jmjonesat_private wrote:

> I have heard that there's another project dealing with ACLs, but I wonder
> if these are NOT Linux Security and if they ARE, shouldn't we give some
> thought thereto?

ACLs are one form of "extended attributes". File system attributes are things like user and group ownership and mode bits attached to each file and directory in the file system. Many classical security models depend on having more attributes than these attached to files, such as ACLs (lists of subjects that may access the file) or MAC labels.

This is all deep in the guts of the file system, and so needs to be owned by the respective developers of the various file systems (EXT3, Reiser, XFS, JFS, etc.). Further, extended attributes depend on a whole bunch of file system commands being able to display and manipulate the extended attributes, e.g. ls and chmod must be able to do something with the extended attributes.

Making all this stuff work has WAY too many dependencies for LSM to depend on any of them. At best, we should allow modules to access this functionality, but that's problematic, because the functionality is specific to the file system, and thus may not be there depending on which file system is in use.

Does anyone know whether the VFS layer provides sufficient information to abstractly access extended attribute information? If so, great. If not, then we'll have an ugly mess connecting an LSM module to a file system-specific extended attribute facility.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
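Added example, not part of the original message or of any project's code: on current Linux kernels the generic `getxattr(2)` call exposes a file's POSIX ACL under the attribute name `system.posix_acl_access`, and a file system without that support answers `ENOTSUP`, which is the "may not be there" case the message describes. The C sketch below reads and decodes that attribute; `acl_entry`, `parse_posix_acl` and `read_acl_xattr` are names chosen for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define ACL_XATTR_NAME    "system.posix_acl_access"
#define ACL_XATTR_VERSION 0x0002u   /* header of the version-2 xattr encoding */
struct acl_entry { uint16_t tag, perm; uint32_t id; };   /* example's own type */

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) { return (uint32_t)le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Decode the little-endian blob: u32 version, then 8-byte entries
 * (u16 tag, u16 perm, u32 id). Returns entry count or a negative errno. */
int parse_posix_acl(const unsigned char *buf, size_t len, struct acl_entry *out, size_t cap)
{
    if (len < 4 || le32(buf) != ACL_XATTR_VERSION || (len - 4) % 8 != 0)
        return -EINVAL;                       /* unknown version or truncated */
    size_t n = (len - 4) / 8;
    if (n > cap) return -ERANGE;              /* caller's array is too small */
    for (size_t i = 0; i < n; i++) {
        const unsigned char *e = buf + 4 + 8 * i;
        out[i].tag = le16(e); out[i].perm = le16(e + 2);
        out[i].id = le32(e + 4);
    }
    return (int)n;
}

/* Fetch the ACL through the file-system-independent xattr call. Returns the
 * byte count, 0 when the file simply has no ACL, or a negative errno;
 * -ENOTSUP means this file system offers no ACL xattr, so only mode bits apply. */
long read_acl_xattr(const char *path, unsigned char *buf, size_t cap)
{
    ssize_t n = getxattr(path, ACL_XATTR_NAME, buf, cap);
    if (n >= 0) return (long)n;
    return errno == ENODATA ? 0 : -(long)errno;
}

int main(int argc, char **argv)
{
    unsigned char buf[4096];
    struct acl_entry acl[64];
    long len = read_acl_xattr(argc > 1 ? argv[1] : ".", buf, sizeof buf);
    if (len == -ENOTSUP) { puts("no ACL support on this file system"); return 0; }
    if (len < 0) { fprintf(stderr, "getxattr failed: errno %ld\n", -len); return 1; }
    int n = len ? parse_posix_acl(buf, (size_t)len, acl, 64) : 0;
    for (int i = 0; i < n; i++)
        printf("tag=0x%02x perm=%o id=%u\n", (unsigned)acl[i].tag, (unsigned)acl[i].perm, (unsigned)acl[i].id);
    return n < 0;
}
```

A caller enforcing policy should treat `-ENOTSUP` and a zero-length result differently: the first means the file system cannot carry the attribute at all, the second that it can but none is set.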
This archive was generated by hypermail 2b30 : Sat Jul 28 2001 - 20:09:04 PDT