OSEI 044 Block 3 Unit 1
Structure 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 Introduction Objectives Internal Structure of Linux System Architecture Overview of the Kernel System Supporting Multiple Developers System Data Structure Subsystem Architecture Linux File System More About Kernel Miscellaneous Concerns Let Us Sum Up Check Your Progress: The Key Suggested Reading
1.0
INTRODUCTION
Architecture is the lifeblood of any technology, and operating systems are no exception. The Linux operating system has its own distinctive architecture, with the kernel and the shell as its major components. This unit covers the architecture of the Linux operating system and its file structure.
1.1
OBJECTIVES
After studying this unit, you should be able to understand: the structure of Linux; the Linux kernel; system data structure; subsystem architecture; and Linux file structure.
Linux Security
1.2
INTERNAL STRUCTURE OF LINUX
Fig. 1
Shell
1. The shell is the command interpreter: it reads the commands we type at the terminal, line by line, and performs the required operations.
2. The shell is the part of the Linux O.S that acts as an intermediary between the user and the O.S.
3. It forms a shell around the system that converts our instructions into commands the system can understand and act on.
4. The Linux system gives every user their own copy of the shell program, so each user can work freely without interference from other users.
Kernel
The other component of the Linux O.S is the kernel, which interfaces directly with the hardware components.
The Kernel Performs Different Functions
The kernel creates and deletes processes, and handles scheduling, memory management and I/O management for the processor.
It provides a mechanism for synchronization of processes, so that processes can synchronize their actions. It also provides a mechanism for inter-process communication.
1.3
SYSTEM ARCHITECTURE
The Linux kernel is useful when it participates as one part of a larger system. Fig. 2 shows a decomposition of the entire Linux operating system:
Fig. 2: Decomposition of Linux System into Major Subsystems
The Linux operating system is composed of four major subsystems:
1. User Applications: The set of applications in use depends on what the computer system is used for. Examples include a word-processing application and a web browser.
2. O.S Services: These are services considered part of the operating system (a windowing system, command line etc.), and they include the programming interface to the kernel (compiler tools and libraries).
3. Linux kernel: The Linux kernel abstracts and mediates access to the hardware resources, including the CPU.
4. Hardware Controllers: This subsystem consists of all the possible physical devices in a Linux installation; for example, the CPU, memory hardware, hard disks, and network hardware.
This decomposition follows Garlan and Shaw's Layered style: each subsystem layer can communicate only with the layers immediately adjacent to it. Dependencies run from top to bottom: the layers near the top depend on lower layers, but the bottom layers do not depend on higher layers.
Purpose of the Kernel
The kernel provides a virtual machine interface to user processes. Processes are installed without any prior knowledge of the physical hardware installed on the computer; the Linux kernel abstracts all hardware into a consistent virtual interface. Linux supports multitasking in a way that is transparent to user processes: each process can act as though it were the only process on the computer, with exclusive use of main memory and other hardware resources. The kernel actually runs several processes concurrently, giving each process fair access to the hardware resources while maintaining inter-process security.
1.4
The Linux kernel is composed of five main subsystems:
a. The process scheduler controls process access to the CPU. It enforces a policy that ensures fair access, while ensuring that necessary hardware actions are performed by the kernel on time.
b. The Memory Manager (MM) allows multiple processes to securely share the machine's main memory system. It also supports virtual memory, which allows processes to use more memory than is available in the system. Using the file system, unused memory is swapped out to persistent storage and swapped in when required.
c. The Virtual File System (VFS) abstracts the details of the variety of hardware devices by presenting a common file interface to all devices. The VFS also supports many file system formats that are compatible with other operating systems.
d. The Network Interface (NET) provides access to several networking standards and a variety of network hardware.
e. The Inter-Process Communication (IPC) subsystem supports process-to-process communication on a single Linux system.
Fig. 3
Fig. 3 above (Kernel Subsystem Overview) shows a high-level decomposition of the Linux kernel, where lines are drawn from dependent subsystems to the subsystems they depend on. This diagram shows that the process scheduler is the most central subsystem: all other subsystems depend on it, since all subsystems need to suspend and resume processes. Usually a subsystem suspends a process that is waiting for a hardware operation to complete, and resumes it when the operation is finished. For example, when a process attempts to send a message across the network, the network interface may need to suspend the process until the hardware has completed sending the message successfully. After the message has been sent (or the hardware returns a failure), the network interface resumes the process with a return code indicating the success or failure of the operation. The other subsystems (memory manager, virtual file system, and inter-process communication) all depend on the process scheduler for similar reasons.
The other dependencies are somewhat less obvious, but equally important:
When a specific process is resumed, the process scheduler uses the memory manager to adjust the hardware memory map for it.
The inter-process communication subsystem depends on the memory manager to support shared-memory communication, which allows two processes to access an area of common memory in addition to their usual private memory.
The virtual file system uses the network interface to support a network file system (NFS), and it also uses the memory manager to provide a ram disk device.
The memory manager uses the virtual file system to support swapping; this is the only reason that the memory manager depends on the process scheduler. When a process accesses swapped-out memory, the memory manager makes a request to the file system to fetch the memory from persistent storage and suspends the process in the meantime.
All subsystems in the kernel rely on some common resources that are not shown in any subsystem. These include procedures that all kernel subsystems use to allocate and free memory for the kernel's use, procedures to print warning or error messages, and system debugging routines. These resources will not be referred to explicitly, since they are assumed to be ubiquitously available and used within the kernel layer of Fig. 1. The architectural style at this level resembles the Data Abstraction style discussed by Garlan and Shaw in [Garlan 1994]. Each of the depicted subsystems contains state information that is accessed using a procedural interface, and the subsystems are each responsible for maintaining the integrity of their managed resources.
1.5
The Linux system was developed by a large number of volunteers, and this has had an impact on the architecture of the system. With such a large number of geographically dispersed developers, a tightly coupled system would be quite difficult to develop -- developers would be constantly treading on each other's code. This is why the subsystems expected to need the most modification, namely the file systems, hardware interfaces, and network system, are designed to be highly modular. For example, an implementation of Linux can be expected to support many hardware devices, each with a distinct interface; a naive architecture would put the implementation of all hardware devices into one subsystem. An approach that better supports multiple developers is to separate the code for each hardware device into a device driver that is a distinct module in the file system. Analyzing the credits file gives Fig. 4 below (Division of Developer Responsibilities):
Fig. 4
Fig. 4 shows most of the developers who have worked on the Linux kernel, and the areas that they appear to have implemented. However, a few developers who modified many parts of the kernel were not included. Linus Torvalds was the original implementer of most of the kernel subsystems, although subsequent development was done by others. This diagram confirms the large-scale structure of the kernel as outlined earlier. Few developers worked on more than one system. Most of them worked on hardware device drivers, logical file system modules, network device drivers and network protocol modules. These four are the areas of the kernel with the most extensibility.
Check Your Progress 1
Note: a) Space is given below for writing your answer.
b) Compare your answer with the one given at the end of the Unit.
1) What is the role of the shell and the kernel in Linux?
2) What are the four major subsystems of the Linux operating system?
3) Discuss any two subsystems of the Linux operating system.
4) How does Linux support multiple developers?
1.6
SYSTEM DATA STRUCTURE
Task List
The process scheduler maintains a block of data for each active process. These blocks of data are stored in a linked list called the task list. A current pointer is always maintained that indicates the process that is currently active.
Memory Map
The memory manager stores the mapping of virtual to physical addresses on a per-process basis, along with additional information on how to fetch and replace particular pages. This information is stored in a memory-map data structure that is stored in the process scheduler's task list.
I-nodes
The Virtual File System uses index-nodes (i-nodes) to represent files on a logical file system. The i-node data structure stores the mapping of file block numbers to physical device addresses and can be shared across processes if two processes have the same file open. This sharing is accomplished by both task data blocks pointing to the same i-node.
Data Connection
All of the data structures are rooted at the task list of the process scheduler. Each process on the system has a data structure containing a pointer to its memory mapping information, and also pointers to the i-nodes representing all of its open files. Finally, the task data structure also contains pointers to data structures representing all of the open network connections associated with each task.
1.7
SUBSYSTEM ARCHITECTURE
Process Scheduler Architecture
Goals
The process scheduler is an important subsystem of the Linux kernel. It controls access to the CPU, both for user processes and for other kernel subsystems.
Modules
The scheduler is divided into four main modules:
The scheduling policy module judges which process gets access to the CPU; the policy is designed so that processes receive fair access to the CPU.
Architecture-specific modules abstract the details of any particular computer architecture. These modules can suspend and resume a process. Doing so involves preserving each process's register and state information and executing the assembly code that carries out the suspend or resume operation.
The architecture-independent module communicates with the policy module to determine which process will execute next, then calls the architecture-specific module to resume the appropriate process. This module also calls the memory manager so that the memory hardware is restored for the resumed process.
The system call interface module permits user processes access to only those resources that are explicitly exported by the kernel. This limits the dependency of user processes on the kernel, so the interface rarely changes even when the implementation of other kernel modules changes.
Fig. 5: Process Scheduler Subsystem in Context
Data Representation
The scheduler maintains a data structure, the task list, with one entry for each active process. Each entry holds sufficient information to suspend or resume the process, along with additional accounting and state information. This data structure is publicly available throughout the kernel layer.
Dependencies, Data Flow, and Control Flow
The process scheduler subsystem depends on the memory manager subsystem, because the process scheduler calls the memory manager when it resumes a process. In turn, each kernel subsystem depends on the process scheduler to suspend a process while it waits for hardware requests to complete and to resume it afterwards. These dependencies are carried through the shared task list data structure. All kernel subsystems read and write the data structure representing the current task, leading to bi-directional data flow throughout the system.
In addition to the data and control flow within the kernel layer, the O/S services layer provides an interface for user processes to register for timer notification. This corresponds to the implicit execution architectural style, and it leads to a flow of control from the scheduler to the user processes. Resuming a dormant process is not considered a flow of control, because the user process cannot detect this operation. Finally, the scheduler communicates with the CPU, which gives rise to data flow and flow of control between them.
Memory Manager Architecture
Goals
The memory manager subsystem is responsible for controlling process access to the hardware memory resources. This is accomplished through a hardware memory-management system that provides a mapping between process memory references and the machine's physical memory. The memory manager subsystem maintains this mapping on a per-process basis, so that two processes can access the same virtual memory address and actually use different physical memory locations. The memory manager subsystem also supports swapping: it moves unused memory pages to persistent storage, allowing the computer to support more virtual memory.
Modules
The memory manager subsystem is composed of three modules:
The architecture-specific module presents a virtual interface to the memory management hardware.
The architecture-independent manager performs all of the per-process mapping and virtual memory swapping. This module is responsible for determining which memory pages will be evicted when there is a page fault -- there is no separate policy module since it is not expected that this policy will need to change.
A system call interface provides restricted access to user processes. This interface allows user processes to allocate and free storage, and also to perform memory-mapped file I/O.
Data Representation
The memory manager stores a per-process mapping of physical addresses to virtual addresses. This mapping is stored as a reference in the process scheduler's task list data structure. Additional details in the data block tell the memory manager how to fetch and store pages. Finally, the memory manager stores permissions and accounting information in this data structure to ensure system security.
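On a running Linux system the per-process mapping and its permissions are visible from user space in /proc/<pid>/maps. The Python sketch below is an added example, not part of the original unit: it parses maps-format text and reports regions that are both writable and executable, a combination worth reviewing when auditing a process. The sample text is constructed and the function names are this example's own.

```python
"""Parse /proc/<pid>/maps text: one process's virtual memory map and its permissions."""
from dataclasses import dataclass
from pathlib import Path

# Constructed sample in /proc/<pid>/maps format (not captured from a real system).
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131090 /usr/bin/example
0060b000-0060c000 r--p 0000b000 08:01 131090 /usr/bin/example
0060c000-0060d000 rw-p 0000c000 08:01 131090 /usr/bin/example
01a2b000-01a4c000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a1c000000-7f3a1c1b0000 r-xp 00000000 08:01 262200 /lib/libc.so.6
7ffd5e1e0000-7ffd5e201000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass(frozen=True)
class Region:
    start: int   # first virtual address of the region
    end: int     # first address past the region
    perms: str   # "rwxp": read, write, execute, then p(rivate) or s(hared)
    offset: int  # offset into the backing file
    dev: str     # major:minor of the backing device
    inode: int   # inode of the backing file, 0 for anonymous memory
    path: str    # backing file or a label such as [heap]; may be empty

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list:
    """Turn maps-format text into Region records, skipping malformed lines."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)  # the path is optional and may contain spaces
        if len(fields) < 5:
            continue
        address, perms, offset, dev, inode = fields[:5]
        path = fields[5].strip() if len(fields) == 6 else ""
        start, end = (int(part, 16) for part in address.split("-"))
        regions.append(Region(start, end, perms, int(offset, 16), dev, int(inode), path))
    return regions


def writable_and_executable(regions: list) -> list:
    """Regions a process may both modify and run code from."""
    return [r for r in regions if "w" in r.perms and "x" in r.perms]


def bytes_by_backing(regions: list) -> dict:
    """Total mapped bytes backed by a file inode versus anonymous memory."""
    totals = {"file": 0, "anonymous": 0}
    for r in regions:
        totals["file" if r.inode else "anonymous"] += r.size
    return totals


def read_live_maps(pid: str = "self") -> list:
    """Parse the live map of a process; returns [] where /proc is unavailable."""
    maps_file = Path(f"/proc/{pid}/maps")
    return parse_maps(maps_file.read_text()) if maps_file.exists() else []


if __name__ == "__main__":
    sample = parse_maps(SAMPLE_MAPS)
    for region in writable_and_executable(sample):
        print(f"W+X region {region.start:#x}-{region.end:#x} {region.path or '(anonymous)'}")
    print(bytes_by_backing(sample))
    print(f"{len(read_live_maps())} regions mapped in this process")
```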
Fig. 6: Memory Management System
Data Flow, Control Flow, and Dependencies
The memory manager controls the memory hardware, and receives a notification from the hardware when a page fault occurs. As a result, there is bi-directional data and control flow between the memory manager modules and the memory manager hardware. The memory manager also uses the file system to support swapping and memory-mapped I/O; for this, the memory manager makes procedure calls to the file system to store and fetch memory pages. Because a request for swapped-out memory takes some time to satisfy, the memory manager suspends the process until the memory is swapped back in. This requirement causes the memory manager to make procedure calls into the process scheduler.
Virtual File System Architecture
Goals
The virtual file system presents a consistent view of data as stored on hardware devices. All hardware devices in a computer are represented using a generic device driver interface. The virtual file system allows the system administrator to mount any of a set of logical file systems on any physical device. Logical file systems provide compatibility with other operating system standards, and allow developers to implement file systems with different policies. The virtual file system hides the details of both the physical device and the logical file system, and allows user processes to access files using a common interface, without necessarily knowing what physical or logical system the file resides on. The virtual file system is also responsible for loading new executable programs. This is accomplished by the logical file system module, which allows Linux to support several executable formats.
Fig. 7: Virtual File System in Context
Modules
A device driver module is available for each supported hardware controller. Since there are a large number of incompatible hardware devices, there are a large number of device drivers. The most common extension of a Linux system is the addition of a new device driver.
The Device Independent Interface module provides a consistent view of all devices.
There is one logical file system module for each supported file system. This module presents all resources using either a block-oriented or character-oriented file interface.
The system call interface provides controlled access to the file system for user processes. The virtual file system exports only specific functionality to user processes.
Data Representation
All files are represented using i-nodes. The i-node structure contains location information that specifies where on the physical device the file blocks are. The i-node also stores pointers to routines in the logical file system module and device driver that will perform the required read and write operations. By storing function pointers in this fashion, logical file systems and device drivers can register themselves with the kernel without having the kernel depend on any specific module.
Data Flow, Control Flow and Dependencies
One specific device driver is a ram disk, which allocates an area of main memory and treats it as a persistent-storage device. This device driver uses the memory manager to get its tasks done, and thus there is a dependency, control flow, and data flow between the file system device drivers and the memory manager. One of the supported logical file systems is the network file system (as a client only). This file system accesses files on another machine, so this logical file system module uses the network subsystem to complete its tasks. This introduces a dependency, control flow, and data flow between the two subsystems. As described under the memory manager architecture, the memory manager uses the virtual file system for memory swapping and memory-mapped I/O. The virtual file system uses the process scheduler to suspend processes while waiting for hardware requests to complete, and to resume them once the request has been completed. Finally, the system call interface allows user processes to call in to the virtual file system to store or retrieve data.
Network Interface Architecture
Goals
The network subsystem allows Linux systems to connect to other systems over a network. A number of hardware devices are supported, and a number of network protocols can be used. The network subsystem abstracts both of these implementation details so that user processes and other kernel subsystems can access the network without necessarily knowing what physical devices or protocol is being used.
Modules
Network device drivers communicate with the hardware devices. There is one device driver module for each possible hardware device.
The device independent interface module provides a consistent view of all of the hardware devices so that higher levels in the subsystem don't need specific knowledge of the hardware in use.
The network protocol modules are responsible for implementing each of the possible network transport protocols.
The protocol independent interface module provides an interface that is independent of hardware devices and network protocol. This is the interface module that is used by other kernel subsystems to access the network without having a dependency on particular protocols or hardware.
Finally, the system call interface module restricts the exported routines that user processes can access.
Data Representation
Each network object is represented as a socket. Sockets are associated with processes in the same way that i-nodes are associated; sockets can be shared amongst processes by having both of the task data structures point to the same socket data structure.
Data Flow, Control Flow and Dependencies
The network subsystem uses the process scheduler to suspend and resume processes while waiting for hardware requests to complete (leading to a subsystem dependency and to control and data flow). In addition, the network subsystem supplies the virtual file system with the implementation of a logical file system (NFS), leading to the virtual file system depending on the network interface and having data and control flow with it.
Inter-Process Communication Architecture
The architecture of the inter-process communication subsystem is omitted for brevity since it is not as interesting as the other subsystems.
Check Your Progress 2
Note: a) Space is given below for writing your answer.
b) Compare your answer with the one given at the end of the Unit.
1) What is an I-Node?
2) Explain the term process scheduler architecture.
3) Discuss the goals of the memory manager architecture.
1.8
LINUX FILE SYSTEM
A file system is a logical division within a physical partition. Like all UNIX systems, the Linux file system is based on one root directory, i.e. a hierarchical top point with subdirectories under it. Some subdirectories act as mount points, where different physical or networked file systems may be included. The hardware is also included in the file hierarchy: device drivers interface to user applications via an entry in the /dev directory. Process information is likewise mapped to the file system through the /proc directory. In this architecture, raw hardware devices are protected from direct access, and the file system has a built-in security system giving individual access to files at three levels: user only, group membership, and world access. Each category has read, write and execute flags that may be set in any combination.
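To make the three access levels concrete, the following Python example (added here, not part of the original unit) decodes a file mode into its user, group and world read/write/execute flags and walks a directory tree to report regular files that the world level may write. The directory tree and its file names are constructed by the example itself.

```python
"""Decode user/group/world permission flags and audit a tree for world-writable files."""
import os
import stat
import tempfile

# One (name, read bit, write bit, execute bit) row per access level.
LEVELS = (
    ("user", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("world", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def decode_mode(mode):
    """Map a st_mode value to e.g. {'user': 'rwx', 'group': 'r-x', 'world': '---'}."""
    decoded = {}
    for name, read_bit, write_bit, exec_bit in LEVELS:
        decoded[name] = (
            ("r" if mode & read_bit else "-")
            + ("w" if mode & write_bit else "-")
            + ("x" if mode & exec_bit else "-")
        )
    return decoded


def world_writable(root):
    """Return sorted paths (relative to root) of regular files any user may write."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)  # lstat: judge the entry itself, not a link target
            if stat.S_ISREG(info.st_mode) and info.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed tree with known modes (chmod is not affected by the umask)."""
    modes = {
        "report.txt": 0o640,        # user rw-, group r--, world ---
        "run.sh": 0o750,            # user rwx, group r-x, world ---
        "shared/notes.txt": 0o666,  # writable at all three levels
        "shared/tool": 0o757,       # world may write and execute
    }
    os.mkdir(os.path.join(root, "shared"))
    for relative, mode in modes.items():
        path = os.path.join(root, relative)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)
    return modes


def demo():
    """Build the sample tree, decode one mode and run the audit."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        run_sh_mode = os.stat(os.path.join(root, "run.sh")).st_mode
        return decode_mode(run_sh_mode), world_writable(root)


if __name__ == "__main__":
    decoded, findings = demo()
    print("run.sh:", decoded)
    for finding in findings:
        print("world-writable:", finding)
```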
Fig. 9
/bin contains executable programs, known as binaries, which are essential system files. Many Linux commands are actually programs found in this directory.
The /sbin directory is also used to store system binary files. Most of the files in this directory are used for system administration purposes.
The /etc directory is very important and contains many of the Linux system configuration files. These files provide all configuration settings for our Linux system. The password file, passwd, is found here, as is the list of file systems to mount at startup, fstab. This directory also contains the startup scripts for Linux.
The /lib directory contains all the shared libraries that are used by various programs. With shared libraries, many programs can reuse the same code, and the libraries can be stored in a common place, reducing the size of our programs at runtime.
The /dev directory contains special files known as device files, which are used to access all the different types of hardware on our system. For example, /dev/lp0 for a line printer, /dev/hda0 for a hard drive partition and /dev/mouse for reading input from the mouse. By organizing access to hardware devices in this way, Linux effectively makes the interface to a hardware device look like any other piece of software.
The /proc directory is actually a virtual file system. It is used to read process information from memory.
The /tmp directory is used to store temporary files that programs create when running. If we have a program that creates many large temporary files, we might want to mount the /tmp directory as a separate file system rather than just as a directory on the root file system.
The /home directory is the base directory for the user home directories. It is common to mount this directory as a separate file system so that users can have more space for their files.
The /var directory holds files that tend to change in size over time. Typically, various system log files are located below this directory.
The /usr directory and its subdirectories are very important to the operation of our Linux system. This directory contains several subdirectories with some of the most important programs in our system. Typically, subdirectories of /usr contain the large software packages that we install.
Another Representation
The files and directories are organized into a single-rooted inverted tree structure.
The names are case-sensitive and delimited by the / (forward slash) character.
Each shell and system process has a current directory.
Fig. 10
1.9
MORE ABOUT KERNEL
The scheduler, the memory manager, the virtual file system, the network interface, and the inter-process communication interface interact with each other using function calls and shared data structures. At the highest level, the architectural style of the Linux kernel is closest to Garlan and Shaw's Data Abstraction style: the kernel is composed of subsystems that maintain internal representation consistency by using a specific procedural interface. Each of the subsystems is composed of modules that communicate only with adjacent layers.
The conceptual architecture of the Linux kernel has been a success; the factors required for this success were the provision for the organization of developers and for system extensibility. The Linux kernel architecture was required to support a large number of independent volunteer developers. This requirement meant that the system portions that require the most development, namely the hardware device drivers and the file and network protocols, had to be implemented in an extensible fashion. The Linux architect chose to make these systems extensible using a data abstraction technique: each hardware device driver is implemented as a separate module that supports a common interface. In this way, a single developer can add a new device driver with minimal interaction required with other developers of the Linux kernel. The success of the kernel implementation by a large number of volunteer developers proves the correctness of this strategy.
A further extension of the Linux kernel is the addition of more supported hardware platforms. The architecture supports this extensibility by separating all hardware-specific code into distinct modules within each subsystem. In this way, a small group of developers can effect a port of the Linux kernel to a new hardware architecture by re-implementing only the machine-specific portions of the kernel.
Some Definitions
Device Driver
A device driver is the code that is required to interface with a particular hardware device. Device drivers are part of the kernel, but the Linux kernel has a mechanism that permits dynamic loading of device drivers.
I-Node
I-nodes, or index nodes, are used in the file system to keep track of which hardware addresses correspond to file system data blocks. Each i-node stores a mapping of file block to physical block, and also information for security and accounting purposes.
Network File System (NFS)
The Network File System is a file system interface that presents files stored on a remote computer as a file system on the local machine.
Process
A process, or task, is a program in execution, which consists of executable code and dynamic data. The kernel associates enough information with each process to stop and resume it.
Ramdisk
A ram disk uses an area of main memory as a file system device. This allows frequently accessed files to be accessed reliably and efficiently at all times, which is especially useful when using Linux to support hard real-time requirements. For usual cases, the normal file system caching will make the most efficient use of memory to provide reasonably efficient access to files.
Swapping
Linux supports processes that use memory which exceeds the amount of physical memory on the computer. This is done by the memory manager swapping unused pages of memory to a persistent store; when the memory is later accessed, it is swapped back into main memory.
Types of Linux File System
The Linux kernel supports a number of popular file system types: ext2, ext3, Reiserfs and XFS. Currently, ext2 is the only one supported by Debian (an operating system). The ext3 file system is the next generation of the Extended File System, and allows for larger file systems and files, as well as improving performance. The Reiserfs and XFS file systems allow for improved performance when using large file systems, and are suited to specific applications where data concurrency is important, such as file systems which contain high-volume databases.
Mounting a File System
Incorporating a file system into the existing directory structure is known as mounting the file system. The file system can be connected directly to your system, that is, a local file system, or it can be part of a remote NFS file system, and it can be on either a non-LVM disk or a logical volume. Mounting a file system associates it with a directory in the existing file system tree. Prior to mounting, the files, although present on the disk, are not accessible to users; once mounted, the file system becomes accessible. The directory in the existing file system where the file system is attached is known as the mount point or mount directory for the new file system, and the files in the added file system become part of the existing file system hierarchy.
UnMounting a File System
The umount command detaches the file system(s) from the file hierarchy. A file system is specified by giving the directory where it has been mounted. Giving the special device on which the file system lives may also work, but is obsolete, mainly because it will fail if this device was mounted on more than one directory. A file system cannot be unmounted when it is 'busy' - for example, when there are open files on it, or when some process has its working directory there, or when a swap file on it is in use. The offending process could even be umount itself - it opens libc, and libc in its turn may open, for example, locale files. A lazy unmount avoids this problem. Unmounting disables access to a file system. If you mounted a CD, you will not be able to open the CD tray until you unmount the CD file system. To unmount, you only need to know the directory of the mount point.
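Because mounting associates a file system with a directory, every path belongs to the file system whose mount point is its longest matching prefix. The Python example below is added here and is not part of the original unit: it parses an fstab-style table, resolves paths to their mount, and checks whether /tmp and /home have a file system of their own as suggested earlier. The table, device names and function names are constructed for illustration.

```python
"""Resolve which mounted file system a path belongs to, from an fstab-style table."""
from collections import namedtuple
import posixpath

Mount = namedtuple("Mount", "device mount_point fstype options")

# Constructed table in /etc/fstab layout; devices and the NFS server are made up.
SAMPLE_FSTAB = """\
# <device>      <mount point>  <type>  <options>  <dump> <pass>
/dev/hda1       /              ext3    defaults   0 1
/dev/hda2       /home          ext3    defaults   0 2
/dev/hda3       /tmp           ext2    defaults   0 2
/dev/hda4       none           swap    sw         0 0
server:/export  /mnt/nfs       nfs     defaults   0 0
proc            /proc          proc    defaults   0 0
"""


def parse_fstab(text):
    """Return Mount records for entries that attach a file system to a directory."""
    mounts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or not fields[1].startswith("/"):
            continue  # swap space has no mount directory
        mounts.append(Mount(fields[0], posixpath.normpath(fields[1]), fields[2], fields[3]))
    return mounts


def mount_for(path, mounts):
    """Return the mount whose mount point is the longest prefix of path.

    The comparison is lexical and respects component boundaries, so /homework
    is not treated as being under /home. Symbolic links are not resolved.
    """
    path = posixpath.normpath(path)
    best = None
    for mount in mounts:
        point = mount.mount_point
        prefix = point if point.endswith("/") else point + "/"
        if path == point or path.startswith(prefix):
            if best is None or len(point) > len(best.mount_point):
                best = mount
    return best


def has_own_filesystem(directory, mounts):
    """True when the directory itself is a mount point."""
    directory = posixpath.normpath(directory)
    return any(mount.mount_point == directory for mount in mounts)


if __name__ == "__main__":
    table = parse_fstab(SAMPLE_FSTAB)
    for sample_path in ("/home/alice/notes.txt", "/homework/essay.txt", "/mnt/nfs/data"):
        found = mount_for(sample_path, table)
        print(f"{sample_path} -> {found.device} mounted on {found.mount_point} ({found.fstype})")
    for directory in ("/tmp", "/home", "/var"):
        print(directory, "separate file system:", has_own_filesystem(directory, table))
```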
I-Node
The inode (index node) is a fundamental concept in the Linux and UNIX file system. Each object in the file system is represented by an inode. But what are the objects? Let us try to understand it in simple words. Each and every file under Linux (and UNIX) has the following attributes:
=> File type (executable, block special etc)
=> Permissions (read, write etc)
=> Owner
=> Group
=> File Size
=> File access, change and modification time (remember UNIX or Linux never stores file creation time; this is a favorite question asked in UNIX/Linux sys admin job interviews)
=> File deletion time
=> Number of links (soft/hard)
=> Extended attribute such as append only or no one can delete file including root user (immutability)
=> Access Control List (ACLs)
All the above information is stored in an inode. The inode identifies the file and its attributes (as above). Each inode is identified by a unique inode number within the file system. Inode is also known as index number.
Check Your Progress 3
Note: a) Space is given below for writing your answer.
b) Compare your answer with the one given at the end of the Unit.
1) Write a note on the Linux file system.
2) What is swapping?
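The inode attributes listed in the I-Node section, and the sharing of one i-node by two open files described under System Data Structure, can be observed from user space with the stat family of calls. This Python example is added here and is not part of the original unit; the file names and helper functions are constructed for illustration.

```python
"""Inspect inode attributes and show when two names or descriptors share one inode."""
import os
import stat
import tempfile


def file_type(mode):
    """Name the object type encoded in a st_mode value."""
    checks = (
        (stat.S_ISREG, "regular"),
        (stat.S_ISDIR, "directory"),
        (stat.S_ISLNK, "symbolic link"),
        (stat.S_ISBLK, "block special"),
        (stat.S_ISCHR, "character special"),
    )
    for predicate, label in checks:
        if predicate(mode):
            return label
    return "other"


def inode_summary(path):
    """Collect the attributes the inode holds for path (the name itself is not one)."""
    info = os.lstat(path)  # lstat describes a symbolic link rather than its target
    return {
        "inode": info.st_ino,
        "device": info.st_dev,
        "type": file_type(info.st_mode),
        "permissions": stat.filemode(info.st_mode),
        "owner": info.st_uid,
        "group": info.st_gid,
        "size": info.st_size,
        "links": info.st_nlink,
        "access_time": info.st_atime,
        "modification_time": info.st_mtime,
        "change_time": info.st_ctime,
    }


def same_inode(path_a, path_b):
    """Two names are the same object when device and inode number both match."""
    a, b = os.lstat(path_a), os.lstat(path_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def demo():
    """Create a file, a hard link and a symbolic link, then compare their inodes."""
    with tempfile.TemporaryDirectory() as folder:
        original = os.path.join(folder, "data.txt")
        hard = os.path.join(folder, "hard.txt")
        soft = os.path.join(folder, "soft.txt")
        with open(original, "w") as handle:
            handle.write("hello\n")
        os.link(original, hard)     # second directory entry for the same inode
        os.symlink(original, soft)  # separate inode that stores a path
        with open(original) as first, open(hard) as second:
            # Two independent opens end up referring to one shared inode.
            descriptors_share = (
                os.fstat(first.fileno()).st_ino == os.fstat(second.fileno()).st_ino
            )
        result = {
            "size": inode_summary(original)["size"],
            "hard_link_shares_inode": same_inode(original, hard),
            "symlink_shares_inode": same_inode(original, soft),
            "symlink_type": inode_summary(soft)["type"],
            "open_files_share_inode": descriptors_share,
            "links_before_unlink": os.lstat(original).st_nlink,
        }
        os.unlink(original)  # removes one name; the inode lives while links remain
        result["links_after_unlink"] = os.lstat(hard).st_nlink
        with open(hard) as handle:
            result["data_survives"] = handle.read() == "hello\n"
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```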
The Kernel Performs Different Functions
The kernel handles the creation and deletion of processes, and schedules the memory management and I/O management of the processor. It provides a mechanism for synchronization of processes so that processes synchronize their actions. It provides a mechanism for inter-process communication.
2) The four major subsystems of the Linux operating system:
i. User Applications: The set of applications in use differs depending on how the computer system is used. Examples include a word-processing application and a web browser.
ii. O.S Services: O.S services are considered part of the operating system (a windowing system, command line etc.), which also includes the programming interface to the kernel (compiler tool and library).
iii. Linux kernel: The Linux kernel abstracts and mediates access to the hardware resources, including the CPU.
iv. Hardware Controllers: This subsystem consists of all the possible physical devices in a Linux installation; for example, the CPU, memory hardware, hard disks, and network hardware.
3) The two subsystems of the Linux operating system are:
i. The process scheduler controls process access to the CPU. It enforces a policy to ensure fair access, while ensuring that necessary hardware actions are performed by the kernel on time.
ii. The Memory Manager (MM) allows multiple processes to securely share the machine's main memory system. It also supports virtual memory, which allows processes to use more memory than is available in the system. With the use of the file system, unused memory is swapped out to persistent storage and swapped in when required.
4) The Linux system was developed by a large number of volunteers. The developers and volunteers have an impact on the architecture of the system. With such a large number of geographically dispersed developers, a tightly coupled system would be quite difficult to develop: developers would be constantly treading on each other's code. This is why the subsystems of the Linux architecture that are subject to modification, namely the file systems, hardware interfaces, and network system, are designed to be highly modular.
For example, an implementation of Linux can be expected to support many hardware devices which each have distinct interfaces; a naive architecture would put the implementation of all hardware devices into one subsystem. An approach that better supports multiple developers is to separate the code for each hardware device into a device driver that is a distinct module in the file system.
Check Your Progress 2
1) The Virtual File System uses index-nodes (i-nodes) to represent files on a logical file system. The i-node data structure stores the mapping of file block numbers to physical device addresses and can be shared across processes if two processes have the same file open. This sharing is accomplished by both task data blocks pointing to the same i-node.
2) The Linux kernel possesses an important subsystem called the process scheduler. It controls access to the CPU. Access by user processes, as well as access by other kernel subsystems, is also controlled by this scheduler.
Modules
The scheduler is divided into four main modules:
The scheduling policy module judges which process is to have access, and the policy is designed in such a way that access to the CPU is fair.
Architecture specific modules are designed so that the details of any computer architecture can be abstracted. These modules can suspend as well as resume a process. Through them, the register and state information of a process can be preserved, and the suspend or resume operation is executed by assembly code.
The architecture independent module communicates with the policy module to determine the next process to execute, and calls the architecture specific module to resume the appropriate process. This module also calls the memory manager to restore the memory hardware for the resumed process.
3) The memory manager subsystem is responsible for controlling process access to the hardware memory resources. This is accomplished through a hardware memory-management system that provides a mapping between process memory references and the machine's physical memory. The memory manager subsystem maintains this mapping on a per-process basis, so that two processes can access the same virtual memory address and actually use different physical memory locations. The memory manager subsystem also supports swapping. It stores unused memory pages, allowing the computer to support more virtual memory.
4) The network subsystem allows Linux systems to connect to other systems over a network. There are a number of possible hardware devices that are supported, and a number of network protocols that can be used. The network subsystem abstracts both of these implementation details so that user processes and other kernel subsystems can access the network without necessarily knowing what physical devices or protocol is being used.
Check Your Progress 3
1) The Linux file system is similar to that of all UNIX systems, which are based on one root directory, i.e. a hierarchical top point with subdirectories under it. Some subdirectories act as mount points, where different physical or networked file systems may be included. The hardware is also included in the file hierarchy. Device drivers interface to user applications via an entry in the /dev directory. Process information is likewise mapped to the file system through the /proc directory. In this architecture, raw hardware devices are protected from direct access, and the file system has an inbuilt security system giving individual access to files at three levels: user only, group membership, and world access. Each category has read, execute and write flags that may be set in any combination.
2) Linux supports processes that use memory which exceeds the amount of physical memory on the computer. This is done by the memory manager swapping unused pages of memory to a persistent store; when the memory is later accessed, it is swapped back into the main memory.
3) The Linux kernel supports a number of popular file system types: ext2, ext3, Reiserfs and XFS. Currently, ext2 is the only one supported by Debian (an operating system). The ext3 file system is the next generation of the Extended File system, and allows for larger file systems and files, as well as improving performance. The Reiserfs and XFS file systems allow for improved performance when using large file systems, and are suited to specific applications where data concurrency is important, such as file systems which contain high volume databases.
4) The umount command detaches the file system(s) from the file hierarchy. A file system is specified by giving the directory where it has been mounted. Giving the special device on which the file system lives may also work, but this is obsolete, mainly because it will fail if the device was mounted on more than one directory. A file system cannot be unmounted when it is 'busy': for example, when there are open files on it, when some process has its working directory there, or when a swap file on it is in use. The offending process could even be umount itself: it opens libc, and libc in its turn may open, for example, locale files. A lazy unmount avoids this problem. Unmounting disables access to a file system. If you mounted a CD, you will not be able to open the CD tray until you unmount the CD file system. To unmount, you only need to know the directory of the mount point.