z/OS UNIX System Services File System Interface Reference


PFS support for multilevel security

z/OS UNIX System Services File System Interface Reference
SA23-2285-00

To support multilevel security, a PFS must provide the following capabilities:
  • vn_link:
    If a link is attempted to a character special file, and there is a security label on the file or on the directory for the new link, the vn_link call will fail with EPERM. If the ZCredSeclablActive flag is on, the following checks should be done:
    1. If zCredSeclablRequired is on and the object has no security label, the zCredROSeclabel should be used as the object security label for all subsequent checks.
    2. If the directory for the new link has a security label of SYSMULTI, no further security label checking is necessary.
    3. If the directory for the new link has no security label, or has a security label other than SYSMULTI, a check for equality must be done between the security label of the directory and the security label of the file. If the values are equal, no further security label checking is necessary.
    4. If the equality check fails, an equivalence check must be made, using the dominance service, to verify that the security label of the directory and the security label of the file are equivalent. The call to check security label equivalence should look like this:
      RACROUTE REQUEST=DIRAUTH,RSECLABEL=(x),TYPE=EQUALMAC,USERSECLABEL=(y)
      where x and y are registers that contain the addresses for the security labels.
  • vn_readdir:
    If the ZCredSeclablActive flag is set, the following checks should be done:
    1. If zCredSeclablRequired is on and the directory has no security label, the zCredROSeclabel should be used as the object security label for all subsequent checks.
    2. If the directory has a security label of SYSMULTI, a dominance check for read should be made between the user's security label and the security label of each entry in the directory. The user's security label is passed in the ZCredSeclabel field. If the security label of the directory entry is SYSMULTI or SYSLOW, the dominance check can be bypassed. If the dominance check fails, the directory entry should be excluded from the output buffer. The dominance check should look like this:
      RACROUTE REQUEST=DIRAUTH,RSECLABEL=(x),ACCESS=READ,USERSECLABEL=(y)
      where x and y are registers that contain the addresses for the security labels.
    Note:
    1. The PFS may cache object security labels to avoid rechecking for labels that have already passed the dominance check. A good cache is likely to result in a single check for each unique security label per readdir call.
    2. No indication will be returned from the PFS if some names were excluded from the output buffer.
    3. Discrepancy between the apparent number of entries in a directory and the number that can be read is acceptable.
    4. The LFS will not filter names based on security label when it does a readdir2 for a PFS that does not support security labels. Any PFS that supports security labels must also support readdir2.
    5. When the index method is used to read a directory, the meaning of the index is not the relative name in the directory, but the relative name that the user can access. For example, if the request is to return entries beginning with entry 10, the PFS must start at the first entry and verify dominance on each name until the 10th name that the user is permitted to see is found, and start returning names that can be seen from that point.
  • vn_readlink:
    If the zCredSeclablActive flag is set, the following checks should be done:
    1. If zCredSeclablRequired is on and the directory has no security label, the zCredROSeclabel should be used as the object security label for all subsequent checks. If this flag is on, and the resulting object security label continues to be null because no value was provided by zCredROSeclabel, vn_readlink should return with a failure of EACCES.
    2. A dominance check should be performed between the user's security label and the security label of the symbolic link. The user's security label is passed in the zCredSeclabel field. If the security label of the directory entry is SYSMULTI or SYSLOW, the dominance check can be bypassed. If the dominance check fails, the vn_readlink should return with a failure of EPERM. The dominance check should look like this:
      RACROUTE REQUEST=DIRAUTH,RSECLABEL=(x),ACCESS=READ,USERSECLABEL=(y)
      where x and y are registers that contain the addresses for the security labels.
  • vn_setattr:
    If the AttrSeclabelChg flag is set, a call to the SAF callable service IRRSSB00 should be made to set the security label for the file. The new security label is passed in the zCredSeclabel field, which is passed to SAF. The PFS does not have to access the new or the old security label.
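The vn_readdir filtering described above (step 1's zCredSeclablRequired substitution, step 2's per-entry dominance check with the SYSMULTI/SYSLOW bypass, and the index semantics of note 5), as an added example in C that is not IBM's code. The RACROUTE REQUEST=DIRAUTH call is replaced by a constructed toy label model (level plus category bitmask), and the sample directory, the user label and the exclusion of an entry that is still unlabelled after step 1 are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed toy label: a level plus a category bitmask; SYSMULTI and
 * SYSLOW are recognised by name, as the page describes. */
typedef struct { const char *name; int level; unsigned cats; } seclabel;
typedef struct { const char *name; const seclabel *label; } dirent_t;

/* Stand-in for RACROUTE REQUEST=DIRAUTH,ACCESS=READ (constructed, not SAF):
 * user dominates when its level is >= and its categories are a superset. */
static int dominates_read(const seclabel *user, const seclabel *obj) {
    return user->level >= obj->level && (obj->cats & ~user->cats) == 0;
}

/* Step 1: with zCredSeclablRequired on, an unlabelled object (NULL here)
 * takes the zCredROSeclabel value for all further checks. */
static const seclabel *effective_label(const seclabel *obj, int required,
                                       const seclabel *ro_label) {
    return (obj == NULL && required) ? ro_label : obj;
}

/* Step 2 and note 5 for a SYSMULTI directory: scan from the first entry,
 * silently drop entries the user cannot read, and count 'start' over the
 * names the user may see rather than over raw directory positions. */
static int readdir_filtered(const dirent_t *ent, int n, const seclabel *user,
                            int required, const seclabel *ro_label,
                            int start, const char **out, int outmax) {
    int seen = 0, copied = 0;
    for (int i = 0; i < n && copied < outmax; i++) {
        const seclabel *obj = effective_label(ent[i].label, required, ro_label);
        int bypass = obj && (!strcmp(obj->name, "SYSMULTI") ||
                             !strcmp(obj->name, "SYSLOW"));
        /* Still unlabelled after step 1: excluded (assumption; page is silent). */
        if (!bypass && (!obj || !dominates_read(user, obj)))
            continue;
        if (seen++ >= start)
            out[copied++] = ent[i].name;
    }
    return copied;
}

/* Constructed sample directory; the user holds level 2, category bit 1. */
static const seclabel MULTI = {"SYSMULTI", 0, 0}, LOW = {"SYSLOW", 0, 0},
    L1C1 = {"L1C1", 1, 1}, L3C1 = {"L3C1", 3, 1}, L2C3 = {"L2C3", 2, 3};
static const dirent_t SAMPLE[] = { {"a", &L1C1}, {"b", &L3C1}, {"c", &MULTI},
    {"d", NULL}, {"e", &L2C3}, {"f", &LOW}, {"g", &L1C1} };
static const seclabel USER = {"USER", 2, 1};
int main(void) {                        /* start at visible entry 2 */
    const char *out[8];
    int n = readdir_filtered(SAMPLE, 7, &USER, 1, &LOW, 2, out, 8);
    for (int i = 0; i < n; i++) printf("%s\n", out[i]);
    return 0;
}
```

With zCredSeclablRequired on, entry "d" takes SYSLOW and is visible, so "start at visible entry 2" yields d, f, g; with it off, "d" stays unlabelled and is excluded, so the same request yields f, g.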

Copyright IBM Corporation 1990, 2014