Process privilege sets

Multiple sets of privileges are defined in the kernel to provide varied controls for privileged operations. Multiple privilege sets allow the operating system to enforce dynamic privilege controls and allow applications to manage least-privilege principles.

Privileges are associated with a process through the following privilege sets:

Limiting Privilege Set (LPS)
Defines the hard limit on privileges for a given process. No privilege escalation in the system can raise process privileges beyond this value, so a process cannot acquire more privileges than this through any of the defined system interfaces; in other words, the process is restricted to these privileges at any point in time. It also follows that the other privilege sets are always subsets of the LPS. Although the LPS cannot be expanded, every process has the right to reduce its LPS. Once reduced, however, the LPS cannot be expanded back to its original value. Lowering the LPS lets a process narrow the bounds on its privileges; for example, a process might reduce the LPS just before running a custom user-provided program. By default, all of the privileges available on the system are set in the LPS for a process.
Maximum Privilege Set (MPS)
The full set of privileges that the process is authorized to use. The MPS can include any privilege in the LPS, but cannot exceed the LPS. The MPS can change during the lifetime of a process for many reasons. The following are some of the reasons:
  • When the current process executes another privileged command and then gains related additional privileges
  • If the process has the right privilege, then it can expand the MPS programmatically in a dynamic manner
Effective Privilege Set (EPS)
The list of privileges that are currently active for the process. The EPS is always a subset of the process's MPS and is the set the kernel consults when performing access checks for privileged operations. The EPS can be manipulated by the process and can equal the MPS, but cannot exceed it. A process can manipulate the EPS dynamically to enforce least-privilege principles. For example, user-space code can raise the audit privilege bit in the EPS using the priv_raise API before making an audit-related system call or kernel call, and then lower it again with the priv_lower API when the audit call returns.
Inheritable Privilege Set (IPS)
Privileges which are passed from a parent process to its child processes' MPS and EPS. The IPS can include any privilege in the LPS, but cannot exceed the LPS. The IPS can be set in a process in the following ways:
  • If the process has the proper privilege, it can expand the IPS programmatically through the setppriv system call
  • When a privileged command is run, the privileges specified in the inheritprivs attribute that is associated with the command are assigned into the IPS
Used Privilege Set (UPS)
Denotes the privileges that have been used for access checks during the life of the process. The UPS can be used to determine the privileges required by the process. When the kernel checks if a process has a given privilege, it stores a successful check in the UPS for the privilege.
Workload Partition Privilege Set (WPS)
A system WPAR can be restricted so that it does not allow all of the privileged operations that are allowed in the global WPAR. The privileged operations allowed in a system WPAR are controlled through the WPS. The global root can assign a limited set of privileges to a WPAR using the WPS. The WPS can be specified in the /etc/wpar/secattrs configuration file or when the WPAR is started with the /usr/sbin/startwpar command. All processes running in a WPAR have their LPS equal to their WPS.
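The containment rules stated above (EPS within MPS within LPS, IPS within LPS, LPS only ever shrinking, successful checks recorded in the UPS, and LPS equal to WPS inside a WPAR) can be captured in a small model. The following Python is an added illustration, not code from the AIX documentation: the privilege names are labels only, the MPS and EPS defaults are the model's own, and the child's IPS after an exec is assumed equal to the parent's IPS because the text does not say what it becomes.

```python
class ProcessPrivs:
    """One process's LPS, MPS, EPS, IPS and UPS, with the containment rules
    EPS <= MPS <= LPS and IPS <= LPS enforced on every change."""
    def __init__(self, lps, mps=None, eps=None, ips=None):
        self.lps = frozenset(lps)                                  # hard ceiling
        self.mps = frozenset(lps if mps is None else mps) & self.lps
        self.eps = frozenset(self.mps if eps is None else eps) & self.mps
        self.ips = frozenset(ips or ()) & self.lps
        self.ups = set()                                           # successful checks

    def lower_lps(self, drop):
        # Reducing the LPS is permanent and pulls every other set down with it.
        self.lps -= frozenset(drop)
        self.mps &= self.lps
        self.eps &= self.mps
        self.ips &= self.lps

    def priv_raise(self, *privs):
        # Like priv_raise(): activate privileges in the EPS, never beyond the MPS.
        want = frozenset(privs)
        if not want <= self.mps:
            raise PermissionError(f"not in MPS: {sorted(want - self.mps)}")
        self.eps |= want

    def priv_lower(self, *privs):
        # Like priv_lower(): deactivate privileges once the call that needed them returns.
        self.eps -= frozenset(privs)

    def set_ips(self, privs):
        # setppriv-style update of the IPS; rejected if it would exceed the LPS.
        new = frozenset(privs)
        if not new <= self.lps:
            raise PermissionError(f"exceeds LPS: {sorted(new - self.lps)}")
        self.ips = new

    def check(self, priv):
        # Kernel access check: decided on the EPS; a success is recorded in the UPS.
        if priv in self.eps:
            self.ups.add(priv)
            return True
        return False

    def exec_child(self):
        # Child keeps the parent's LPS; MPS and EPS start from the parent's IPS (child IPS = parent IPS assumed).
        return ProcessPrivs(self.lps, mps=self.ips, eps=self.ips, ips=self.ips)

def wpar_process(wps):
    # Inside a WPAR every process has an LPS equal to the WPS.
    return ProcessPrivs(wps)
```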

A system administrator can use administrative commands to list and modify the various privilege sets of a process. The lssecattr command can be used to list the LPS, MPS, EPS, IPS, and UPS. The setsecattr command can be used to modify the LPS, MPS, EPS, and IPS. The UPS cannot be modified with the setsecattr command since the UPS is a read-only attribute.