The document summarizes key aspects of the Linux kernel organization and functionality. It discusses process management facilities, security features like access control and auditing, memory management using paging and segmentation, generic I/O interfaces, filesystem support for files and directories, terminal handling, interprocess communication using sockets, and network communication support using protocols. Device management, file systems anchored as trees with mounts and unmounts, and inter-process communication domains are also outlined.
The document summarizes key aspects of the Linux kernel organization and functionality. It discusses process management facilities, security features like access control and auditing, memory management using paging and segmentation, generic I/O interfaces, filesystem support for files and directories, terminal handling, interprocess communication using sockets, and network communication support using protocols. Device management, file systems anchored as trees with mounts and unmounts, and inter-process communication domains are also outlined.
The document summarizes key aspects of the Linux kernel organization and functionality. It discusses process management facilities, security features like access control and auditing, memory management using paging and segmentation, generic I/O interfaces, filesystem support for files and directories, terminal handling, interprocess communication using sockets, and network communication support using protocols. Device management, file systems anchored as trees with mounts and unmounts, and inter-process communication domains are also outlined.
The document summarizes key aspects of the Linux kernel organization and functionality. It discusses process management facilities, security features like access control and auditing, memory management using paging and segmentation, generic I/O interfaces, filesystem support for files and directories, terminal handling, interprocess communication using sockets, and network communication support using protocols. Device management, file systems anchored as trees with mounts and unmounts, and inter-process communication domains are also outlined.
• Terminal-handling support: the pseudo-terminal interface and terminal line disciplines
• Interprocess-communication facilities: sockets
• Support for network communication: communication protocols and generic network facilities, such as routing Table 2.1 Table 2.2 Process Management • Multi-Tasking • Process Context – User level state • Address space state • Runtime env • Kernel state – Scheduling parameters – Resource controls – Id info Process Management • Process Identifier (PID) – Used by Kernel and User to reference a process • New process (child) is cloned from an existing (parents) process. – fork – Inherits properties of the parent • Think extends in OOP. – Implies that the new process will execute in the resource env of the parent. • Address space • Permissions etc. Fig 2.1
• execve – execute new process from a file.
– Overlay will get parameters from memory address space of parent. • exit – terminates and returns info back to parent. – Implies that if parent exits so must all children – Implies that process priority of parent is inherited by child. Security • A self-protecting Trusted Computing Base (TCB) guarantees enough system integrity to implement features such as multiple users and key storage. • Strong process isolation using virtual memory ensures that the kernel is protected from user code, and that user processes are protected from one another • Identification and instrumentation of security-relevant operations throughout the kernel to implement access control, resource limits, and event auditing • A coherent privilege model, internal to the kernel, that allows exceptional operations (such as system administration, device-driver implementations) to occur in a structured way despite being outside the regular access-control model • Design abstractions that facilitate future security models, as well as security localization in downstream products; for example, clean separation of policy and mechanism, object-oriented • structure (subject to the limitations of C), and a user space capability-system model providing protection, rather than policy, as the primitive for application compartmentalization • Cryptographic primitives, such as secure random number generation and a library of encryption and signature functions, that can support many different higher-level operatingsystem features and applications • Process Credentials – UID – user id – GID – group id – Passed to processes to allow execution access. – Setuid & Setgid allow processes to run at elevated priveledges. • Privilege Model – Up to 200 privilege model • Old model consisted of 2 – 0 root – other • Jails – Virtualization which limits a group or processes • Limited file system • Memory • Access to system-calls • Can provide duplication of file systems into the Jail • Mandatory Access Control –MAC – Similar to Windows security policy system – Policies are associated to processes to govern access rights. • Cryptography – Kernel has built in Random number generator • Sys-call – Unidirectional hashes • Memory Mgmt – All processes run in a segmented system • Stack, code, heap – Enforces restrictions rwx • Each segment is paged to VM – Allows for memory overlays between kernel and processes, for data transfer. – Kernel memory is non-paged • Accessed from a dedicated pool – Malloc and free • Descriptors – Can be thought of as a file handle or pointer • Contains meta info about resource – Security info etc. – 7 types of IO • File • Pipe – STD out to STD in between processes • Fifo – named Pipe, which has file system control • Socket – named data stream which can be created between 2 processes, Network capable. • PosIX IPC – message queue, shared memory, semaphores • Event Queue – queue of events which control several processes. • Process descriptors – meta security and control data for a set of processes. Devices • Devices must operate dynamically. – Connected and disconnected. – PnP system – Requires OS to load and unload drivers as required. – When a new device is added Kernel must initiate a configuration process. File Systems • Anchored as a tree with a root. – chroot can set the current root for a process. – Only executable by superuser priveledge. • Processes can be restricted to sub-trees of the file system. – Any process can chdir to traverse the tree. – Root file system can link any device with a file system to it. • mount • unmount • Each directory of the file system can have 3 levels of access. – Owner, Group, Everyone – Each of above set to rwx using chmod – Access control lists further can restrict access to specific users. NFS • Network File System. – Required so multiple users can access a common resource. • servers – Provides file locking, caching, and access right control. Inter-process Communications • 3 types of domains – Local • Processes running on the local machine – IPv4 and IPv6 • Allows for communications over a network • Sockets provide connection streams between processes. – Binding a name to a socket creates a file – Binding an IP creates a network tunnel. The End
