 w 10 S f (\242)987 2539 w 10 R f (\()1028 2544 w 10 I f (d)1069 2544 w 10 R f ( for some file descriptor)4 959(\) \))1 74 2 1127 2544 t 10 I f (d)2185 2544 w 10 R f (changes while waiting in)3 996 1 2260 2544 t 10 I f (select,)3281 2544 w 10 R f (report)3558 2544 w 10 I f (d)3821 2544 w 10 R f (as ready; see \2473.7.2.)3 809 1 3896 2544 t 10 S1 f ()720 2700 w 720 2700 m 100 build_rh 820 2700 m 10 R f ( ready in)2 387(A file held in process-exclusive state by other processes is not)10 2659 2 970 2700 t 10 I f (p)4060 2700 w 10 R f ( file in an impure)4 764(. 
A)1 166 2 4110 2700 t (process-exclusive state may need attention.)4 1727 1 970 2820 t 10 S1 f ()720 2976 w 720 2976 m 100 build_rh 820 2976 m 10 R f ( \(1\) High writes on one of several pipes; Low uses)10 2103(Covert channels:)1 682 2 970 2976 t 10 I f (select)3789 2976 w 10 R f (to discover which; High)3 990 1 4050 2976 t ( several pipes; High reads from one; Low uses)8 1892( Low fills)2 401( \(2\))1 172(empties the pipe by reading it.)5 1240 4 970 3096 t 10 I f (select)4705 3096 w 10 R f (to)4962 3096 w (discover which.)1 632 1 970 3216 t 10 B f ( fp\), kill\(p, s\))3 548(3.5.16. signal\(s,)1 673 2 720 3456 t 10 R f (Let)720 3612 w 10 I f (L)878 3612 w 10 R f (be the label of the signal source.)6 1289 1 959 3612 t (If a signal would be caught and)6 1253 1 720 3768 t 10 I f (L)1998 3768 w 10 S f (\243)2095 3768 w 10 I f (/ L)1 138 1 2109 3768 t 10 R f (\()2255 3768 w 10 I f (p)2296 3768 w 10 R f (\) then the signal is ignored.)5 1088 1 2354 3768 t (If a core image is required, it will be made as if by)12 2027 1 720 3924 t 10 I f (creat)2773 3924 w 10 R f (and)3004 3924 w 10 I f (write.)3174 3924 w 10 R f (However, if Cap)2 666 1 3457 3924 t 7 R f (nochk)4134 3944 w 10 R f (\()4321 3924 w 10 I f (p)4362 3924 w 10 R f (\) was ever true,)3 620 1 4420 3924 t ( condition, ``Cap)2 690( The)1 210( made.)1 271(no core image will be)4 889 4 720 4044 t 7 R f (nochk)2791 4064 w 10 R f (\()2978 4044 w 10 I f (p)3019 4044 w 10 R f (\) was ever true,'' is inherited across)6 1456 1 3077 4044 t 10 I f (fork)4563 4044 w 10 R f (but not)1 286 1 4754 4044 t (across)720 4164 w 10 I f (exec.)994 4164 w 10 S1 f ()720 4320 w 720 4320 m 100 build_rh 820 4320 m 10 R f ( them is technically difficult,)4 1184( Stopping)1 420( a covert channel of only 100bps.)6 1376(Downward signals provide)2 1090 4 970 4320 t (so we have not done so in our experimental system.)9 2064 1 970 4440 t 10 S1 f ()720 4596 w 720 4596 m 100 build_rh 820 4596 m 10 R f (A process with capability)3 1051 1 970 4596 t 
10 I f (Tnocheck)2057 4596 w 10 R f (is trusted, and hence can be counted on not to spill its secrets)12 2565 1 2475 4596 t (across)970 4716 w 10 I f (exec)1244 4716 w 10 R f (even if it relinquishes trustedness.)4 1357 1 1445 4716 t 10 B f ( biasclock\(m\))1 569(3.5.17. stime\(t\),)1 676 2 720 4956 t 10 S1 f ()720 5112 w 720 5112 m 100 build_rh 820 5112 m 10 R f ( channel is highly)3 729( The)1 212( communicate to an unrelated process.)5 1565(By diddling the clock, a superuser can)6 1564 4 970 5112 t (exposed; superusers have better ways to cheat.)6 1859 1 970 5232 t 10 B f (3.5.18. tell\(d\))1 580 1 720 5472 t 10 R f (Return, as a long, the current value of the seek pointer.)10 2187 1 720 5628 t 10 S1 f ()720 5784 w 720 5784 m 100 build_rh 820 5784 m 10 R f (This call is resurrected from earlier)5 1404 1 970 5784 t 9 R f (UNIX)2397 5784 w 10 R f (systems; see \2473.5.14.)2 847 1 2647 5784 t 10 B f (3.5.19. vswapon\(f\))1 797 1 720 6024 t 10 R f (Legitimate values of)2 821 1 720 6180 t 10 I f (f)1566 6180 w 10 R f (, which are built into v10, must be confined to nonremovable media.)11 2736 1 1594 6180 t 10 S1 f ()720 6336 w 720 6336 m 100 build_rh 820 6336 m 10 R f ( device, because suitable devices)4 1318(No privilege has been required for this system call that sets the swap)12 2752 2 970 6336 t (are automatically labeled)2 1019 1 970 6456 t 10 B f (n)2022 6456 w 10 R f ( prevent an untrusted)3 861( conventions have been relied on to)6 1462(. Compile-time)1 639 3 2078 6456 t (superuser program from diverting swaps to a removable device.)8 2547 1 970 6576 t 10 B f ( vtimes\(b\))1 424(3.5.20. 
times\(b\),)1 699 2 720 6816 t 10 S1 f ()720 6972 w 720 6972 m 100 build_rh 820 6972 m 10 R f ( per second may be communicated from child to parent through)10 2700(A fraction of a bit)4 775 2 970 6972 t 10 I f (times)4486 6972 w 10 R f (, around)1 343 1 4697 6972 t (10bps through)1 575 1 970 7092 t 10 I f (vtimes.)1570 7092 w cleartomark showpage saveobj restore %%EndPage: 23 23 %%Page: 24 24 /saveobj save def mark 24 pagesetup 10 R f (- 24 -)2 216 1 2772 480 t 10 B f ( rmdir\(f\))1 379(3.5.21. unlink\(f\),)1 729 2 720 840 t 10 R f (If)720 996 w 10 I f (T)811 996 w 10 R f (\()875 996 w 10 I f (f)932 996 w 10 R f (\) then)1 230 1 984 996 t 10 B f (error)1239 996 w 10 R f (.)1465 996 w (If)720 1152 w 10 I f (f)811 1152 w 10 R f (is in a blind directory and userid of)7 1401 1 864 1152 t 10 I f (p)2290 1152 w 10 R f (is not the owner of)4 749 1 2365 1152 t 10 I f (f)3139 1152 w 10 R f (then)3192 1152 w 10 B f (error)3389 1152 w 10 R f (.)3615 1152 w (If)720 1308 w 10 S f (\330)811 1308 w 10 R f (Cap)890 1308 w 7 R f (nochk)1062 1328 w 10 R f (\()1249 1308 w 10 I f (p)1290 1308 w 10 R f (\) and)1 202 1 1348 1308 t 10 I f (L)1575 1308 w 10 R f (\()1639 1308 w 10 I f (f)1696 1308 w 10 R f (\))1748 1308 w 10 S f (\243)1830 1308 w 10 I f (/ C)1 149 1 1844 1308 t 10 R f (\()2001 1308 w 10 I f (p)2042 1308 w 10 R f (\) then)1 230 1 2100 1308 t 10 B f (error)2355 1308 w 10 R f (.)2581 1308 w 10 S1 f ()720 1464 w 720 1464 m 100 build_rh 820 1464 m 10 R f ( deter spoofing by file substitu-)5 1277( To)1 166( unlink a trusted file.)4 850(No process, not a even trusted process, may)7 1777 4 970 1464 t (tion in)1 260 1 970 1584 t 10 CW f (/tmp)1256 1584 w 10 R f ( process may not delete files)5 1139( A)1 123(, only a file's owner may delete it from a blind directory.)11 2282 3 1496 1584 t (that it can't see data in.)5 926 1 970 1704 t 10 S1 f ()720 1860 w 720 1860 m 100 build_rh 820 1860 m 10 R f (Covert channel: Low creates a bunch of files and places links to them in the blind 
directory)16 3772 1 970 1860 t 10 CW f (/tmp)4775 1860 w 10 R f (.)5015 1860 w (High unlinks them selectively; Low detects the change in link count and replenishes the links.)14 3755 1 970 1980 t 10 S1 f ()720 2136 w 720 2136 m 100 build_rh 820 2136 m 10 R f (A)970 2136 w 10 I f (W)1081 2136 w 10 R f ( a)1 83( But)1 209(check on unlink would narrow the covert channel.)7 2099 3 1203 2136 t 10 I f (W)3633 2136 w 10 R f ( have a nasty side)4 764(check would)1 521 2 3755 2136 t ( combination of untrusted processes could)5 1799(effect: innocently created files could get stuck so no)8 2271 2 970 2256 t ( and freezes the label of, a file in a directory that)11 2021( example, suppose Low creates,)4 1297( For)1 196(remove them.)1 556 4 970 2376 t ( cannot remove the file because it can't see the)9 1927( Low)1 240( ceiling.)1 329(High subsequently raises above Low's)4 1574 4 970 2496 t ( that can see the directory, will fail a W check because the file's)13 2574( or any other process)4 835(directory. High,)1 661 3 970 2616 t ( directory can't be deleted)4 1097( The)1 219( Low, the file's owner, can loosen the label.)8 1869( Only)1 265(label is frozen.)2 620 5 970 2736 t ( from the superuser in)4 884( might get help)3 606( \(High)1 284( file and directory are stuck.)5 1124( Both)1 246(because the file is in it.)5 926 6 970 2856 t ( guarantee that an unprivileged superuser can see all files that High)11 2702(unfreezing the file, but there is no)6 1368 2 970 2976 t (can.\))970 3096 w 10 B f ( exit\(s\))1 285(3.5.22. 
wait\(b\),)1 655 2 720 3336 t 10 R f (Let)720 3492 w 10 I f (q)878 3492 w 10 R f (be the exiting process.)3 893 1 953 3492 t ( the exit or the termination code of)7 1489(If either)1 332 2 720 3648 t 10 I f (q)2581 3648 w 10 R f (is nonzero and)2 612 1 2671 3648 t 10 I f (L)3323 3648 w 10 R f (\()3387 3648 w 10 I f (q)3428 3648 w 10 R f (\))3486 3648 w 10 S f (\243)3568 3648 w 10 I f (/ L)1 138 1 3582 3648 t 10 R f (\()3728 3648 w 10 I f (p)3769 3648 w 10 R f (\), the status reported by)4 1000 1 3827 3648 t 10 I f (wait)4867 3648 w 10 R f (shows exit code 0 and termination code)6 1581 1 720 3768 t 10 CW f (SIGTERM)2326 3768 w 10 R f (.)2746 3768 w 10 S1 f ()720 3924 w 720 3924 m 100 build_rh 820 3924 m 10 R f (The status is censored to prevent downward data flow; a 10bps covert channel remains.)13 3487 1 970 3924 t 10 B f ( b, n\))2 220(3.5.23. write\(d,)1 660 2 720 4164 t 10 R f ( mode of)2 369(If the file)2 383 2 720 4320 t 10 I f (d)1504 4320 w 10 R f (includes)1586 4320 w 10 CW f (S_IAPPEND)1951 4320 w 10 R f ( Incre-)1 294(, write at the end of file, regardless of the seek pointer.)11 2255 2 2491 4320 t (ment the seek pointer by the number of bytes written.)9 2136 1 720 4440 t (If)720 4596 w 10 I f (f)811 4596 w 10 R f (\()855 4596 w 10 I f (d)896 4596 w 10 R f (\) is nominated as a log file \(\2473.6.8\) then error)9 1816 1 954 4596 t 10 I f (ECONC)2795 4596 w 10 R f (.)3129 4596 w 10 B f ( system calls.)2 552(3.6. New)1 388 2 720 4836 t ( d, f, m, Cp\))4 508(3.6.1. fmount5\(n,)1 750 2 720 5076 t 10 R f (See \2473.5.8.)1 444 1 720 5232 t 10 B f ( Lp\), fgetflab\(d, Lp\))3 853(3.6.2. 
getflab\(f,)1 660 2 720 5472 t 10 R f ( label)1 224( The)1 210( label on a file, specified either by file name or file descriptor.)12 2532(These two system calls return the)5 1354 4 720 5628 t 10 I f (L)720 5748 w 10 R f (\()784 5748 w 10 I f (f)841 5748 w 10 R f ( \()1 41(\) and privileges Priv)3 813 2 893 5748 t 10 I f (f)1771 5748 w 10 R f (\) are placed in the location)5 1061 1 1823 5748 t 10 I f (Lp)2909 5748 w 10 R f (points to.)1 373 1 3040 5748 t 10 B f ( Cp\))1 186(3.6.3. getplab\(Lp,)1 773 2 720 5988 t 10 R f (Return the label, ceiling and privilege vector of the current process.)10 2694 1 720 6144 t (If pointer)1 374 1 720 6300 t 10 I f (Cp)1119 6300 w 10 R f (is not zero)2 416 1 1261 6300 t (Check RS\()1 436 1 970 6456 t 10 I f (C)1406 6456 w 10 R f (\()1481 6456 w 10 I f (p)1522 6456 w 10 R f (\)\).)1580 6456 w (If the check succeeds, place)4 1109 1 970 6612 t 10 I f (C)2104 6612 w 10 R f (\()2179 6612 w 10 I f (p)2220 6612 w 10 R f (\) and a zero privilege vector in the location pointed to.)10 2171 1 2278 6612 t (Otherwise place)1 645 1 970 6768 t 10 B f (n)1640 6768 w 10 R f (in the location pointed to.)4 1025 1 1721 6768 t (If pointer)1 374 1 720 6924 t 10 I f (Lp)1119 6924 w 10 R f (is not zero, place)3 676 1 1250 6924 t 10 I f (L)1951 6924 w 10 R f (\()2015 6924 w 10 I f (p)2056 6924 w 10 R f ( \()1 41(\) and Priv)2 394 2 2114 6924 t 10 I f (p)2557 6924 w 10 R f (\) in the location pointed to.)5 1083 1 2615 6924 t (If the RS\()2 394 1 720 7080 t 10 I f (C)1114 7080 w 10 R f (\()1189 7080 w 10 I f (p)1230 7080 w 10 R f (\)\) check failed then)3 772 1 1288 7080 t 10 B f (error)2085 7080 w 10 R f (.)2311 7080 w 10 S1 f ()720 7236 w 720 7236 m 100 build_rh 820 7236 m 10 R f (The system calls)2 692 1 970 7236 t 10 I f (setplab)1700 7236 w 10 R f (and)2027 7236 w 10 I f (getplab)2209 7236 w 10 R f ( enforce the)2 498( To)1 175( the ceiling label.)3 730(mediate data flow through)3 1090 4 2547 7236 t cleartomark showpage saveobj restore %%EndPage: 24 24 
%%Page: 25 25 /saveobj save def mark 25 pagesetup 10 R f (- 25 -)2 216 1 2772 480 t ( the absence of such enforcement,)5 1421( In)1 147(formal policy on this flow the ceiling label itself is labeled.)10 2502 3 970 840 t (5000bps could be passed downward on this channel.)7 2097 1 970 960 t 10 B f ( Cp\))1 186(3.6.4. labmount\(d,)1 801 2 720 1200 t 10 R f (Return the ceiling of the file system in which file descriptor)10 2386 1 720 1356 t 10 I f (d)3131 1356 w 10 R f (resides.)3206 1356 w (If)720 1512 w 10 I f (f)811 1512 w 10 R f (\()855 1512 w 10 I f (d)896 1512 w 10 R f (\) is in a file system place)6 993 1 954 1512 t 10 I f (C)1972 1512 w 10 R f (\()2047 1512 w 10 I f (FS)2088 1512 w 10 R f (\()2207 1512 w 10 I f (f)2264 1512 w 10 R f (\()2308 1512 w 10 I f (d)2349 1512 w 10 R f ( in the location)3 597(\) \) \))2 115 2 2407 1512 t 10 I f (Cp)3144 1512 w 10 R f (points to.)1 373 1 3286 1512 t (Otherwise place)1 645 1 720 1668 t 10 B f (y)1390 1668 w 10 R f (in the location pointed to.)4 1025 1 1465 1668 t 10 B f ( code\))1 252(3.6.5. 
nochk\(fd,)1 684 2 720 1908 t 10 R f (If)720 2064 w 10 I f (code)811 2064 w 10 S f (=)1048 2064 w 10 R f (0 mark file descriptor)3 862 1 1152 2064 t 10 I f (fd)2039 2064 w 10 R f (not exempt and clear safe-to-read and safe-to-write bits in)8 2310 1 2142 2064 t 10 I f (fd)4477 2064 w 10 R f (.)4555 2064 w (Otherwise, mark)1 665 1 720 2220 t 10 I f (fd)1410 2220 w 10 R f (exempt.)1513 2220 w (Return 0 or 1 according as)5 1056 1 720 2376 t 10 I f (fd)1801 2376 w 10 R f (was not or was exempt before.)5 1219 1 1904 2376 t 10 S1 f ()720 2532 w 720 2532 m 100 build_rh 820 2532 m 10 R f ( The)1 206( are turned on by default \(\2473.5.7\), although the opposite convention would be better.)13 3383(Exempt bits)1 481 3 970 2532 t (present convention allows some administrative programs that need Cap)8 2892 1 970 2652 t 7 R f (nochk)3873 2672 w 10 R f (privilege to be identical)3 958 1 4082 2652 t (with those on ordinary)3 902 1 970 2772 t 9 R f (UNIX)1895 2772 w 10 R f (systems.)2145 2772 w 10 B f ( Lp\), fsetflab\(d, Lp\))3 842(3.6.6. 
setflab\(f,)1 649 2 720 3012 t 10 R f ( to)1 114( description applies)2 797( The)1 215(These two system calls set the label on a file.)9 1893 4 720 3168 t 10 I f (setflab)3775 3168 w 10 R f (;)4042 3168 w 10 I f (fsetflab)4106 3168 w 10 R f (is to)1 181 1 4437 3168 t 10 I f (setflab)4654 3168 w 10 R f (as)4957 3168 w 10 I f (fchmod)720 3288 w 10 R f (is to)1 170 1 1039 3288 t 10 I f (chmod.)1234 3288 w 10 R f (The proposed new privilege vector Priv, fixity)6 1850 1 1575 3288 t 10 I f (F)3450 3288 w 10 R f (, and label)2 413 1 3511 3288 t 10 I f (L)3949 3288 w 10 R f (are pointed to by)3 674 1 4030 3288 t 10 I f (Lp)4729 3288 w 10 R f (.)4835 3288 w (If userid of)2 443 1 720 3444 t 10 I f (p)1188 3444 w 10 R f (is not superuser or owner of)5 1117 1 1263 3444 t 10 I f (f)2405 3444 w 10 R f (then)2458 3444 w 10 B f (error)2655 3444 w 10 CW f (EPERM)2906 3444 w 10 R f (.)3206 3444 w (If)720 3600 w 10 I f (f)811 3600 w 10 R f (is a process file then)4 815 1 864 3600 t 10 B f (error)1704 3600 w 10 R f (.)1930 3600 w 10 S1 f ()720 3756 w 720 3756 m 100 build_rh 820 3756 m 10 R f (Prevent violations of the ceiling or increases in privilege of the process.)11 2862 1 970 3756 t (Check privilege:)1 663 1 720 3912 t (If Cap)1 252 1 970 4068 t 7 R f (setpriv)1233 4088 w 10 R f (\()1440 4068 w 10 I f (p)1481 4068 w 10 R f (\) the check succeeds.)3 841 1 1539 4068 t (Otherwise, if)1 525 1 970 4224 t 10 I f (F)1524 4224 w 10 S f (\271)1626 4224 w 10 I f (F)1722 4224 w 10 R f (\()1791 4224 w 10 I f (f)1848 4224 w 10 R f (\) and userid of)3 591 1 1900 4224 t 10 I f (p)2520 4224 w 10 R f (is not the superuser or the same as the owner of)10 1936 1 2599 4224 t 10 I f (f)4564 4224 w 10 R f (, then error)2 448 1 4592 4224 t 10 CW f (ECONC)970 4344 w 10 R f (.)1270 4344 w (Otherwise, if)1 521 1 970 4500 t 10 I f (T)1516 4500 w 10 R f (\()1580 4500 w 10 I f (f)1637 4500 w 10 R f (\) then)1 230 1 1689 4500 t 10 B f (error)1944 4500 w 10 R f (.)2170 4500 w (Otherwise, if Priv is nonzero 
then)5 1348 1 970 4656 t 10 B f (error)2343 4656 w 10 R f (.)2569 4656 w (Otherwise, the check succeeds.)3 1243 1 970 4812 t (If the privilege check succeeds, check labels: the following label check:)10 2862 1 720 4968 t (If)970 5124 w 10 I f (L)1061 5124 w 10 S f (=)1166 5124 w 10 B f (y)1270 5124 w 10 R f (then)1345 5124 w 10 B f (error)1542 5124 w 10 R f (.)1768 5124 w (Otherwise, if)1 521 1 970 5280 t 10 I f (L)1516 5280 w 10 S f (=)1621 5280 w 10 B f (n)1725 5280 w 10 R f (If)1220 5436 w 10 I f (L)1311 5436 w 10 R f (\()1375 5436 w 10 I f (f)1432 5436 w 10 R f (\))1484 5436 w 10 S f (\243)1566 5436 w 10 I f (C)1662 5436 w 10 R f (\()1737 5436 w 10 I f (p)1778 5436 w 10 R f (\) the check succeeds.)3 841 1 1836 5436 t (Otherwise)1220 5592 w 10 B f (error)1655 5592 w 10 R f (.)1881 5592 w (Otherwise, if)1 521 1 970 5748 t 10 I f (L)1516 5748 w 10 R f (\()1580 5748 w 10 I f (f)1637 5748 w 10 R f (\))1689 5748 w 10 S f (=)1779 5748 w 10 B f (n)1883 5748 w 10 R f (and Cap)1 330 1 1964 5748 t 7 R f (extern)2305 5768 w 10 R f (\()2496 5748 w 10 I f (p)2537 5748 w 10 R f (\) the check succeeds.)3 841 1 2595 5748 t (Otherwise, if)1 521 1 970 5904 t 10 I f (L)1516 5904 w 10 R f (\()1580 5904 w 10 I f (f)1637 5904 w 10 R f (\))1689 5904 w 10 S f (\243)1771 5904 w 10 I f (/ L)1 138 1 1785 5904 t 10 R f (then)1948 5904 w 10 B f (error)2145 5904 w 10 R f (.)2371 5904 w (Otherwise, if Cap)2 707 1 970 6060 t 7 R f (nochk)1688 6080 w 10 R f (\()1875 6060 w 10 I f (p)1916 6060 w 10 R f (\) the check succeeds.)3 841 1 1974 6060 t (Otherwise, if)1 521 1 970 6216 t 10 I f (L)1516 6216 w 10 R f (\()1580 6216 w 10 I f (p)1621 6216 w 10 R f (\))1679 6216 w 10 S f (\243)1761 6216 w 10 I f (L)1857 6216 w 10 S f (\243)1954 6216 w 10 I f (C)2050 6216 w 10 R f (\()2125 6216 w 10 I f (p)2166 6216 w 10 R f (\) the check succeeds.)3 841 1 2224 6216 t (Otherwise)970 6372 w 10 B f (error)1405 6372 w 10 R f (.)1631 6372 w (If the label check succeeds, check fixity: the following fixity check:)10 
2708 1 720 6528 t (If)970 6684 w 10 I f (F)1061 6684 w 10 R f (\()1130 6684 w 10 I f (f)1187 6684 w 10 R f (\))1239 6684 w 10 S f (=)1329 6684 w 10 B f (constant)1433 6684 w 10 R f (then)1819 6684 w 10 B f (error)2016 6684 w 10 R f (.)2242 6684 w (Otherwise, if)1 521 1 970 6840 t 10 I f (F)1516 6840 w 10 S f (=)1626 6840 w 10 B f (constant)1730 6840 w 10 R f (then)2116 6840 w 10 B f (error)2313 6840 w 10 R f (.)2539 6840 w (Otherwise, if)1 521 1 970 6996 t 10 I f (F)1516 6996 w 10 S f (=)1626 6996 w 10 B f (rigid)1730 6996 w 10 R f (and)1961 6996 w 10 I f (f)2130 6996 w 10 R f (is not a stream then)4 777 1 2183 6996 t 10 B f (error)2985 6996 w 10 R f (.)3211 6996 w (Otherwise, if)1 521 1 970 7152 t 10 I f (F)1516 7152 w 10 R f (\()1585 7152 w 10 I f (f)1642 7152 w 10 R f (\))1694 7152 w 10 S f (=)1784 7152 w 10 B f (loose)1888 7152 w 10 R f (the check succeeds.)2 783 1 2124 7152 t (Otherwise, if)1 521 1 970 7308 t 10 I f (F)1516 7308 w 10 R f (\()1585 7308 w 10 I f (f)1642 7308 w 10 R f (\))1694 7308 w 10 S f (=)1784 7308 w 10 B f (frozen)1888 7308 w 10 R f (and userid of)2 521 1 2184 7308 t 10 I f (p)2730 7308 w 10 R f (is the same as the owner of)6 1081 1 2805 7308 t 10 I f (f)3911 7308 w 10 R f (, the check succeeds.)3 833 1 3939 7308 t cleartomark showpage saveobj restore %%EndPage: 25 25 %%Page: 26 26 /saveobj save def mark 26 pagesetup 10 R f (- 26 -)2 216 1 2772 480 t (Otherwise, if)1 521 1 970 840 t 10 I f (F)1516 840 w 10 R f (\()1585 840 w 10 I f (f)1642 840 w 10 R f (\))1694 840 w 10 S f (=)1784 840 w 10 B f (rigid)1888 840 w 10 R f (and Cap)1 330 1 2119 840 t 7 R f (extern)2460 860 w 10 R f (\()2651 840 w 10 I f (p)2692 840 w 10 R f (\) the check succeeds.)3 841 1 2750 840 t (Otherwise)970 996 w 10 B f (error)1405 996 w 10 R f (.)1631 996 w (If the fixity check succeeds, change the label:)7 1817 1 720 1152 t (If)970 1308 w 10 I f (F)1061 1308 w 10 R f (\()1130 1308 w 10 I f (f)1187 1308 w 10 R f (\))1239 1308 w 10 S f (=)1329 1308 w 10 B f (rigid)1433 
1308 w 10 R f (then set)1 308 1 1664 1308 t 10 I f (F)1997 1308 w 10 R f (:)2099 1308 w 10 S f (=)2143 1308 w 10 B f (rigid)2247 1308 w 10 R f (.)2453 1308 w (If)970 1464 w 10 I f (L)1064 1464 w 10 R f (\()1128 1464 w 10 I f (f)1185 1464 w 10 R f (\))1237 1464 w 10 S f (\271)1319 1464 w 10 I f (L)1415 1464 w 10 R f (, and if)2 286 1 1471 1464 t 10 I f (f)1785 1464 w 10 R f ( openings of)2 502(is an external medium, then block all input/output activity for all)10 2615 2 1841 1464 t 10 I f (f)4987 1464 w 10 R f (,)5015 1464 w (drain its output buffers, and flush its input buffers.)8 2015 1 970 1584 t (Set)970 1740 w 10 I f (F)1123 1740 w 10 R f (\()1192 1740 w 10 I f (f)1249 1740 w 10 R f (\) :)1 110 1 1301 1740 t 10 S f (=)1427 1740 w 10 I f (F)1531 1740 w 10 R f (.)1592 1740 w (If)970 1896 w 10 I f (L)1088 1896 w 10 R f (\()1152 1896 w 10 I f (f)1209 1896 w 10 R f (\))1261 1896 w 10 S f (\271)1343 1896 w 10 I f (L)1439 1896 w 10 R f ( \()1 41(or Priv)1 302 2 1547 1896 t 10 I f (f)1914 1896 w 10 R f (\))1966 1896 w 10 S f (\271)2048 1896 w 10 R f (Priv, then set)2 579 1 2144 1896 t 10 I f (L)2776 1896 w 10 R f (\()2840 1896 w 10 I f (f)2897 1896 w 10 R f (\) :)1 110 1 2949 1896 t 10 S f (=)3075 1896 w 10 I f (L)3179 1896 w 10 R f ( \()1 41(and Priv)1 364 2 3288 1896 t 10 I f (f)3717 1896 w 10 R f (\) :)1 110 1 3769 1896 t 10 S f (=)3895 1896 w 10 R f (Priv and propagate with)3 1041 1 3999 1896 t (CHF\()970 2016 w 10 I f (f)1198 2016 w 10 R f (\); see \2473.2.2.)2 513 1 1226 2016 t (Unblock input/output \(if blocked\).)3 1377 1 970 2172 t 10 S1 f ()720 2328 w 720 2328 m 100 build_rh 820 2328 m 10 R f ( also can be removed only by)6 1224( Trustedness)1 536( be marked trusted only with trusted tools.)7 1751(Processes can)1 559 4 970 2328 t (trusted tools, not to forestall security breaches, but to preserve the tools themselves.)12 3343 1 970 2448 t 10 S1 f ()720 2604 w 720 2604 m 100 build_rh 820 2604 m 10 R f ( processes may downgrade)3 1087( Trusted)1 360( processes 
can upgrade anything.)4 1336( Trusted)1 360(Labels can only go up.)4 927 5 970 2604 t ( capability)1 440( labels of external are rigid; their labels can change only with)11 2684( The)1 227(only by copying.)2 719 4 970 2724 t (Cap)970 2844 w 7 R f (extern)1142 2864 w 10 R f (; see \2473.4.2.)2 480 1 1325 2844 t 10 S1 f ()720 3000 w 720 3000 m 100 build_rh 820 3000 m 10 I f (Setflab)970 3000 w 10 R f (on a file labeled)3 652 1 1277 3000 t 10 B f (n)1958 3000 w 10 R f ( file may be down-)4 774( A)1 127(, usually an external medium, renews the file \(\2472.5\).)8 2125 3 2014 3000 t (graded by setting its label to)5 1130 1 970 3120 t 10 B f (n)2125 3120 w 10 R f (and then using capability Cap)4 1188 1 2206 3120 t 7 R f (extern)3405 3140 w 10 R f (to set the label away from)5 1034 1 3613 3120 t 10 B f (n)4672 3120 w 10 R f (.)4728 3120 w 10 B f ( Cp\))1 186(3.6.7. setplab\(Lp,)1 762 2 720 3360 t 10 R f ( proposed label)2 614( The)1 206(This system call sets the label, privilege, and ceiling of the current process.)12 3010 3 720 3516 t 10 I f (L)4577 3516 w 10 R f (, privilege)1 407 1 4633 3516 t (Priv, capability Cap, license Lic and fixity)6 1771 1 720 3636 t 10 I f (F)2529 3636 w 10 R f ( by)1 137(are pointed to)2 575 2 2628 3636 t 10 I f (Lp)3377 3636 w 10 R f (; the proposed ceiling by)4 1036 1 3483 3636 t 10 I f (Cp)4556 3636 w 10 R f ( zero)1 208(. 
A)1 159 2 4673 3636 t (pointer designates a proposed value equal to the current value.)9 2489 1 720 3756 t (Check privilege:)1 663 1 720 3912 t ( \()1 41(If Cap is not bitwise less than or equal to Cap)10 1821 2 970 4068 t 10 I f (p)2840 4068 w 10 R f (\) then)1 230 1 2898 4068 t 10 B f (error)3153 4068 w 10 R f (.)3379 4068 w ( \()1 41(Otherwise, if Lic is bitwise less than or equal to Lic)10 2067 2 970 4224 t 10 I f (p)3086 4224 w 10 R f (\) the check succeeds.)3 841 1 3144 4224 t (Otherwise, if Cap)2 707 1 970 4380 t 7 R f (setlic)1688 4400 w 10 R f (\()1853 4380 w 10 I f (p)1894 4380 w 10 R f (\) the check succeeds.)3 841 1 1952 4380 t (Otherwise)970 4536 w 10 B f (error)1405 4536 w 10 R f (.)1631 4536 w (If the privilege check succeeds, check labels:)6 1797 1 720 4692 t (If)970 4848 w 10 I f (L)1061 4848 w 10 S f (=)1166 4848 w 10 B f (y)1270 4848 w 10 R f (or if)1 169 1 1345 4848 t 10 I f (L)1539 4848 w 10 S f (=)1644 4848 w 10 B f (n)1748 4848 w 10 R f (or if)1 169 1 1829 4848 t 10 I f (C)2023 4848 w 10 S f (=)2139 4848 w 10 B f (y)2243 4848 w 10 R f (or if)1 169 1 2318 4848 t 10 I f (C)2512 4848 w 10 S f (=)2628 4848 w 10 B f (n)2732 4848 w 10 R f (then)2813 4848 w 10 B f (error)3010 4848 w 10 R f (.)3236 4848 w (Otherwise, if)1 521 1 970 5004 t 10 I f (L)1516 5004 w 10 S f (\243)1613 5004 w 10 I f (/ C)1 149 1 1627 5004 t 10 R f (then)1801 5004 w 10 B f (error)1998 5004 w 10 R f (.)2224 5004 w (Otherwise, if)1 521 1 970 5160 t 10 I f (L)1516 5160 w 10 R f (\()1580 5160 w 10 I f (p)1621 5160 w 10 R f (\))1679 5160 w 10 S f (\243)1761 5160 w 10 I f (/ L)1 138 1 1775 5160 t 10 R f (and)1938 5160 w 10 S f (\330)2107 5160 w 10 R f (Cap)2186 5160 w 7 R f (setlic)2358 5180 w 10 R f (\()2523 5160 w 10 I f (p)2564 5160 w 10 R f (\) then)1 230 1 2622 5160 t 10 B f (error)2877 5160 w 10 R f (.)3103 5160 w (Otherwise, if)1 521 1 970 5316 t 10 I f (C)1516 5316 w 10 S f (\243)1624 5316 w 10 I f (/ C)1 149 1 1638 5316 t 10 R f (\()1795 5316 w 10 I f (p)1836 5316 w 10 R f 
(\) and)1 202 1 1894 5316 t 10 S f (\330)2121 5316 w 10 R f (Cap)2200 5316 w 7 R f (setlic)2372 5336 w 10 R f (\()2537 5316 w 10 I f (p)2578 5316 w 10 R f (\) then)1 230 1 2636 5316 t 10 B f (error)2891 5316 w 10 R f (.)3117 5316 w (Otherwise the check succeeds.)3 1218 1 970 5472 t (If the label check succeeds then)5 1265 1 720 5628 t (If)970 5784 w 10 I f (F)1061 5784 w 10 S f (=)1171 5784 w 10 B f (rigid)1275 5784 w 10 R f (or)1506 5784 w 10 I f (F)1614 5784 w 10 S f (=)1724 5784 w 10 B f (constant)1828 5784 w 10 R f (then)2214 5784 w 10 B f (error)2411 5784 w 10 R f (.)2637 5784 w (Set)970 5940 w 10 I f (F)1123 5940 w 10 R f (\()1192 5940 w 10 I f (p)1233 5940 w 10 R f (\) :)1 110 1 1291 5940 t 10 S f (=)1417 5940 w 10 I f (F)1521 5940 w 10 R f (.)1582 5940 w (If)970 6096 w 10 I f (L)1061 6096 w 10 R f (\()1125 6096 w 10 I f (p)1166 6096 w 10 R f (\))1224 6096 w 10 S f (\271)1306 6096 w 10 I f (L)1402 6096 w 10 R f (set)1483 6096 w 10 I f (L)1619 6096 w 10 R f (\()1683 6096 w 10 I f (p)1724 6096 w 10 R f (\) :)1 110 1 1782 6096 t 10 S f (=)1908 6096 w 10 I f (L)2012 6096 w 10 R f (and propagate with)2 765 1 2093 6096 t 10 I f (CHP)2883 6096 w 10 R f ( see \2473.2.1.)2 452(\( \);)1 110 2 3091 6096 t (If the process loses capability Cap)5 1382 1 970 6252 t 7 R f (nochk)2363 6272 w 10 R f (or)2570 6252 w 10 I f (C)2681 6252 w 10 R f (\()2756 6252 w 10 I f (p)2797 6252 w 10 R f (\))2855 6252 w 10 S f (\243)2937 6252 w 10 I f (/ C)1 149 1 2951 6252 t 10 R f (then clear all safe-to-read and safe-to-write bits)6 1912 1 3128 6252 t (in)970 6372 w 10 I f (p)1073 6372 w 10 R f (.)1123 6372 w ( \()1 41(Set Priv)1 320 2 970 6528 t 10 I f (p)1339 6528 w 10 R f (\) :)1 110 1 1397 6528 t 10 S f (=)1523 6528 w 10 R f (Priv.)1627 6528 w (Set)970 6684 w 10 I f (C)1123 6684 w 10 R f (\()1198 6684 w 10 I f (p)1239 6684 w 10 R f (\) :)1 110 1 1297 6684 t 10 S f (=)1423 6684 w 10 I f (C)1527 6684 w 10 R f (.)1594 6684 w (If)970 6840 w 10 I f (Cp)1061 6840 w 10 R f (is not zero set)3 
552 1 1203 6840 t 10 I f (L)1780 6840 w 10 R f (\()1844 6840 w 10 I f (C)1885 6840 w 10 R f (\()1960 6840 w 10 I f (p)2001 6840 w 10 R f (\) \).)1 99 1 2059 6840 t (If)1220 6996 w 10 S f (\330)1311 6996 w 10 R f (Cap)1390 6996 w 7 R f (setlic)1562 7016 w 10 R f (\()1727 6996 w 10 I f (p)1768 6996 w 10 R f (\) set)1 169 1 1826 6996 t 10 I f (L)2020 6996 w 10 R f (\()2084 6996 w 10 I f (C)2125 6996 w 10 R f (\()2200 6996 w 10 I f (p)2241 6996 w 10 R f ( :)1 77(\) \))1 74 2 2299 6996 t 10 S f (=)2466 6996 w 10 I f (L)2570 6996 w 10 R f (\()2634 6996 w 10 I f (p)2675 6996 w 10 R f (\).)2733 6996 w (Otherwise, set)1 571 1 1220 7152 t 10 I f (L)1816 7152 w 10 R f (\()1880 7152 w 10 I f (C)1921 7152 w 10 R f (\()1996 7152 w 10 I f (p)2037 7152 w 10 R f ( :)1 77(\) \))1 74 2 2095 7152 t 10 S f (=)2262 7152 w (^)2366 7152 w 10 R f (.)2432 7152 w 10 S1 f ()720 7308 w 720 7308 m 100 build_rh 820 7308 m 10 R f ( and ceiling)2 472( Label)1 279(The label of an untrusted process can only go up; the ceiling can only come down.)15 3319 3 970 7308 t cleartomark showpage saveobj restore %%EndPage: 26 26 %%Page: 27 27 /saveobj save def mark 27 pagesetup 10 R f (- 27 -)2 216 1 2772 480 t ( R\()1 126( the ceiling passes the label of open files, subsequent)9 2126( If)1 118(may never cross.)2 677 4 970 840 t 10 I f (f)4017 840 w 10 R f (\) checks \(\2473.1.5\) or W\()4 934 1 4045 840 t 10 I f (f)4979 840 w 10 R f (\))5007 840 w (checks \(\2473.1.7\) will fail.)3 976 1 970 960 t 10 S1 f ()720 1116 w 720 1116 m 100 build_rh 820 1116 m 10 I f (Setplab)970 1116 w 10 R f ( \()1 41( license Cap)2 492(does not observe the)3 821 3 1296 1116 t 10 I f (f)2674 1116 w 10 R f (\) of the file being executed or the maximum license Lic)10 2238 1 2726 1116 t 7 R f (0)4969 1076 w 10 R f (;)5012 1116 w (these are used only for initializing after)6 1569 1 970 1236 t 10 I f (exec.)2564 1236 w 10 S1 f ()720 1392 w 720 1392 m 100 build_rh 820 1392 m 10 R f (The bits in the ceiling are labeled \(by)7 1538 1 970 
1392 t 10 I f (L)2540 1392 w 10 R f (\()2604 1392 w 10 I f (C)2645 1392 w 10 R f (\()2720 1392 w 10 I f (p)2761 1392 w 10 R f ( and to some extent)4 809( \) because the ceiling is readable)6 1338(\) \))1 74 3 2819 1392 t ( not labeled, a lowish process with an all-ones)8 1903( the ceiling were)3 689( If)1 125(writable by an untrusted process.)4 1353 4 970 1512 t (ceiling could leak more than 5000bps by twiddling the ceiling.)9 2504 1 970 1632 t 10 B f ( n, x\))2 214(3.6.8. syslog\(c,)1 633 2 720 1872 t 10 R f ( Argument)1 461( security auditing.)2 731(Change or inquire about)3 983 3 970 2028 t 10 I f (n)3176 2028 w 10 R f (is an integer, which may also be interpreted)7 1783 1 3257 2028 t (as a file descriptor,)3 759 1 720 2148 t 10 I f (d)1504 2148 w 10 R f (, or as a process id,)5 762 1 1554 2148 t 10 I f (q)2341 2148 w 10 R f (.)2391 2148 w (Switch on)1 403 1 720 2304 t 10 I f (c)1148 2304 w 10 R f (into)1217 2304 w (Case)970 2460 w 10 CW f (LOGON)1189 2460 w 10 R f (: nominate file)2 583 1 1489 2460 t 10 I f (f)2097 2460 w 10 R f (\()2141 2460 w 10 I f (d)2182 2460 w 10 R f (\) as the repository for the log file with minor device number)11 2399 1 2240 2460 t 10 I f (x)4664 2460 w 10 R f (, \2473.4.8.)1 325 1 4708 2460 t (Case)970 2616 w 10 CW f (LOGOFF)1189 2616 w 10 R f (: turn off logging on device)5 1096 1 1549 2616 t 10 I f (x)2670 2616 w 10 R f (.)2714 2616 w (Case)970 2772 w 10 CW f (LOGGET)1189 2772 w 10 R f (: return poison mask)3 819 1 1549 2772 t 10 I f (PM)2393 2772 w 10 R f ([)2545 2772 w 10 I f (n)2586 2772 w 10 R f (].)2644 2772 w 10 I f (PM)2752 2772 w 10 R f ( means the system audit mask)5 1191([ 4 ])2 132 2 2904 2772 t 10 I f (SAM)4252 2772 w 10 R f (.)4446 2772 w (Case)970 2928 w 10 CW f (LOGSET)1189 2928 w 10 R f (: set)1 164 1 1549 2928 t 10 I f (PM)1738 2928 w 10 R f ([)1890 2928 w 10 I f (n)1931 2928 w 10 R f (] :)1 110 1 1989 2928 t 10 S f (=)2115 2928 w 10 I f (x)2219 2928 w 10 R f (.)2263 2928 w 10 I f (PM)2338 2928 w 10 R f ( means)1 
280([ 4 ])2 132 2 2490 2928 t 10 I f (SAM)2927 2928 w 10 R f (.)3121 2928 w (Case)970 3084 w 10 CW f (LOGFGET)1189 3084 w 10 R f (: return poison class)3 802 1 1609 3084 t 10 I f (PC)2436 3084 w 10 R f (\()2572 3084 w 10 I f (f)2629 3084 w 10 R f (\()2673 3084 w 10 I f (d)2714 3084 w 10 R f (\) \).)1 99 1 2772 3084 t (Case)970 3240 w 10 CW f (LOGFSET)1189 3240 w 10 R f (: set)1 164 1 1609 3240 t 10 I f (PC)1798 3240 w 10 R f (\()1934 3240 w 10 I f (f)1991 3240 w 10 R f (\()2035 3240 w 10 I f (d)2076 3240 w 10 R f ( :)1 77(\) \))1 74 2 2134 3240 t 10 S f (=)2301 3240 w 10 I f (x)2405 3240 w 10 R f (.)2449 3240 w (Case)970 3396 w 10 CW f (LOGPGET)1189 3396 w 10 R f (: return process audit mask)4 1076 1 1609 3396 t 10 I f (AM)2710 3396 w 10 R f (\()2862 3396 w 10 I f (q)2903 3396 w 10 R f (\).)2961 3396 w (Case)970 3552 w 10 CW f (LOGPSET)1189 3552 w 10 R f (: set)1 164 1 1609 3552 t 10 I f (AM)1798 3552 w 10 R f (\()1950 3552 w 10 I f (q)1991 3552 w 10 R f (\) :)1 110 1 2049 3552 t 10 S f (=)2175 3552 w 10 I f (x)2279 3552 w 10 R f (.)2323 3552 w ( classes are)2 448( The)1 205(Each bit of an audit mask designates a class of mandatory audit records.)12 2875 3 720 3708 t 10 CW f (N)970 3864 w 10 R f (uses of file names \(calls to)5 1062 1 1220 3864 t 10 I f (namei)2307 3864 w 10 R f (in the kernel\))2 532 1 2576 3864 t 10 CW f (S)970 3984 w 10 R f (seek calls)1 385 1 1220 3984 t 10 CW f (U)970 4104 w 10 R f (writes to the ``uarea'')3 866 1 1220 4104 t 10 CW f (I)970 4224 w 10 R f (accesses of inode contents:)3 1078 1 1220 4224 t 10 I f (stat)2323 4224 w 10 R f (\(2\),)2468 4224 w 10 I f (utime)2634 4224 w 10 R f (\(2\), etc.)1 307 1 2856 4224 t 10 CW f (D)970 4344 w 10 R f (possession and use of file descriptors:)5 1512 1 1220 4344 t 10 I f (open)2757 4344 w 10 R f (\(2\),)2951 4344 w 10 I f (close)3117 4344 w 10 R f (\(2\),)3322 4344 w 10 I f (read)3488 4344 w 10 R f (\(2\),)3671 4344 w 10 I f (write)3837 4344 w 10 R f (\(2\), etc.)1 307 1 4043 4344 t 10 CW f (P)970 
4464 w 10 R f (process history:)1 630 1 1220 4464 t 10 I f (exec)1875 4464 w 10 R f (\(2\),)2051 4464 w 10 I f (fork)2217 4464 w 10 R f (\(2\),)2378 4464 w 10 I f (kill)2544 4464 w 10 R f (\(2\),)2672 4464 w 10 I f (exit)2838 4464 w 10 R f (\(2\))2982 4464 w 10 CW f (L)970 4584 w 10 R f (explicit changes of labels:)3 1040 1 1220 4584 t 10 I f (setflab)2285 4584 w 10 R f (\(2\),)2552 4584 w 10 I f (setplab)2718 4584 w 10 R f (\(2\))3007 4584 w 10 CW f (A)970 4704 w 10 R f (all changes of labels)3 812 1 1220 4704 t 10 CW f (X)970 4824 w 10 R f (uses of privilege)2 660 1 1220 4824 t 10 CW f (E ELAB)1 490 1 970 4944 t 10 R f (error returns)1 495 1 1485 4944 t 10 CW f (T)970 5064 w 10 R f (uses of a traced file or process)6 1207 1 1220 5064 t (The format of audit records varies with the kind of action recorded.)11 2688 1 720 5220 t 10 S1 f ()720 5376 w 720 5376 m 100 build_rh 820 5376 m 10 R f ( the process)2 503(Writing of audit records is immune to label checking; the only security check is that)14 3567 2 970 5376 t (which sets)1 422 1 970 5496 t 10 CW f (LOGON)1420 5496 w 10 R f (is trusted and has been able to open file)8 1599 1 1748 5496 t 10 I f (d)3375 5496 w 10 R f (. Whether)1 421 1 3425 5496 t 10 I f (d)3874 5496 w 10 R f (is open for reading or writ-)5 1088 1 3952 5496 t ( persists after file)3 690( Logging)1 389(ing does not matter.)3 794 3 970 5616 t 10 I f (d)2868 5616 w 10 R f ( files may share repositories.)4 1145( Log)1 211(is closed.)1 372 3 2943 5616 t 10 S1 f ()720 5772 w 720 5772 m 100 build_rh 820 5772 m 10 R f ( the trusted nominating process to assure that the repository is protected so that logg-)14 3447(It is the duty of)4 623 2 970 5772 t (ging records cannot be read in violation of the security policy, \2473.4.8.)11 2782 1 970 5892 t 10 B f ( rp, wp\))2 336(3.6.9. 
unsafe\(n,)1 667 2 720 6132 t 10 R f (This system call queries and selectively clears safe-to-read and safe-to-write bits.)10 3239 1 720 6288 t (Two bit strings,)2 635 1 720 6444 t 10 I f (rs)1382 6444 w 10 R f (and)1487 6444 w 10 I f (ws)1658 6444 w 10 R f (, pointed to by)3 584 1 1764 6444 t 10 I f (rp)2375 6444 w 10 R f (and)2491 6444 w 10 I f (wp)2662 6444 w 10 R f (are indexed as in)3 679 1 2806 6444 t 10 I f (select.)3512 6444 w 10 R f ( actual safe-to-read bits)3 942(Let the)1 282 2 3816 6444 t (and safe-to-write bits of all file descriptors constitute strings)8 2440 1 720 6564 t 10 I f (rd)3189 6564 w 10 R f (and)3306 6564 w 10 I f (wd)3478 6564 w 10 R f ( the first)2 339(. Only)1 278 2 3595 6564 t 10 I f (n)4240 6564 w 10 R f (bits of each string)3 722 1 4318 6564 t (are considered.)1 603 1 720 6684 t (Do simultaneously)1 753 1 720 6840 t (Set)970 6996 w 10 I f (rs)1123 6996 w 10 R f (:)1242 6996 w 10 S f (=)1286 6996 w 10 I f (rd)1390 6996 w 10 R f (and)1504 6996 w 10 I f (ws)1673 6996 w 10 R f (:)1820 6996 w 10 S f (=)1864 6996 w 10 I f (wd)1968 6996 w 10 R f (.)2085 6996 w (If Cap)1 252 1 970 7152 t 7 R f (nochk)1233 7172 w 10 R f (\()1420 7152 w 10 I f (p)1461 7152 w 10 R f (\) then set)2 366 1 1519 7152 t 10 I f (rd)1910 7152 w 10 R f (:)2040 7152 w 10 S f (=)2084 7152 w 10 I f (rd &)1 175 1 2188 7152 t 10 S f (\330)2371 7152 w 10 I f (rs)2450 7152 w 10 R f (and)2553 7152 w 10 I f (wd)2722 7152 w 10 R f (:)2880 7152 w 10 S f (=)2924 7152 w 10 I f (wd &)1 203 1 3028 7152 t 10 S f (\330)3239 7152 w 10 I f (ws)3318 7152 w 10 R f (.)3424 7152 w 10 S1 f ()720 7308 w 720 7308 m 100 build_rh 820 7308 m 10 R f (Covert channel: High has pipe to Low; High raises level; Low uses)11 2903 1 970 7308 t 10 I f (unsafe)3918 7308 w 10 R f ( The)1 226(to discover it.)2 589 2 4225 7308 t cleartomark showpage saveobj restore %%EndPage: 27 27 %%Page: 28 28 /saveobj save def mark 28 pagesetup 10 R f (- 28 -)2 216 1 2772 480 t ( when High hits its ceiling, so not many 
bits\320probably less than 20\320can be trans-)14 3393(channel runs dry)2 677 2 970 840 t ( trusted processes, which are expected to be its principal user;)10 2514( call might be restricted to)5 1066(mitted. The)1 490 3 970 960 t (see \2473.2.5.)1 427 1 970 1080 t 10 B f ( requests)1 380(3.7. Ioctl)1 394 2 720 1320 t ( requests)1 380(3.7.1. Changed)1 659 2 720 1560 t ( FIORCVFD, r\))2 679(3.7.1.1. ioctl\(d,)1 647 2 720 1800 t 10 R f (An extra field added to the)5 1132 1 970 1956 t 10 CW f (passfd)2140 1956 w 10 R f (structure pointed to by)3 941 1 2538 1956 t 10 I f (r)3517 1956 w 10 R f (returns the capabilities)2 930 1 3594 1956 t 10 I f (T)4562 1956 w 10 R f (\()4626 1956 w 10 I f (q)4667 1956 w 10 R f ( the)1 161(\) of)1 154 2 4725 1956 t (sending process)1 635 1 720 2076 t 10 I f (q)1380 2076 w 10 R f (.)1430 2076 w 10 B f ( TIOCSPGRP, r\))2 736(3.7.1.2. ioctl\(d,)1 647 2 720 2316 t 10 R f ( be associated with the process group pointed to)8 1962(If the third argument is not a null pointer \(the stream is to)12 2358 2 720 2472 t (by)720 2592 w 10 I f (r)845 2592 w 10 R f (\):)884 2592 w (If userid of)2 443 1 970 2748 t 10 I f (p)1438 2748 w 10 R f (is not superuser then error)4 1042 1 1513 2748 t 10 CW f (EPERM)2580 2748 w 10 R f (.)2880 2748 w (Otherwise, if)1 521 1 970 2904 t 10 S f (\330)1516 2904 w 10 R f (Cap)1595 2904 w 7 R f (uarea)1767 2924 w 10 R f (\()1934 2904 w 10 I f (p)1975 2904 w 10 R f (\) then)1 230 1 2033 2904 t 10 B f (error)2288 2904 w 10 R f (.)2514 2904 w 10 S1 f ()720 3060 w 720 3060 m 100 build_rh 820 3060 m 10 R f ( writable, is subject to the security policy. As the)9 2014(The process group of a stream, being readable and)8 2056 2 970 3060 t (practical uses of this system call are akin to those of)10 2200 1 970 3180 t 10 I f (setpgrp,)3207 3180 w 10 R f (it is protected in the same way; see)7 1472 1 3568 3180 t (\2473.5.9.)970 3300 w 10 B f ( requests for process-exclusive access)4 1574(3.7.2. 
New)1 463 2 720 3540 t 10 R f ( requests)1 353(In these)1 313 2 970 3696 t 10 I f (f)1662 3696 w 10 R f (is the file)2 374 1 1716 3696 t 10 I f (f)2116 3696 w 10 R f (\()2160 3696 w 10 I f (d)2201 3696 w 10 R f (\);)2259 3696 w 10 I f (f)2346 3696 w 10 S f (\242)2396 3691 w 10 R f (is the other end when)4 858 1 2455 3696 t 10 I f (f)3339 3696 w 10 R f (is a pipe end; and)4 703 1 3393 3696 t 10 I f (r)4122 3696 w 10 R f (is a pointer, which, if)4 853 1 4187 3696 t (nonzero, points to a structure that is filled in on non-error returns as follows:)13 3057 1 720 3816 t 10 CW f ( {)1 120(struct pexclude)1 990 2 970 4032 t ( /*)1 270(int oldnear;)1 720 2 1480 4152 t 10 R f (previous value of)2 693 1 2530 4152 t 10 I f (X)3299 4152 w 10 R f (\()3368 4152 w 10 I f (f)3425 4152 w 10 R f (\))3477 4152 w 10 CW f (*/)3570 4152 w ( new value of)3 780( /*)1 270(int newnear;)1 720 3 1480 4272 t 10 I f (X)3310 4272 w 10 R f (\()3379 4272 w 10 I f (f)3436 4272 w 10 R f (\))3488 4272 w 10 CW f (*/)3581 4272 w ( /*)1 330(int farpid;)1 660 2 1480 4392 t 10 R f (0 if)1 187 1 2530 4392 t 10 I f (f)2801 4392 w 10 R f (not pipe or)2 433 1 2921 4392 t 10 I f (X)3430 4392 w 10 R f (\()3499 4392 w 10 I f (f)3556 4392 w 10 S f (\242)3606 4387 w 10 R f (\))3647 4392 w 10 S f (=)3728 4392 w 10 B f (unpexed)3823 4392 w 10 CW f (*/)4245 4392 w (/*)2350 4512 w 10 R f (otherwise)2530 4512 w 10 I f (H)2994 4512 w 10 R f (\()3074 4512 w 10 I f (f)3131 4512 w 10 S f (\242)3181 4507 w 10 R f (\))3222 4512 w 10 CW f (*/)3315 4512 w ( /*)1 330(int farcap;)1 660 2 1480 4632 t 10 R f (if)2530 4632 w 10 CW f (farpid)2667 4632 w 10 S f (\271)3103 4632 w 10 R f ( \()1 41( Cap)1 237(0 ,)1 83 3 3234 4632 t 10 I f (H)3603 4632 w 10 R f (\()3683 4632 w 10 I f (f)3740 4632 w 10 S f (\242)3790 4627 w 10 R f (\) \))1 74 1 3831 4632 t 10 CW f (*/)3965 4632 w ( /*)1 330(int faruid;)1 660 2 1480 4752 t 10 R f (if)2530 4752 w 10 CW f (farpid)2667 4752 w 10 S f (\271)3103 4752 w 10 R f ( of)1 108( userid)1 320(0 ,)1 83 3 
3234 4752 t 10 I f (H)3821 4752 w 10 R f (\()3901 4752 w 10 I f (f)3958 4752 w 10 S f (\242)4008 4747 w 10 R f (\))4049 4752 w 10 CW f (*/)4142 4752 w (};)970 4872 w 10 R f ( neither the requests)3 822(Process-exclusive requests applied to streams skip over line discipline modules;)9 3248 2 970 5088 t ( process-exclusive state is)3 1058( The)1 213( discipline.)1 447(nor their return values can be forged by using the message line)11 2602 4 720 5208 t (inherited across)1 629 1 720 5328 t 10 I f (exec.)1374 5328 w 10 CW f (FIOPX)970 5484 w 10 R f (and)1312 5484 w 10 CW f (FIONPX)1498 5484 w 10 R f ( in)1 121( Changes)1 412(affect the pexity of pipes as described by the following table.)10 2607 3 1900 5484 t (response to a request on file descriptor)6 1613 1 720 5604 t 10 I f (d)2370 5604 w 10 R f (occur at both ends; code pairs in the table represent)9 2156 1 2457 5604 t 10 I f (X)4649 5604 w 10 R f (\()4718 5604 w 10 I f (f)4775 5604 w 10 R f (\) and)1 213 1 4827 5604 t 10 I f (X)720 5724 w 10 R f (\()789 5724 w 10 I f (f)846 5724 w 10 S f (\242)896 5719 w 10 R f (\).)937 5724 w 10 S f (_ ___________________________________)1 1793 1 1983 5804 t 10 R f ( state)1 208(old new)1 965 2 2060 5924 t (state)2033 6044 w 10 CW f (FIOPX FIONPX)1 1085 1 2503 6044 t 10 S f (_ ___________________________________)1 1793 1 1983 6064 t 10 CW f ( 00)1 755(00 10)1 649 2 2064 6184 t ( 01)1 755(01 11)1 649 2 2064 6304 t ( 02)1 665(02 ECONC)1 739 2 2064 6424 t ( 00)1 755(10 10)1 649 2 2064 6544 t ( 00)1 755(20 20)1 649 2 2064 6664 t (11)2064 6784 w 10 S f (\347)2291 6804 w (\347)2291 6704 w (\347)2291 6604 w (\347)2291 6504 w (\347)2291 6404 w (\347)2291 6304 w (\347)2291 6204 w (\347)2291 6104 w (\347)2291 6004 w (\347)2291 5904 w 10 CW f (11)2593 6784 w 10 S f (\347)3016 6804 w (\347)3016 6764 w (\347)3016 6664 w (\347)3016 6564 w (\347)3016 6464 w (\347)3016 6364 w (\347)3016 6264 w (\347)3016 6164 w 10 CW f (02)3348 6784 w 10 S f (_ ___________________________________)1 1793 1 1983 
6804 t 10 CW f (0)2033 6924 w 10 S f (=)2133 6924 w 10 B f (unpexed)2228 6924 w 10 R f (,)2590 6924 w 10 CW f (1)2640 6924 w 10 S f (=)2740 6924 w 10 B f (pexed)2835 6924 w 10 R f (,)3085 6924 w 10 CW f (2)3135 6924 w 10 S f (=)3235 6924 w 10 B f (unpexing)3330 6924 w 10 S f ( \347)1 -1793(_ ___________________________________)1 1793 2 1983 6944 t (\347)1983 6904 w (\347)1983 6804 w (\347)1983 6704 w (\347)1983 6604 w (\347)1983 6504 w (\347)1983 6404 w (\347)1983 6304 w (\347)1983 6204 w (\347)1983 6104 w (\347)1983 6004 w (\347)1983 5904 w (\347)3776 6944 w (\347)3776 6904 w (\347)3776 6804 w (\347)3776 6704 w (\347)3776 6604 w (\347)3776 6504 w (\347)3776 6404 w (\347)3776 6304 w (\347)3776 6204 w (\347)3776 6104 w (\347)3776 6004 w (\347)3776 5904 w 10 S1 f ()720 7160 w 720 7160 m 100 build_rh 820 7160 m 10 R f ( requests return)2 631(The process-exclusive)1 896 2 970 7160 t 10 I f (bona fides)1 422 1 2530 7160 t 10 R f ( To)1 169(of the far process for use in establishing trust.)8 1886 2 2985 7160 t ( the duration of exclusivity, a pipe goes)7 1576(help assure that such trust does not unwittingly persist beyond)9 2494 2 970 7280 t cleartomark showpage saveobj restore %%EndPage: 28 28 %%Page: 29 29 /saveobj save def mark 29 pagesetup 10 R f (- 29 -)2 216 1 2772 480 t (into an)1 278 1 970 840 t 10 B f (unpexing)1276 840 w 10 R f (state, state 2 in the table, when one end goes from)10 2021 1 1700 840 t 10 B f (pexed)3749 840 w 10 R f (to)4027 840 w 10 B f (unpexed)4133 840 w 10 R f ( this state)2 384(. In)1 161 2 4495 840 t (the pipe is unusable and it remains so until both ends reach the)12 2503 1 970 960 t 10 B f (unpexed)3498 960 w 10 R f (state.)3885 960 w 10 B f ( FIOPX, r\))2 463(3.7.2.1. 
ioctl\(d,)1 647 2 720 1200 t 10 CW f (FIOPX)720 1356 w 10 R f (attempts to obtain for)3 858 1 1045 1356 t 10 I f (p)1928 1356 w 10 R f (exclusive access to the file)4 1064 1 2003 1356 t 10 I f (f)3092 1356 w 10 S f (=)3185 1356 w 10 I f (f)3297 1356 w 10 R f (\()3341 1356 w 10 I f (d)3382 1356 w 10 R f (\).)3440 1356 w (If)720 1512 w 10 I f (APX)811 1512 w 10 R f (\()1002 1512 w 10 I f (f)1059 1512 w 10 R f (\))1111 1512 w 10 S f (=)1201 1512 w 10 B f (false)1305 1512 w 10 R f (If)970 1668 w 10 I f (f)1061 1668 w 10 R f (is a directory then error)4 936 1 1114 1668 t 10 CW f (EISDIR)2075 1668 w 10 R f (.)2435 1668 w (Otherwise, error)1 653 1 970 1824 t 10 CW f (EPERM)1648 1824 w 10 R f (.)1948 1824 w (Flush the stream)2 661 1 720 1980 t 10 I f (f)1406 1980 w 10 R f (.)1434 1980 w (Set)720 2136 w 10 I f (H)873 2136 w 10 R f (\()953 2136 w 10 I f (f)1010 2136 w 10 R f (\) :)1 110 1 1062 2136 t 10 S f (=)1188 2136 w 10 I f (p)1292 2136 w 10 R f (.)1342 2136 w (If)720 2292 w 10 I f (f)811 2292 w 10 R f (is not a pipe set)4 622 1 864 2292 t 10 I f (X)1511 2292 w 10 R f (\()1580 2292 w 10 I f (f)1637 2292 w 10 R f (\))1689 2292 w 10 S f (=)1779 2292 w 10 B f (pexed)1883 2292 w 10 R f (and return 0.)2 507 1 2158 2292 t (Now)720 2448 w 10 I f (f)939 2448 w 10 R f (is a pipe.)2 358 1 992 2448 t (Set)720 2604 w 10 I f (X)873 2604 w 10 R f (\()942 2604 w 10 I f (f)999 2604 w 10 R f (\) and)1 202 1 1051 2604 t 10 I f (X)1278 2604 w 10 R f (\()1347 2604 w 10 I f (f)1404 2604 w 10 S f (\242)1454 2599 w 10 R f (\) according to the table in \2473.7.2.)6 1323 1 1495 2604 t (If process)1 390 1 720 2760 t 10 I f (H)1135 2760 w 10 R f (\()1215 2760 w 10 I f (f)1272 2760 w 10 S f (\242)1322 2755 w 10 R f (\) is waiting in)3 553 1 1363 2760 t 10 CW f (FIOPX)970 2916 w 10 R f (, it awakens and returns 0.)5 1045 1 1270 2916 t 10 CW f (FIONPX)970 3072 w 10 R f (, it awakens and returns 1.)5 1045 1 1330 3072 t 10 I f (select,)970 3228 w 10 R f (with)1247 3228 w 10 I f (f)1450 3228 w 10 S f 
(\242)1500 3223 w 10 R f (among the enabled file descriptors,)4 1400 1 1558 3228 t 10 I f (f)2983 3228 w 10 S f (\242)3033 3223 w 10 R f (becomes ready.)1 620 1 3091 3228 t 10 I f (read)970 3384 w 10 R f (or)1178 3384 w 10 I f (write)1286 3384 w 10 R f (on)1517 3384 w 10 I f (f)1642 3384 w 10 S f (\242)1692 3379 w 10 R f (, it awakens and returns error)5 1163 1 1725 3384 t 10 CW f (ECONC)2913 3384 w 10 R f (.)3213 3384 w (If)720 3540 w 10 I f (X)811 3540 w 10 R f (\()880 3540 w 10 I f (f)937 3540 w 10 R f (\))989 3540 w 10 S f (=)1079 3540 w 10 I f (X)1183 3540 w 10 R f (\()1252 3540 w 10 I f (f)1309 3540 w 10 S f (\242)1359 3535 w 10 R f (\))1400 3540 w 10 S f (=)1490 3540 w 10 B f (pexed)1594 3540 w 10 R f (return 0.)1 338 1 1869 3540 t (Otherwise wait, with timeout, for an answering)6 1886 1 720 3696 t 10 CW f (FIOPX)2631 3696 w 10 R f (or)2956 3696 w 10 CW f (FIONPX)3099 3696 w 10 R f (at the other end.)3 643 1 3484 3696 t (If the wait times out, return 1.)6 1193 1 720 3852 t 10 B f ( FIONPX, r\))2 535(3.7.2.2. 
ioctl\(d,)1 647 2 720 4092 t 10 R f ( end of a pipe or to terminate exclusive)8 1574(This request is used to reject an exclusive-access request at the other)11 2746 2 720 4248 t (access on a stream)3 739 1 720 4368 t 10 I f (f)1484 4368 w 10 S f (=)1577 4368 w 10 I f (f)1689 4368 w 10 R f (\()1733 4368 w 10 I f (d)1774 4368 w 10 R f (\).)1832 4368 w (Flush the stream)2 661 1 720 4524 t 10 I f (f)1406 4524 w 10 R f (.)1434 4524 w (Set)720 4680 w 10 I f (H)873 4680 w 10 R f (\()953 4680 w 10 I f (f)1010 4680 w 10 R f (\) :)1 110 1 1062 4680 t 10 S f (=)1188 4680 w 10 R f (0.)1292 4680 w (If)720 4836 w 10 I f (f)811 4836 w 10 R f (is not a pipe set)4 622 1 864 4836 t 10 I f (X)1511 4836 w 10 R f (\()1580 4836 w 10 I f (f)1637 4836 w 10 R f (\) :)1 110 1 1689 4836 t 10 S f (=)1815 4836 w 10 B f (unpexed)1919 4836 w 10 R f (and return 0.)2 507 1 2306 4836 t (Now)720 4992 w 10 I f (f)939 4992 w 10 R f (is a pipe.)2 358 1 992 4992 t (Set)720 5148 w 10 I f (X)873 5148 w 10 R f (\()942 5148 w 10 I f (f)999 5148 w 10 R f (\) and)1 202 1 1051 5148 t 10 I f (X)1278 5148 w 10 R f (\()1347 5148 w 10 I f (f)1404 5148 w 10 S f (\242)1454 5143 w 10 R f (\) according to the table in \2473.7.2.)6 1323 1 1495 5148 t (If process)1 390 1 720 5304 t 10 I f (H)1135 5304 w 10 R f (\()1215 5304 w 10 I f (f)1272 5304 w 10 S f (\242)1322 5299 w 10 R f (\) is waiting in)3 553 1 1363 5304 t 10 CW f (FIOPX)970 5460 w 10 R f (, it awakens and returns 1.)5 1045 1 1270 5460 t 10 CW f (FIONPX)970 5616 w 10 R f (, it awakens and returns 0.)5 1045 1 1330 5616 t 10 I f (select)970 5772 w 10 R f (with)1222 5772 w 10 I f (d)1425 5772 w 10 R f (\()1483 5772 w 10 I f (f)1540 5772 w 10 S f (\242)1590 5767 w 10 R f (\) among the enabled file descriptors,)5 1458 1 1631 5772 t 10 I f (d)3114 5772 w 10 R f (\()3172 5772 w 10 I f (f)3229 5772 w 10 S f (\242)3279 5767 w 10 R f (\) becomes ready.)2 678 1 3320 5772 t 10 I f (read)970 5928 w 10 R f (or)1178 5928 w 10 I f (write)1286 5928 w 10 R f (on)1517 5928 w 10 
I f (f)1642 5928 w 10 S f (\242)1692 5923 w 10 R f (, it awakens and returns)4 945 1 1725 5928 t 10 CW f (ECONC)2695 5928 w 10 R f (.)2995 5928 w (If)720 6084 w 10 I f (X)811 6084 w 10 R f (\()880 6084 w 10 I f (f)937 6084 w 10 R f (\))989 6084 w 10 S f (=)1079 6084 w 10 I f (X)1183 6084 w 10 R f (\()1252 6084 w 10 I f (f)1309 6084 w 10 S f (\242)1359 6079 w 10 R f (\))1400 6084 w 10 S f (=)1490 6084 w 10 B f (unpexed)1594 6084 w 10 R f (return 0.)1 338 1 1981 6084 t (Otherwise wait, with timeout, for an answering)6 1886 1 720 6240 t 10 CW f (FIOPX)2666 6240 w 10 R f (or)2991 6240 w 10 CW f (FIONPX)3099 6240 w 10 R f (at the other end.)3 643 1 3484 6240 t (If the wait times out, return 1.)6 1193 1 720 6396 t 10 B f ( FIOQX, r\))2 480(3.7.2.3. ioctl\(d,)1 647 2 720 6636 t 10 R f (This request queries pex state without changing it.)7 2009 1 720 6792 t (Return 0.)1 372 1 720 6948 t cleartomark showpage saveobj restore %%EndPage: 29 29 %%Page: 30 30 /saveobj save def mark 30 pagesetup 10 R f (- 30 -)2 216 1 2772 480 t 10 B f ( FIOAPX, r\), ioctl\(d, FIOANPX, r\))5 1489(3.7.2.4. 
ioctl\(d,)1 647 2 720 840 t 10 R f ( accept pex)2 480( The)1 221(These requests specify whether a stream will accept process-exclusive access requests.)10 3619 3 720 996 t (indicator)720 1116 w 10 I f (APX)1109 1116 w 10 R f (\()1300 1116 w 10 I f (f)1357 1116 w 10 R f (\) is initialized automatically when stream)5 1696 1 1409 1116 t 10 I f (f)3139 1116 w 10 S f (=)3232 1116 w 10 I f (f)3344 1116 w 10 R f (\()3388 1116 w 10 I f (d)3429 1116 w 10 R f ( remains)1 349(\) is first opened \(\2473.4.1\), and)5 1204 2 3487 1116 t (constant until changed by)3 1024 1 720 1236 t 10 CW f (FIOAPX)1769 1236 w 10 R f (or)2154 1236 w 10 CW f (FIOANPX)2262 1236 w 10 R f (or until last close.)3 711 1 2707 1236 t (If)720 1392 w 10 I f (f)811 1392 w 10 R f (is a pipe or is not a stream then error)9 1461 1 864 1392 t 10 CW f (ENOTTY)2350 1392 w 10 R f (.)2710 1392 w (If)720 1548 w 10 S f (\330)811 1548 w 10 R f (Cap)890 1548 w 7 R f (extern)1062 1568 w 10 R f (\()1253 1548 w 10 I f (p)1294 1548 w 10 R f (\) then error)2 448 1 1352 1548 t 10 CW f (ECONC)1825 1548 w 10 R f (.)2125 1548 w (If the request is)3 618 1 720 1704 t 10 CW f (FIOAPX)1363 1704 w 10 R f (set)1748 1704 w 10 I f (APX)1884 1704 w 10 R f (\()2075 1704 w 10 I f (f)2132 1704 w 10 R f (\) :)1 110 1 2184 1704 t 10 S f (=)2310 1704 w 10 B f (true)2414 1704 w 10 R f (.)2591 1704 w (If the request is)3 618 1 720 1860 t 10 CW f (FIOANPX)1363 1860 w 10 R f (set)1808 1860 w 10 I f (APX)1944 1860 w 10 R f (\()2135 1860 w 10 I f (f)2192 1860 w 10 R f (\) :)1 110 1 2244 1860 t 10 S f (=)2370 1860 w 10 B f (false)2474 1860 w 10 R f (.)2668 1860 w 10 B f ( requests for stream identifiers)4 1308(3.7.3. 
New)1 463 2 720 2100 t 10 R f (The requests)1 511 1 720 2256 t 10 CW f (FIOGSRC)1260 2256 w 10 R f (and)1710 2256 w 10 CW f (FIOSSRC)1884 2256 w 10 R f (get and set stream identifiers, null-terminated strings of at most 32)10 2706 1 2334 2256 t ( stream identifier typically records security-related information about the stream.)9 3227(characters. A)1 550 2 720 2376 t 10 B f ( FIOGSRC, s\))2 603(3.8. ioctl\(d,)1 497 2 720 2616 t 10 R f (Copy the stream identifier of)4 1154 1 720 2772 t 10 I f (d)1899 2772 w 10 R f (into the character array)3 921 1 1974 2772 t 10 I f (s)2920 2772 w 10 R f (.)2959 2772 w 10 B f ( FIOSSRC, s\))2 581(3.9. ioctl\(d,)1 497 2 720 3012 t 10 R f (If)720 3168 w 10 S f (\330)811 3168 w 10 R f (Cap)890 3168 w 7 R f (extern)1062 3188 w 10 R f (then error)1 390 1 1270 3168 t 10 CW f (ECONC)1685 3168 w 10 R f (.)1985 3168 w (Copy the null-terminated string pointed to by)6 1811 1 720 3324 t 10 I f (s)2556 3324 w 10 R f (into the stream identifier of)4 1093 1 2620 3324 t 10 I f (d)3738 3324 w 10 R f (.)3788 3324 w 10 B f ( of ioctl requests)3 696(3.9.1. Table)1 520 2 720 3564 t 10 R f (Let)970 3720 w 10 I f (d)1134 3720 w 10 R f (be the first argument of)4 961 1 1215 3720 t 10 I f (ioctl.)2207 3720 w 10 R f (In default of more careful analysis, requests should be checked)9 2573 1 2467 3720 t (with W\()1 330 1 720 3840 t 10 I f (f)1050 3840 w 10 R f (\()1094 3840 w 10 I f (d)1135 3840 w 10 R f (\)\); requests that return values should also be checked with R\()10 2440 1 1193 3840 t 10 I f (f)3633 3840 w 10 R f (\()3677 3840 w 10 I f (d)3718 3840 w 10 R f (\)\).)3776 3840 w ( covers only new)3 733( It)1 129( of particular requests is intended to be illustrative, not definitive.)10 2794(This table)1 414 4 970 3996 t ( all requests pertinent to network-)5 1375(requests and requests that are documented in the v10 manual, and omits)11 2945 2 720 4116 t ( based on v10, it has little bearing on other versions of)11 2170(ing. 
Being)1 442 2 720 4236 t 9 R f (UNIX)3355 4236 w 10 R f (.)3580 4236 w (The action entries mean)3 956 1 970 4392 t ( security checks)2 637(\(empty\) no)1 566 2 970 4608 t ( R\()1 125(R check)1 698 2 970 4728 t 10 I f (f)1793 4728 w 10 R f (\()1837 4728 w 10 I f (d)1878 4728 w 10 R f (\)\), \2473.1.5)1 366 1 1936 4728 t ( W\()1 152(W check)1 698 2 970 4848 t 10 I f (f)1820 4848 w 10 R f (\()1864 4848 w 10 I f (d)1905 4848 w 10 R f (\)\), \2473.1.7)1 366 1 1963 4848 t 10 S f (_ ________________________________________)1 2014 1 970 5024 t 10 R f ( Action)1 612( page)1 213(Request Man)1 764 3 1129 5144 t 10 S f (_ ________________________________________)1 2014 1 970 5154 t (_ ________________________________________)1 2014 1 970 5174 t (\347)970 5164 w (\347)970 5124 w (\347)1635 5164 w (\347)1635 5124 w (\347)2181 5164 w (\347)2181 5124 w (\347)2984 5164 w (\347)2984 5124 w 10 CW f (FIOCLEX)1020 5284 w 10 I f (ioctl)1710 5284 w 10 R f (\(2\))1982 5284 w 10 CW f (FIONCLEX)1020 5404 w 10 I f (ioctl)1710 5404 w 10 R f (\(2\))1982 5404 w 10 CW f (FIOACCEPT)1020 5524 w 10 I f (connld)1710 5524 w 10 R f (\(4\))1982 5524 w 10 CW f (FIOREJECT)1020 5644 w 10 I f (connld)1710 5644 w 10 R f (\(4\))1982 5644 w 10 CW f (MTIOCEEOT)1020 5764 w 10 I f (mt)1710 5764 w 10 R f (\(4\))1982 5764 w 10 CW f (MTIOCGET)1020 5884 w 10 I f (mt)1710 5884 w 10 R f (\(4\) R)1 341 1 1982 5884 t 10 CW f (MTIOCIEOT)1020 6004 w 10 I f (mt)1710 6004 w 10 R f (\(4\))1982 6004 w 10 CW f (MTIOCTOP)1020 6124 w 10 I f (mt)1710 6124 w 10 R f (\(4\) W)1 368 1 1982 6124 t 10 CW f (FIOANPX)1020 6244 w 10 I f (pex)1710 6244 w 10 R f (\(4\) \2473.7.2.4)1 599 1 1982 6244 t 10 CW f (FIOAPX)1020 6364 w 10 I f (pex)1710 6364 w 10 R f (\(4\) \2473.7.2.4)1 599 1 1982 6364 t 10 CW f (FIONPX)1020 6484 w 10 I f (pex)1710 6484 w 10 R f (\(4\) \2473.7.2.2)1 599 1 1982 6484 t 10 CW f (FIOPX)1020 6604 w 10 I f (pex)1710 6604 w 10 R f (\(4\) \2473.7.2.1)1 599 1 1982 6604 t 10 CW f (FIOQX)1020 6724 w 10 I f (pex)1710 6724 w 10 
R f (\(4\) \2473.7.2.3)1 599 1 1982 6724 t 10 CW f (PIOCGETPR)1020 6844 w 10 I f (proc)1710 6844 w 10 R f (\(4\) R)1 341 1 1982 6844 t 10 CW f (PIOCKILL)1020 6964 w 10 I f (proc)1710 6964 w 10 R f (\(4\) like)1 424 1 1982 6964 t 10 I f (kill)2431 6964 w 10 R f (, \2473.5.16)1 350 1 2559 6964 t 10 CW f (PIOCNICE)1020 7084 w 10 I f (proc)1710 7084 w 10 R f (\(4\) \2473.5.12)1 574 1 1982 7084 t 10 CW f (PIOCOPENT)1020 7204 w 10 I f (proc)1710 7204 w 10 R f (\(4\))1982 7204 w 10 S f (\347)970 7204 w (\347)970 7184 w (\347)970 7084 w (\347)970 6984 w (\347)970 6884 w (\347)970 6784 w (\347)970 6684 w (\347)970 6584 w (\347)970 6484 w (\347)970 6384 w (\347)970 6284 w (\347)970 6184 w (\347)970 6084 w (\347)970 5984 w (\347)970 5884 w (\347)970 5784 w (\347)970 5684 w (\347)970 5584 w (\347)970 5484 w (\347)970 5384 w (\347)970 5284 w (\347)1635 7204 w (\347)1635 7184 w (\347)1635 7084 w (\347)1635 6984 w (\347)1635 6884 w (\347)1635 6784 w (\347)1635 6684 w (\347)1635 6584 w (\347)1635 6484 w (\347)1635 6384 w (\347)1635 6284 w (\347)1635 6184 w (\347)1635 6084 w (\347)1635 5984 w (\347)1635 5884 w (\347)1635 5784 w (\347)1635 5684 w (\347)1635 5584 w (\347)1635 5484 w (\347)1635 5384 w (\347)1635 5284 w (\347)2181 7204 w (\347)2181 7184 w (\347)2181 7084 w (\347)2181 6984 w (\347)2181 6884 w (\347)2181 6784 w (\347)2181 6684 w (\347)2181 6584 w (\347)2181 6484 w (\347)2181 6384 w (\347)2181 6284 w (\347)2181 6184 w (\347)2181 6084 w (\347)2181 5984 w (\347)2181 5884 w (\347)2181 5784 w (\347)2181 5684 w (\347)2181 5584 w (\347)2181 5484 w (\347)2181 5384 w (\347)2181 5284 w (\347)2984 7204 w (\347)2984 7184 w (\347)2984 7084 w (\347)2984 6984 w (\347)2984 6884 w (\347)2984 6784 w (\347)2984 6684 w (\347)2984 6584 w (\347)2984 6484 w (\347)2984 6384 w (\347)2984 6284 w (\347)2984 6184 w (\347)2984 6084 w (\347)2984 5984 w (\347)2984 5884 w (\347)2984 5784 w (\347)2984 5684 w (\347)2984 5584 w (\347)2984 5484 w (\347)2984 5384 w (\347)2984 5284 w cleartomark showpage 
saveobj restore %%EndPage: 30 30 %%Page: 31 31 /saveobj save def mark 31 pagesetup 10 R f (- 31 -)2 216 1 2772 480 t 10 S f (_ ________________________________________)1 2014 1 970 740 t 10 R f ( Action)1 612( page)1 213(Request Man)1 764 3 1129 860 t 10 S f (_ ________________________________________)1 2014 1 970 870 t (_ ________________________________________)1 2014 1 970 890 t (\347)970 880 w (\347)970 840 w (\347)1635 880 w (\347)1635 840 w (\347)2181 880 w (\347)2181 840 w (\347)2984 880 w (\347)2984 840 w 10 CW f (PIOCREXEC)1020 1000 w 10 I f (proc)1710 1000 w 10 R f (\(4\))1982 1000 w 10 CW f (PIOCRUN)1020 1120 w 10 I f (proc)1710 1120 w 10 R f (\(4\))1982 1120 w 10 CW f (PIOCSEXEC)1020 1240 w 10 I f (proc)1710 1240 w 10 R f (\(4\))1982 1240 w 10 CW f (PIOCSMASK)1020 1360 w 10 I f (proc)1710 1360 w 10 R f (\(4\))1982 1360 w 10 CW f (PIOCSTOP)1020 1480 w 10 I f (proc)1710 1480 w 10 R f (\(4\))1982 1480 w 10 CW f (PIOCWSTOP)1020 1600 w 10 I f (proc)1710 1600 w 10 R f (\(4\))1982 1600 w 10 CW f (UIOCHAR)1020 1720 w 10 I f (ra)1710 1720 w 10 R f (\(4\) R)1 341 1 1982 1720 t 10 CW f (UIOREPL)1020 1840 w 10 I f (ra)1710 1840 w 10 R f (\(4\) W)1 368 1 1982 1840 t 10 CW f (UIORRCT)1020 1960 w 10 I f (ra)1710 1960 w 10 R f (\(4\) R)1 341 1 1982 1960 t 10 CW f (UIOWRCT)1020 2080 w 10 I f (ra)1710 2080 w 10 R f (\(4\) W)1 368 1 1982 2080 t 10 CW f (FIOGSRC)1020 2200 w 10 I f (stream)1710 2200 w 10 R f ( \2473.8)1 200(\(4\) R,)1 366 2 1982 2200 t 10 CW f (FIOINSLD)1020 2320 w 10 I f (stream)1710 2320 w 10 R f (\(4\) W)1 368 1 1982 2320 t 10 CW f (FIOLOOKLD)1020 2440 w 10 I f (stream)1710 2440 w 10 R f (\(4\) R)1 341 1 1982 2440 t 10 CW f (FIONREAD)1020 2560 w 10 I f (stream)1710 2560 w 10 R f (\(4\) R)1 341 1 1982 2560 t 10 CW f (FIOPOPLD)1020 2680 w 10 I f (stream)1710 2680 w 10 R f (\(4\) W)1 368 1 1982 2680 t 10 CW f (FIOPUSHLD)1020 2800 w 10 I f (stream)1710 2800 w 10 R f (\(4\) W)1 368 1 1982 2800 t 10 CW f (FIORCVFD)1020 2920 w 10 I f (stream)1710 2920 w 10 R f 
( \2473.7.1.1)1 350(\(4\) R,)1 366 2 1982 2920 t 10 CW f (FIOSNDFD)1020 3040 w 10 I f (stream)1710 3040 w 10 R f (\(4\) W)1 368 1 1982 3040 t 10 CW f (FIOSSRC)1020 3160 w 10 I f (stream)1710 3160 w 10 R f ( \2473.9)1 200(\(4\) W,)1 393 2 1982 3160 t 10 CW f (TIOCEXCL)1020 3280 w 10 I f (stream)1710 3280 w 10 R f (\(4\))1982 3280 w 10 CW f (TIOCFLUSH)1020 3400 w 10 I f (stream)1710 3400 w 10 R f (\(4\) W)1 368 1 1982 3400 t 10 CW f (TIOCGPGRP)1020 3520 w 10 I f (stream)1710 3520 w 10 R f (\(4\))1982 3520 w 10 CW f (TIOCNXCL)1020 3640 w 10 I f (stream)1710 3640 w 10 R f (\(4\))1982 3640 w 10 CW f (TIOCSBRK)1020 3760 w 10 I f (stream)1710 3760 w 10 R f (\(4\) W)1 368 1 1982 3760 t 10 CW f (TIOCSPGRP)1020 3880 w 10 I f (stream)1710 3880 w 10 R f (\(4\) \2473.7.1.2)1 599 1 1982 3880 t 10 CW f (TIOCGDEV)1020 4000 w 10 I f (tty)1710 4000 w 10 R f (\(4\) R)1 341 1 1982 4000 t 10 CW f (TIOCSDEV)1020 4120 w 10 I f (tty)1710 4120 w 10 R f (\(4\) W)1 368 1 1982 4120 t 10 CW f (TIOCGETC)1020 4240 w 10 I f (ttyld)1710 4240 w 10 R f (\(4\) R)1 341 1 1982 4240 t 10 CW f (TIOCGETP)1020 4360 w 10 I f (ttyld)1710 4360 w 10 R f (\(4\) R)1 341 1 1982 4360 t 10 CW f (TIOCSETC)1020 4480 w 10 I f (ttyld)1710 4480 w 10 R f (\(4\) W)1 368 1 1982 4480 t 10 CW f (TIOCSETP)1020 4600 w 10 I f (ttyld)1710 4600 w 10 R f (\(4\) W)1 368 1 1982 4600 t 10 S f (\347)970 4600 w (\347)970 4500 w (\347)970 4400 w (\347)970 4300 w (\347)970 4200 w (\347)970 4100 w (\347)970 4000 w (\347)970 3900 w (\347)970 3800 w (\347)970 3700 w (\347)970 3600 w (\347)970 3500 w (\347)970 3400 w (\347)970 3300 w (\347)970 3200 w (\347)970 3100 w (\347)970 3000 w (\347)970 2900 w (\347)970 2800 w (\347)970 2700 w (\347)970 2600 w (\347)970 2500 w (\347)970 2400 w (\347)970 2300 w (\347)970 2200 w (\347)970 2100 w (\347)970 2000 w (\347)970 1900 w (\347)970 1800 w (\347)970 1700 w (\347)970 1600 w (\347)970 1500 w (\347)970 1400 w (\347)970 1300 w (\347)970 1200 w (\347)970 1100 w (\347)970 1000 w (\347)1635 4600 w 
(\347)1635 4500 w (\347)1635 4400 w (\347)1635 4300 w (\347)1635 4200 w (\347)1635 4100 w (\347)1635 4000 w (\347)1635 3900 w (\347)1635 3800 w (\347)1635 3700 w (\347)1635 3600 w (\347)1635 3500 w (\347)1635 3400 w (\347)1635 3300 w (\347)1635 3200 w (\347)1635 3100 w (\347)1635 3000 w (\347)1635 2900 w (\347)1635 2800 w (\347)1635 2700 w (\347)1635 2600 w (\347)1635 2500 w (\347)1635 2400 w (\347)1635 2300 w (\347)1635 2200 w (\347)1635 2100 w (\347)1635 2000 w (\347)1635 1900 w (\347)1635 1800 w (\347)1635 1700 w (\347)1635 1600 w (\347)1635 1500 w (\347)1635 1400 w (\347)1635 1300 w (\347)1635 1200 w (\347)1635 1100 w (\347)1635 1000 w (\347)2181 4600 w (\347)2181 4500 w (\347)2181 4400 w (\347)2181 4300 w (\347)2181 4200 w (\347)2181 4100 w (\347)2181 4000 w (\347)2181 3900 w (\347)2181 3800 w (\347)2181 3700 w (\347)2181 3600 w (\347)2181 3500 w (\347)2181 3400 w (\347)2181 3300 w (\347)2181 3200 w (\347)2181 3100 w (\347)2181 3000 w (\347)2181 2900 w (\347)2181 2800 w (\347)2181 2700 w (\347)2181 2600 w (\347)2181 2500 w (\347)2181 2400 w (\347)2181 2300 w (\347)2181 2200 w (\347)2181 2100 w (\347)2181 2000 w (\347)2181 1900 w (\347)2181 1800 w (\347)2181 1700 w (\347)2181 1600 w (\347)2181 1500 w (\347)2181 1400 w (\347)2181 1300 w (\347)2181 1200 w (\347)2181 1100 w (\347)2181 1000 w (\347)2984 4600 w (\347)2984 4500 w (\347)2984 4400 w (\347)2984 4300 w (\347)2984 4200 w (\347)2984 4100 w (\347)2984 4000 w (\347)2984 3900 w (\347)2984 3800 w (\347)2984 3700 w (\347)2984 3600 w (\347)2984 3500 w (\347)2984 3400 w (\347)2984 3300 w (\347)2984 3200 w (\347)2984 3100 w (\347)2984 3000 w (\347)2984 2900 w (\347)2984 2800 w (\347)2984 2700 w (\347)2984 2600 w (\347)2984 2500 w (\347)2984 2400 w (\347)2984 2300 w (\347)2984 2200 w (\347)2984 2100 w (\347)2984 2000 w (\347)2984 1900 w (\347)2984 1800 w (\347)2984 1700 w (\347)2984 1600 w (\347)2984 1500 w (\347)2984 1400 w (\347)2984 1300 w (\347)2984 1200 w (\347)2984 1100 w (\347)2984 1000 w cleartomark 
showpage saveobj restore %%EndPage: 31 31 %%Page: 32 32 /saveobj save def mark 32 pagesetup 10 R f (- 32 -)2 216 1 2772 480 t 10 B f (References)720 840 w 10 R f ( Bell Laboratories Computing Science Research Center,)6 2238([1] AT&T)1 463 2 889 1056 t 10 I f (UNIX Research System)2 1261 1 3779 1056 t (Programmer's Manual)1 924 1 1080 1176 t 10 R f (, Vol. 1, Saunders, Philadelphia \(1990\).)5 1582 1 2004 1176 t ( V/MLS labeling and mandatory policy alternatives,'')6 2258( C. W. and Weiss, J. D., ``System)7 1465([2] Flink,)1 428 3 889 1356 t 10 I f (AT&T Tech. J.)2 589 1 1080 1476 t 10 B f (67)1694 1476 w 10 R f (, pp. 53-64 \(\).)3 549 1 1794 1476 t ( M., Lund, E., and Salemi, C. A., ``Challenges of)9 2055( D., Ferrigno, J., Green, G. B., Hondo,)7 1597([3] Bendet,)1 499 3 889 1656 t (trust: enhanced security for)3 1089 1 1080 1776 t 8 R f (UNIX)2194 1776 w 10 R f (System V,'')1 483 1 2419 1776 t 10 I f (Proceedings, Winter Uniforum Conference)3 1720 1 2927 1776 t 10 R f (\(1989\).)4672 1776 w ( of Defense Computer Security Center,)5 1558([4] Department)1 662 2 889 1956 t 10 I f ( Trusted Computer Sys-)3 965(Department of Defense)2 936 2 3139 1956 t (tem Evaluation Criteria)2 956 1 1080 2076 t 10 R f (, US Department of Defense, Fort Meade, MD \(15 August 1983\).)10 2612 1 2036 2076 t ( D. E. R.,)3 375([5] Denning,)1 560 2 889 2256 t 10 I f (Cryptography and Data Security)3 1313 1 1849 2256 t 10 R f (, Addison-Wesley, Reading, MA \(1982\).)4 1631 1 3162 2256 t cleartomark showpage saveobj restore %%EndPage: 32 32 %%Trailer done %%Pages: 32 %%DocumentFonts: Universal-MathSix Courier Times-Bold Times-Italic Times-Roman Times-Roman Symbol Helvetica-Bold