Next: Monitors Up: Implementation Previous: IPC Redirection

Operations


Monitors need to be able to determine how to authorize an operation intercepted in an IPC. Given that new processes may be loaded with new interfaces, the monitors need a standard mechanism for deriving authorization requirements from interface information. This mechanism must be able to determine whether the operation is a bind or active operation, the type of object to which the operation applies, and which operands need to be authorized and the operations for each. The latter is particularly complex for bind operations because the real authorization requirements for the operation are placed in an operand.

We define an object for representing the authorization semantics of an operation below.

The actual operation authorization entry used is retrieved from an operations table accessible to all monitors. This table is updated by the process load server (via add only, so no concurrency problems exist). The server and operation number are used to retrieve the entry. The a_type field indicates the operation type (bind or active) and whether no operands, only the first operand, or some other authorization is required. This lets the monitor select the fastest code path for authorization. The operands vector lists the authorization requirements for each operand. The o_type specifies the type of the operand. The ops_operand identifies the operand that determines the operations to be authorized. In a file open, for example, the second argument determines whether the open is for read, write, and/or append. The ops_operand may indicate that either: (1) the requested operation itself is to be authorized; (2) a new set of operations is to be authorized; or (3) the operations to be authorized are determined by the value of an operand. In the third case, the op_vector maps the value of the ops_operand to the operations to be authorized.

This mechanism should suffice for many UNIX system calls and method invocations. For example, in file open and socket connect system calls only one operand needs to be authorized. In an object-oriented system, the first operand refers to the only object being operated upon, so only the operations on that object need to be checked. Other objects are passed as OIDs and cannot be accessed unless one of their methods is invoked (and authorized, if necessary).
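The operations-table lookup described in the two paragraphs above, as an added example that is not part of the paper: the field names a_type, o_type, ops_operand and op_vector are taken from the text, while the sample entries, the server names and operation numbers, and the open flag values (modelled on the Linux O_* constants) are constructed assumptions. It derives the authorization requirements for an intercepted call from the table entry and, for a file open, maps the second argument onto read, write and append.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
class AType(Enum):
    BIND = auto()     # operation creates a reference (binding) to an object
    ACTIVE = auto()   # operation acts on an object the caller already holds
class OpsMode(Enum):
    REQUESTED = auto()  # (1) authorize the requested operation itself
    FIXED = auto()      # (2) authorize a fixed, new set of operations
    BY_VALUE = auto()   # (3) operations are selected by an operand's value
@dataclass
class OperandReq:
    o_type: str                 # object type of this operand
    ops_mode: OpsMode
    ops_operand: int = -1       # index of the operand whose value selects the ops
    fixed_ops: frozenset = frozenset()
    op_vector: tuple = ()       # rows (mask, value, ops): a row applies if arg & mask == value
@dataclass
class OpEntry:
    a_type: AType
    operands: dict = field(default_factory=dict)  # operand index -> OperandReq; {} = none to check

OPS_TABLE: dict = {}  # (server, operation number) -> OpEntry, filled by the load server
def add_entry(server: str, opnum: int, entry: OpEntry) -> None:
    if (server, opnum) in OPS_TABLE:
        raise ValueError("operations table is add-only")  # entries never change: no reader locks
    OPS_TABLE[(server, opnum)] = entry

def derive_requirements(server: str, opnum: int, op_name: str, args: list) -> list:
    """Return [(operand index, o_type, ops to authorize), ...] for an intercepted IPC."""
    entry = OPS_TABLE[(server, opnum)]   # entry.a_type tells the monitor bind vs. active
    reqs = []
    for idx, req in entry.operands.items():
        if req.ops_mode is OpsMode.REQUESTED:
            ops = {op_name}
        elif req.ops_mode is OpsMode.FIXED:
            ops = set(req.fixed_ops)
        else:  # BY_VALUE: walk the op_vector against the selecting operand's value
            val = args[req.ops_operand]
            ops = {op for mask, value, row in req.op_vector if val & mask == value for op in row}
        reqs.append((idx, req.o_type, frozenset(ops)))
    return reqs

# Constructed sample entries. Flag values mirror Linux O_* constants but are assumed here.
O_WRONLY, O_RDWR, O_APPEND, ACCMODE = 0o1, 0o2, 0o2000, 0o3
add_entry("fs", 5, OpEntry(AType.BIND, {0: OperandReq("file", OpsMode.BY_VALUE, ops_operand=1,
    op_vector=((ACCMODE, 0, ("read",)), (ACCMODE, O_WRONLY, ("write",)),
               (ACCMODE, O_RDWR, ("read", "write")), (O_APPEND, O_APPEND, ("append",))))}))
add_entry("net", 3, OpEntry(AType.ACTIVE, {0: OperandReq("socket", OpsMode.REQUESTED)}))
add_entry("clock", 1, OpEntry(AType.ACTIVE))  # zero operands need authorization: fastest path
```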



Trent Jaeger
Tue Dec 9 10:40:18 EST 1997