Mask triggers
-------------

A trigger is used to define interactive security behaviors. Each process has two sysmask mask sets, one active and one latent, and a trigger. Only the active mask set is immediately effective.

The trigger is composed of a triggering value and a counter. While the trigger is defined, the counter holds a positive value. Upon certain recognizable actions of the process, the triggering value is compared with the action; when the two are identical, the counter is decreased by one. When it reaches zero, the latent mask set is added to the active one, changing the security definition. This usually means a security tightening, but since masks can also be used for conditional access control via token configurations, the change of behavior may sometimes go either way.

Trigger-recognizable actions are system calls, whether successful or not. Attempts to access files or sockets can also be used as triggers, via the tick option. The behavior, however, depends on the type of access. For an exec request, only a successful execve decreases the counter. For other file accesses, only an attempt to open the file for read or write decreases the counter; this happens whether the file exists or not, and whether the open is accepted or not. The mere fact of checking a pathname has no effect on the trigger. Note that when the follow option is set, a file access may result in two checks, one for the submitted pathname and the other for the physical pathname after symlink resolution; the latter has no effect on the trigger. For socket access, any matching request decreases the counter.

---------------------------------------

Any system call number or its name can be used as a trigger. Besides, the following socket calls can also be used as separate triggers:

accept bind connect getpeername getsockname getsockopt listen recv recvfrom recvmsg send sendmsg sendto setsockopt shutdown socket socketpair

There is also a special trigger, "tick". It can only be decreased by the tick option in a token definition.

--------------------------------------------

A token configuration has other means to declare triggered masks, in the file/socket/call files.
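The following is an added illustration of the trigger rules above as a small state model; it is not code from the sysmask project. The class and function names, the choice to model a mask set as the set of syscall names a process is denied, and the reading that a tick-flagged access is compared against the trigger value "tick" are assumptions made for the example. It walks a process through the events the text distinguishes (failed versus successful execve, a pathname check, the second check on the physical pathname under follow, a refused open) and shows which of them move the counter and when the latent set joins the active one.

```python
"""Toy model of sysmask-style mask triggers.

Constructed example for this page; not code from the sysmask project.  Names
below are illustration-only assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Socket calls the page lists as usable as separate triggers.
SOCKET_CALLS = {
    "accept", "bind", "connect", "getpeername", "getsockname", "getsockopt",
    "listen", "recv", "recvfrom", "recvmsg", "send", "sendmsg", "sendto",
    "setsockopt", "shutdown", "socket", "socketpair",
}
TICK = "tick"   # the special trigger, fed only by tick-flagged file/socket accesses


@dataclass
class Trigger:
    value: str   # a syscall name, one of SOCKET_CALLS, or TICK
    count: int   # positive while the trigger is defined

    def __post_init__(self) -> None:
        if self.count <= 0:
            raise ValueError("a defined trigger needs a positive counter")


@dataclass
class Process:
    # Assumption: a mask set is modelled as the set of syscall names it denies.
    active: Set[str]
    latent: Set[str] = field(default_factory=set)
    trigger: Optional[Trigger] = None
    fired: bool = False

    def denied(self, syscall: str) -> bool:
        """Only the active mask set is immediately effective."""
        return syscall in self.active

    def _action(self, name: str) -> bool:
        """Compare a recognizable action with the trigger value.  Returns True
        if the counter was decreased; at zero the latent set joins the active set."""
        if self.trigger is None or name != self.trigger.value:
            return False
        self.trigger.count -= 1
        if self.trigger.count == 0:
            self.active |= self.latent
            self.fired = True
            self.trigger = None      # counter no longer positive: trigger is spent
        return True

    def syscall(self, name: str, success: bool) -> bool:
        """A system call is recognizable whether it succeeded or not."""
        return self._action(name)

    def file_access(self, kind: str, tick: bool, success: bool = True,
                    resolved: bool = False) -> bool:
        """kind is 'exec', 'open' (read/write attempt) or 'check' (pathname
        check only).  resolved=True is the second check on the physical pathname
        after symlink resolution under the follow option; it never counts."""
        if not tick or resolved or kind == "check":
            return False
        if kind == "exec" and not success:
            return False              # only a successful execve counts
        # an open attempt counts whether the file exists or the open is accepted
        return self._action(TICK)

    def socket_access(self, call: str, tick: bool) -> bool:
        """Any request matching a tick-flagged socket entry counts."""
        if call not in SOCKET_CALLS or not tick:
            return False
        return self._action(TICK)


def demo_syscall_trigger() -> tuple:
    """Trigger on the 'fork' syscall: one fork, even a failed one, adds the latent set."""
    p = Process(active={"ptrace"}, latent={"execve"}, trigger=Trigger("fork", 1))
    before = p.denied("execve")
    p.syscall("fork", success=False)     # failure still matches
    return before, p.denied("execve"), p.fired


def demo_tick_trigger() -> tuple:
    """Tick trigger with counter 2: only qualifying file/socket accesses move it."""
    p = Process(active={"ptrace"}, latent={"socket", "connect"},
                trigger=Trigger(TICK, 2))
    events = [
        p.file_access("check", tick=True),                  # pathname check: no
        p.file_access("exec", tick=True, success=False),    # failed exec: no
        p.file_access("exec", tick=False),                  # no tick option: no
        p.file_access("exec", tick=True),                   # counts -> 1 left
        p.file_access("open", tick=True, resolved=True),    # physical path: no
        p.socket_access("connect", tick=False),             # no tick option: no
    ]
    still_open = not p.denied("connect")                    # latent not active yet
    events.append(p.file_access("open", tick=True, success=False))  # refused open counts -> 0
    return events, still_open, p.denied("connect"), p.fired
```

In `demo_tick_trigger`, `connect` is still permitted after the first successful execve and only becomes denied once the refused open brings the counter to zero; the pathname check, the failed execve, the resolved-path check and the accesses without the tick option leave the counter untouched, exactly as the text describes.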