new mac and cap

Robert Watson robert at cyrus.watson.org
Thu Nov 11 19:23:46 GMT 1999


On Thu, 11 Nov 1999, Ilmar S. Habibulin wrote:

> On Thu, 11 Nov 1999, Robert Watson wrote:
> 
> > > PS. Robert, when will we have a cvs repository?
> > I'm currently at IETF, and will be at a DARPA conference next week.
> > However, sometime over this, I plan to set up a repository, probably based
> > on 3.3-RELEASE so as to give us a stable base.
> I do not upgrade my working pc waiting for the cvs. I'm afraid of only one
> thing - I've tried to build -current and failed. :( Hope that will not
> repeat.

-CURRENT seems to be fairly unstable and broken these days, but should
clear up by Q1 of next year :-).  So in the meantime, 3.3-RELEASE seems
like a decent choice as it is quite stable and a decent base.  This is
pretty much what we're doing for the audit stuff also.  I'll send out
email once CVS is available.

> > I hope to put my ACL code online shortly -- don't have the data in the
> > file system, but have much of the userland libraries, have the kernel and
> > FS interface, etc.
> I just want to look at your approach of storing ACLs implemented in code.
> And maybe implement file mac labels and capabilities in the same way. But
> where do you store ACLs? Load them from some file at runtime (boot)?

Currently I don't bind ACLs to vnodes, although I have a stupidfs in the
pipeline -- a simple ramdisk implementation that is easy to modify. My ACL
code (most recent version) is currently on my notebook hard disk number 2,
unfortunately one without wireless ethernet (I'm sitting in the security
area meeting at IETF in Washington, DC right now :-), so I'll have to
stick it somewhere accessible shortly.  My ACL structure choices look more
like IRIX than Solaris or Linux, as I figure a fixed-size ACL is quite
sufficient for most environments.  I require that all ACLs handed to the
kernel be pre-sorted to reduce computation in the kernel, whereas other
implementations I've seen accept unsorted ACLs going to the kernel.  The
POSIX.1e library interface hides all this from the user, of course.

I'll put up my code in a very early form, perhaps tomorrow afternoon,
hopefully.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
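
[Added example, not part of the original message and not the author's ACL code: a sketch of how a kernel-side entry point could hold userland to the "fixed-size, pre-sorted" contract described above, using one linear validation pass instead of a sort, after which lookups can use binary search. All names, the entry limit and the (tag, id) sort key are assumptions made for illustration.]

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout; the limit and ordering are assumptions of this example. */
#define EX_ACL_MAX 32
enum ex_tag { EX_USER_OBJ = 1, EX_USER, EX_GROUP_OBJ, EX_GROUP, EX_MASK, EX_OTHER };

struct ex_acl_entry { uint32_t tag, id, perm; };  /* id is 0 unless USER/GROUP */
struct ex_acl { uint32_t count; struct ex_acl_entry entry[EX_ACL_MAX]; };

/* One O(n) pass: bounds, field sanity, and strictly increasing (tag, id).
 * Strict ordering rejects both unsorted input and duplicate entries, so the
 * kernel never has to trust the caller's claim that the ACL is sorted.
 * Returns 0 if the ACL is acceptable, -1 otherwise. */
int ex_acl_check_sorted(const struct ex_acl *acl)
{
    if (acl == NULL || acl->count == 0 || acl->count > EX_ACL_MAX)
        return -1;
    for (uint32_t i = 0; i < acl->count; i++) {
        const struct ex_acl_entry *e = &acl->entry[i];
        if (e->tag < EX_USER_OBJ || e->tag > EX_OTHER || (e->perm & ~7u) != 0)
            return -1;
        if (e->tag != EX_USER && e->tag != EX_GROUP && e->id != 0)
            return -1;
        if (i > 0) {
            const struct ex_acl_entry *p = &acl->entry[i - 1];
            if (p->tag > e->tag || (p->tag == e->tag && p->id >= e->id))
                return -1;
        }
    }
    return 0;
}

/* Binary search over a validated ACL; NULL when no entry matches. */
const struct ex_acl_entry *ex_acl_find(const struct ex_acl *acl,
                                       uint32_t tag, uint32_t id)
{
    uint32_t lo = 0, hi = acl->count;
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo) / 2;
        const struct ex_acl_entry *e = &acl->entry[mid];
        if (e->tag == tag && e->id == id)
            return e;
        if (e->tag < tag || (e->tag == tag && e->id < id))
            lo = mid + 1;
        else
            hi = mid;
    }
    return NULL;
}
```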
