* Casey Schaufler (casey@schaufler-ca.com) wrote:
> --- Stephen Smalley <sds@private> wrote:
>
> > The question is whether the kernels of those systems
> > provided:
> > a) only an xattr API to userspace, with the API for
> > getting and setting
> > specific attributes like MAC labels and ACLS done
> > entirely in userspace
> > on top of the kernel xattr API, or
> > b) multiple separate APIs for distinct attributes
> > like ACLs and MAC
> > labels as well as the xattr API.
>
> Security attributes are stored as "root" attributes.
> The xattr interface does not make them generally
> available, even to the owner.
>
> The POSIX P1003.1e interfaces (please read the
> draft sometime, it will help) mac_get_file()
> and mac_set_file() are implemented as system
> calls because they implement a less restrictive
> policy than is required of xattr root attributes.
We store labels as extended attributes in a reserved namespace
("security."). Thus a mac_get_file() is simply a library wrapper
around getxattr. The namespace for security labels is reserved and
security checks for those labels are handled by the security modules.
I don't see what exactly you are taking issue with.
thanks,
-chris
This archive was generated by hypermail 2.1.3 : Mon Jul 25 2005 - 12:00:43 PDT