Forced Roles

While initial roles are only set as temporary current roles, forced roles are kept until either another program with initial or forced role is executed or the process actively changes to a compatible role. Certainly, it has to be kept in a process attribute for later use.

All other implicit mechanisms, e.g. when changing the process owner, do not affect the current role while a forced role is set.

Forced roles are useful for those server program encapsulation cases, where a server program must always run with the same privileges for all process owners.

There are several special forced role values which affect implicit role transitions:

role_inherit_user:

Always set the (new) process owner's default role as current role when executing this program or when changing process owner while this program is executed. This can be used for login shells to make sure that the user's default role is used.

role_inherit_process:

Keep the current role when executing this program or changing process owner while this program is executed. This value lets subprograms keep the forced role of their parents in all cases.

role_inherit_parent (default value):

Get forced role setting from filesystem parent object. If there is no parent object, use root dir default value role_inherit_up_mixed. This default value allows to set a forced role for whole directory trees.

role_inherit_up_mixed (root dir default value):

Keep the current role when executing this program, but set it to new owner's default role when changing the process owner. This is the standard role model behaviour as mentioned above.

The forced role default settings make all programs run with the process owner's default role, which is the desired behaviour in most cases.

• forcedrole$_{tn}$(f:file):role := forced role value set for file f at time n
• effforcedrole$_{tn}$(f:file):role := effective forced role of file f at time n, including inheritance from parent filesystem objects

The effective forced role is derived as follows:

$${\mathrm{effforcedrole}_{tn}(\mathrm{f}):=}$$

$$\left\{ \begin{array}{r@{\ :\ }l} \mathrm{if\ forcedrole}_{tn}(\m... ...thrm{inherit\_parent} & \mathrm{forcedrole}_{tn}(\mathrm{f}) \end{array}\right.$$ (19)

Forced roles for program files extend the implicit role transition on execution from rule 18 as follows:⁶

$${\mathrm{execute}_{tn}(\mathrm{p,f}) \Rightarrow\ \mathrm{currentrole}_{tn+1}(\mathrm{p}) :=}$$

$$\left\{ \begin{array}{r@{\ :\ }l} \mathrm{if\ effforcedrole}_{tn}... ...mathrm{p})\\ else & \mathrm{effforcedrole}_{tn}(\mathrm{f}) \end{array}\right.$$ (20)

The effective forced role value from the executed file is copied to the respective process attribute.

$$\mathrm{execute}_{tn}(\mathrm{p,f}) \Rightarrow\ \mathrm{for... ..._{tn+1}(\mathrm{p}) := \mathrm{effforcedrole}_{tn}(\mathrm{f})$$ (21)

The implicit role transition on process owner changes from rule 3 is modified as well:

$${\mathrm{changeowner}_{tn}(\mathrm{p,u}) \Rightarrow\ \mathrm{currentrole}_{tn+1}(\mathrm{p}) :=}$$

$$\left\{ \begin{array}{r@{\ :\ }l} \mathrm{if\ forcedrole}_{tn}(\m... ...}(\mathrm{u})\\ else & \mathrm{forcedrole}_{tn}(\mathrm{p}) \end{array}\right.$$ (22)