Protection matrixes in Minix
From Erights
Minix structure
The Minix3 operating system provides a classical UNIX-like environment. It provides the usual UNIX system calls (fork, exec, exit, kill, open, read, write, etc.). From this point of view, we would have no reason to prefer it over, say, Linux or FreeBSD.
The goal of the Minix project is to improve the internal quality of the operating system implementation. Why and how it is done is described in the Minix book.
The following figure captures the structure of the Minix operating system:
Processes in Layer 1 run in the kernel space. Processes in Layers 2, 3 and 4 run in the user space. All ordinary user space programs that a Minix user runs explicitly run in Layer 4. The processes that together actually implement the UNIX-like services run in Layers 1, 2 and 3.
Layer 1 contains:
- the KERNEL task (it implements the scheduler, it provides the inter-process communication mechanisms used by other processes, it is hooked to IRQs, it enforces the security policies defined by the protection matrices described below, etc.)
- the SYSTEM task provides various services to user space processes from layers 2 and 3 that must be performed in the kernel space (I/O operations and such). Minix designers call these services "kernel calls".
- the clock task is actually a device driver of the PIT (Programmable Interval Timer chip) that would be hard to move to user space, so it runs in the kernel space.
Minix designers use the term "task" to refer to processes running in Layer 1.
Layer 2 contains various processes that act as user-space device drivers (DRV).
Layer 3 contains various higher level subsystems:
- "process manager" (PM) implements most of the UNIX services that are related to processes
- "file system" (FS) implements most of the UNIX services that are related to files
- "reincarnation server" (RS) which periodically checks (as a heartbeat) whether particular device drivers are running. It restarts those that have crashed (due to a segmentation fault, for example).
- "data server" (DS) can be used by device drivers to store their internal state so that a restart of the device driver is not visible to observers.
- etc.
Programs explicitly run by a Minix user appear in Layer 4.
The following sections describe various examples of protection matrixes present internally within Minix. Each of them is enforced by the KERNEL task.
Protection matrix that defines which processes can use which IPC mechanisms
The KERNEL task provides five different IPC primitives:
- send
- receive
- sendrec
- notify
- echo
The following protection matrix defines which (group of) processes can use which particular IPC primitives.
(Groups of) processes are the subjects. Particular IPC primitives are the objects. The operation is the invocation of a given IPC primitive.
Protection matrix that defines which processes can talk to which other processes
The operating system is composed of multiple processes:
- SYSTEM (the system task)
- PM (the process manager)
- FS (the file system)
- RS (the reincarnation server)
- MEM (the memory driver)
- LOG (the logging driver)
- TTY (the terminal driver)
- DS (the data server)
- INIT (the init process)
- CLOCK (the clock driver)
The following matrix defines the allowed interactions (via IPC primitives) among processes.
In this case, rows are (groups of) subjects and columns are objects. Operation in this case is any IPC primitive.
Protection matrix that defines which processes can use which "kernel calls"
Even though most of the Minix operating system is implemented as a set of user-space processes, there are actions that cannot be done by user space processes. They were refactored into the SYSTEM task, which runs in the kernel space and, when these services are invoked, performs them on behalf of the invoker. The SYSTEM task supports the following services:
- sys_fork
- sys_exec
- sys_exit
- sys_nice
- ...
The protection matrix defines which services of the SYSTEM task can be invoked by which processes.
In this case, rows are (groups of) subjects and columns are objects. The operation in this case is the invocation of a particular service of the SYSTEM task.
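The three matrices above (IPC primitives, process-to-process interaction, kernel calls) can be modelled as one bitmask row per subject, with the KERNEL task consulting each row before carrying out a request. The following is an added example written for this page, not Minix's own code: the process numbering, the `struct priv` layout and the policy rows are constructed sample values, and the assumption that a kernel call reaches SYSTEM via sendrec is this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
/* The five IPC primitives named on the page, one bit each (columns of matrix 1). */
enum { IPC_SEND = 1u << 0, IPC_RECEIVE = 1u << 1, IPC_SENDREC = 1u << 2,
       IPC_NOTIFY = 1u << 3, IPC_ECHO = 1u << 4 };
/* Row/column indexes: the system processes named on the page plus one row for
 * ordinary Layer 4 user processes (hypothetical numbering). */
enum { P_SYSTEM, P_PM, P_FS, P_RS, P_MEM, P_LOG, P_TTY, P_DS, P_INIT, P_CLOCK,
       P_USER, P_COUNT };
/* The SYSTEM task services named on the page (columns of matrix 3). */
enum { KC_FORK = 1u << 0, KC_EXEC = 1u << 1, KC_EXIT = 1u << 2, KC_NICE = 1u << 3 };

/* One row of each matrix, stored per subject (hypothetical layout). */
struct priv {
    uint32_t trap_mask; /* IPC primitives the subject may invoke       */
    uint32_t ipc_to;    /* bit i set: subject may exchange IPC with i  */
    uint32_t call_mask; /* SYSTEM services the subject may request     */
};

/* Constructed sample policy, not the real Minix tables. Rows left out of the
 * initializer stay all-zero, so an unlisted subject is denied everything. */
static const struct priv policy[P_COUNT] = {
    [P_PM]   = { IPC_SEND | IPC_RECEIVE | IPC_SENDREC | IPC_NOTIFY,
                 (1u << P_SYSTEM) | (1u << P_FS) | (1u << P_USER),
                 KC_FORK | KC_EXEC | KC_EXIT | KC_NICE },
    [P_FS]   = { IPC_SEND | IPC_RECEIVE | IPC_SENDREC | IPC_NOTIFY,
                 (1u << P_SYSTEM) | (1u << P_PM) | (1u << P_MEM) | (1u << P_TTY)
                     | (1u << P_USER),
                 KC_EXEC },
    [P_USER] = { IPC_SENDREC, (1u << P_PM) | (1u << P_FS), 0 },
};

/* The check the KERNEL task makes before carrying out an IPC primitive: the
 * subject must be allowed the primitive (matrix 1) and be allowed to talk to
 * the other party (matrix 2). Out-of-range indexes are denied, never indexed. */
bool ipc_allowed(int src, uint32_t prim, int other)
{
    if (src < 0 || src >= P_COUNT || other < 0 || other >= P_COUNT)
        return false;
    if ((policy[src].trap_mask & prim) != prim)
        return false;
    return (policy[src].ipc_to & (1u << other)) != 0;
}

/* A kernel call is a request carried to the SYSTEM task over IPC (assumed here
 * to be sendrec), so both IPC checks apply before the call mask (matrix 3). */
bool kernel_call_allowed(int src, uint32_t call)
{
    if (!ipc_allowed(src, IPC_SENDREC, P_SYSTEM))
        return false;
    return (policy[src].call_mask & call) == call;
}
```

Note that a user process in this sample policy is refused a kernel call twice over: it has no call mask, and it is not allowed to address SYSTEM at all, so the request is stopped by the IPC matrices before the call mask is even consulted.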