credentials.rst - OpenGrok cross reference for /Documentation/security/credentials.rst

Lines Matching +full:per +full:- +full:context
20 	- Tasks
21 	- Files/inodes
22 	- Sockets
23 	- Message queues
24 	- Shared memory segments
25 	- Semaphores
26 	- Keys
40  3. The objective context.
43      indicates the 'objective context' of that object.  This may or may not be
44      the same set as in (2) - in standard UNIX files, for instance, this is the
47      The objective context is used as part of the security calculation that is
61      the file struct will have a subjective context too.
63  5. The subjective context.
66      of its credentials forms the 'subjective context'.  The subjective context
71      group list for when it is acting upon a file - which are quite separate
72      from the real UID and GID that normally form the objective context of the
87      involves taking the subjective context, the objective context and the
103 	 ('read', 'write' and 'execute' - whatever those map to for the object
129 	- Real User ID
130 	- Real Group ID
134      derived from Windows).  These (mostly) define the objective context of
137 	- Effective, Saved and FS User ID
138 	- Effective, Saved and FS Group ID
139 	- Supplementary groups
142      EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID
148 	- Set of permitted capabilities
149 	- Set of inheritable capabilities
150 	- Set of effective capabilities
151 	- Capability bounding set
192 	Per-thread keying
193 	Per-process keyring
194 	Per-session keyring
213      This is a socket-based approach to credential management for networking
219 When a file is opened, part of the opening task's subjective context is
221 struct to use those credentials instead of the subjective context of the task
231 objective security context of that file.  Depending on the type of filesystem,
241 These are compared to the task's subjective security context, and certain
273 To alter anything in the cred struct, the copy-and-replace principle must be
282 longer permit attachment to process-specific keyrings in the requesting
287 ---------------------
305 --------------------------
309 -- which simplifies things greatly.  It can just call::
358 ------------------------------------
376 		f->uid = tcred->uid;
377 		f->gid = tcred->gid;
378 		f->groups = get_group_info(tcred->groups);
404 	__task_cred(task)->uid
405 	__task_cred(task)->euid
418 where 'member' is a non-pointer member of the cred struct.  For instance::
428 --------------------
439 this locks current->cred_replace_mutex and then allocates and constructs a
468 actually commit the new credentials to ``current->cred``, it will release
469 ``current->cred_replace_mutex`` to allow ``ptrace()`` to take place, and it
472 This function is guaranteed to return 0, so that it can be tail-called at the
488 This releases the lock on ``current->cred_replace_mutex`` that
501 			return -ENOMEM;
503 		new->suid = suid;
515 --------------------
519  - ``void put_cred(const struct cred *cred);``
525  - ``const struct cred *get_cred(const struct cred *cred);``
530  - ``struct cred *get_new_cred(struct cred *cred);``
541 ``f_uid`` and ``f_gid``.  Code that used to access ``file->f_uid`` and
542 ``file->f_gid`` should now access ``file->f_cred->fsuid`` and
543 ``file->f_cred->fsgid``.