IBM 10 SP1 EAL4 Server User Manual


 
Figure 5-12: The task structure
The kernel maintains a circular doubly-linked list of all existing process descriptors. The head of the list is the
init_task descriptor referenced by the first element of the task array. The init_task descriptor
belongs to process 0 or the swapper, the ancestor of all processes.
5.2.2 Process creation and destruction
The SLES kernel provides these system calls for creating a new process: clone(), fork(), and
vfork(). When a new process is created, resources owned by the parent process are duplicated in the child
process. Because this duplication is done using memory regions and demand paging, the object reuse
requirement is satisfied.
The vfork() system call differs from fork() by sharing the address space of its parent. To prevent the
parent from overwriting data needed by the child, the execution of the parent is blocked until the child exits or
executes a new program. Lightweight processes are created using the clone() system call, which allows
both the parent and the child to share many per-process kernel data structures such as paging tables, open file
tables, and signal dispositions.
5.2.2.1 Control of child processes
The child process inherits the parent’s security-relevant credentials, including uid, euid, gid, and egid.
Because these credentials are used for access control decisions, the child is given the same level of access to
objects as the parent. The credentials of a child change when it starts executing a new program or issues
suitable system calls, which are listed as follows:
5.2.2.2 DAC controls
5.2.2.2.1 setuid() and setgid()
These set the effective user and group ID of the current process. If the effective user ID of the caller is root,
then the real and saved user and group IDs are also set.
5.2.2.2.2 seteuid() and setegid()
These set the effective user and group ID of the current process. Normal user processes may only set the
effective user and group ID to the real user and group ID, the effective user and group ID, or the saved user
and group ID.
5.2.2.2.3 setreuid() and setregid()
These set the real and effective user and group IDs of the current process. Normal users may only set the real
user and group ID to the real user and group ID or the effective user and group ID, and can only set the
effective user and group ID to the real user and group ID, the effective user and group ID or the saved user
and group ID. If the real user and group ID is set or the effective user and group ID is set to a value not equal
to the previous real user and group ID, the saved user and group ID is set to the new effective user and group
ID.
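The following C model is an added example, not code from this manual or from the SLES kernel. It applies the seteuid() and setreuid() rules of 5.2.2.2.2 and 5.2.2.2.3 to user IDs only, and shows that a set-UID root program that lowers its effective ID with seteuid() keeps a saved ID of 0, while setreuid() overwrites the saved ID. Assumptions: the struct and function names are hypothetical, a privileged caller is approximated as euid == 0, and uid 1000 is a constructed sample value.

```c
/* User-space model of the UID rules in this section; "privileged" assumed to mean euid == 0. */
#include <stdbool.h>
#include <stdio.h>
#define KEEP (-1L)  /* setreuid(2) convention: -1 leaves that ID unchanged */
struct cred { long ruid, euid, suid; };

static bool one_of(long v, long a, long b, long c) { return v == a || v == b || v == c; }

/* seteuid(): only the effective ID changes; the saved ID is untouched. */
int model_seteuid(struct cred *c, long e)
{
    if (c->euid != 0 && !one_of(e, c->ruid, c->euid, c->suid))
        return -1;                               /* normal user, ID not allowed */
    c->euid = e;
    return 0;
}

/* setreuid(): real and effective change, and the saved ID may be rewritten. */
int model_setreuid(struct cred *c, long r, long e)
{
    long old_ruid = c->ruid;
    bool priv = (c->euid == 0);
    if (!priv && r != KEEP && r != c->ruid && r != c->euid) return -1;
    if (!priv && e != KEEP && !one_of(e, c->ruid, c->euid, c->suid)) return -1;
    if (r != KEEP) c->ruid = r;
    if (e != KEEP) c->euid = e;
    if (r != KEEP || (e != KEEP && e != old_ruid))
        c->suid = c->euid;                       /* saved ID follows new euid */
    return 0;
}

/* True if a later seteuid(0) would succeed, i.e. the drop was only temporary. */
bool can_regain_root(struct cred c) { return model_seteuid(&c, 0) == 0; }

/* Constructed scenario: set-UID root program run by uid 1000 drops to 1000. */
struct cred drop(bool permanent)
{
    struct cred c = { 1000, 0, 0 };
    if (permanent) model_setreuid(&c, 1000, 1000);
    else           model_seteuid(&c, 1000);
    return c;
}

int main(void)
{
    printf("seteuid:  regain root? %d\n", can_regain_root(drop(false)));
    printf("setreuid: regain root? %d\n", can_regain_root(drop(true)));
    return 0;
}
```

When reviewing a set-UID program, check the saved ID with getresuid() after the drop; a saved ID that is still 0 means the drop can be undone.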