Low Watermark MAC (LOMAC) implementation for Linux

Ilmar S. Habibulin ilmar at ints.ru
Sat Oct 16 17:59:17 GMT 1999 

On Thu, 14 Oct 1999, Robert Watson wrote:

> I'm also interested in how the Solaris folk fit ACLs (and presumably other
> things) into their FFS.  One of the things that I think is important is to
> give ACL/other security-relevant tags the same atomic update properties
> that attribute information in traditional inode structures has--i.e., in
> the event of an untimely power loss, it's not possible to end up with the
> inode but not the associated ACL or MAC data.  Fitting the data into the
> inode directly might be one way to do this, but it's probably desirable to
> have a general extension mechanism (such as XFS-style attributes,
> possibly?) so we don't have to keep modifying the file system.  This can
> result in painful upgrade procedures, divergences in mainstream and secure
> code, etc.

struct dinode {
	u_int16_t	di_mode;	/*   0: IFMT, permissions; see below. */
	int16_t		di_nlink;	/*   2: File link count. */
	union {
		u_int16_t oldids[2];	/*   4: Ffs: old user and group ids. */
		int32_t	  inumber;	/*   4: Lfs: inode number. */
	} di_u;
	u_int64_t	di_size;	/*   8: File byte count. */
	int32_t		di_atime;	/*  16: Last access time. */
	int32_t		di_atimensec;	/*  20: Last access time. */
	int32_t		di_mtime;	/*  24: Last modified time. */
	int32_t		di_mtimensec;	/*  28: Last modified time. */
	int32_t		di_ctime;	/*  32: Last inode change time. */
	int32_t		di_ctimensec;	/*  36: Last inode change time. */
	ufs_daddr_t	di_db[NDADDR];	/*  40: Direct disk blocks. */
	ufs_daddr_t	di_ib[NIADDR];	/*  88: Indirect disk blocks. */
	u_int32_t	di_flags;	/* 100: Status flags (chflags). */
	int32_t		di_blocks;	/* 104: Blocks actually held. */
	int32_t		di_gen;		/* 108: Generation number. */
	u_int32_t	di_uid;		/* 112: File owner. */
	u_int32_t	di_gid;		/* 116: File group. */
	int32_t		di_spare[2];	/* 120: Reserved; currently unused */
	^^^^^^^^^^^^^^^^^^^^^^^^^^^
};
Lets use these free space to store pointers to disk blocks containg
extended attributes. di_spare field is bzero'ed while allocation of the
inode, so null pointer should point to the absense of the extended
attributes. And we can dynamically allocate blocks without
upgrading/reconstructing fs.

> I'm out of town this weekend, but I think the next step in BSD support for
> ACLs/MAC support in the FS is to add support in the VFS/vnode layer for
> requesting and modifying these attributes.  How that interface looks
> depends a bit on whether we have a general-purpose extension mechanism or
> not.  Given the proliferation of various file systems at this point, it
> might make sense to add kernel-level VFS interfaces such as getacl,
> setacl, getmaclabel, setmaclabel, and let the file system decide how to
> store this data.  This might allow the hiding of AFS or Coda ACLs behind a
I suppose to use set_ext_attr/get_ext_attr interface.

> POSIX.1e ACL interface, which would probably be quite desirable, if
> feasible.  There are downsides to this, of course, including that the
> vnode/vfs layer is now aware of a particular kind of ACL interface or MAC
> interface--of course, it already knows about permissions, and in a sense
> it's just passing back and forth binary blobs most of the time for ACLs as
> the FS layer itself enforces the limits, I believe.
> 
> For the MAC data, however, that's a different question,..
It's just another data type.

To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message

More information about the posix1e mailing list