![[LWN Logo]](/images/lwn.banner.gif)
Date: Sun, 07 May 2000 01:17:40 +0200
From: Andreas Gruenbacher <a.gruenbacher@bestbits.at>
To: Linux ACL Developers List <acl-devel@bestbits.at>
Subject: [ACL-Devel] Re: Extended attributes implementation -- some docs
This is a multi-part message in MIME format.
--------------899A113C071253D325A3B707
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
This should become some sort of design document :-)
Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher@computer.org
Contact information: http://www.bestbits.at/~ag/
--------------899A113C071253D325A3B707
Content-Type: text/plain; charset=us-ascii;
name="ext_attr.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="ext_attr.txt"
EXTENDED FILESYSTEM ATTRIBUTES
Andreas Gruenbacher <a.gruenbacher@computer.org>
7 May 2000
TABLE OF CONTENTS
-----------------
OVERVIEW
WHY DO WE NEED THIS?
BACKGROUND
EXTENDED ATTRIBUTES
ISSUES
VFS IMPLEMENTATION DESIGN
FILESYSTEM IMPLEMENTATION CHOICES
EXT2 EXTENDED ATTRIBUTES
...
REFERENCES
OVERVIEW
--------
...
WHY DO WE NEED THIS?
--------------------
Linux is currently behind other commercial and free flavors of
UNIX-like operating systems as far as advanced security concepts are
concerned. For high security ratings several mechanisms are mandated.
These mechanisms require security objects to be associated with files.
Since Linux does not currently include support for storing such
objects, these advanced security mechanisms did not develop very well
so far. By including extended attributes in the kernel, these
mechanisms will become stable faster, which will allow Linux to be
used in areas in which it currently is inappropriate.
Capabilities are already part of the kernel, but suffers from not
being able to associate capabilities with executables (there are even
several hacks available to work around this limitation, such as
elfcap). There is also a mostly complete Posix ACL implementation,
etc.
BACKGROUND
----------
There are two common approaches for associating additional information
with files/directories. The one implemented by SGI Irix and Compaq
(Digital) Tru64 is similar to the design described here.
Limited-length attributes are associated with inodes.
The other approach is to associate arbitrary-length resources
("forks") with inodes. This approach is used by the Apple Macintosh
HFS filesystem [and which others?].
Fixed-length attributes are accessed as atomic objects. They can be
implemented fast, with little overhead. For extending the kernel
security functionality, this approach seems most appropriate.
Forks are accessed like regular files. In other words, these resources
are similar to a directory behind a regular file. While kernel
security extensions could be implemented atop forks, this involves
additional overheads. The real users of forks would probably be in
userspace.
Forks are an additional level of abstraction that can be be achived in
userspace with a modified design. Implementing them would simply
extend the filesystem namespace. HFS forks also are mapped to regular
files in Linux, rather than inventing a new interface.
Extended attributes, on the other hand, seem very much what is needed
to store the additional system objects required for the projects
mentioned. The same mechanism, once implemented, can also be made
available for storing small amounts of user space information.
EXTENDED ATTRIBUTES
-------------------
Extended attributes are name/value pairs associated permanently with
files and directories, similar to the environment strings associated
with a process. That is, an attribute may be defined or undefined. If
an attribute is defined, its value may be empty or non-empty. Names
are zero-terminated strings. Values are arbitrary binary data.
Attributes are small chunks of information accessed as atomic objects.
Reading retrieves the whole value of an attribute and stores it in a
buffer. Writing replaces the previous value, if that attribute was
previously defined. If it was not, the new attribute is added.
User and system attributes are supported. System attribute names begin
with a '$' character (e.g., "$acl"). Attributes names beginning with
an alphabetic character denote user attributes (e.g., "charset").
Processes that have search access to a directory also have access to
the list of attribute names of files in that directory. Access to the
values of user attributes is subject to the same permissions as access
to the file's contents. Access to system attribute values depends on
the name of the attribute. Both reading/writing and the accepted
values may be restricted.
System attributes will be used to store system security objects such
as Access Control Lists, Mandatory Access Control labels and
Capabilities. Other uses are not precluded. User objects may be used
to store small amounts of additional information such as the character
sets of files, checksums, etc. Storing bigger items such as thumbnails
is currently not possible. However, this is a possible future
extension.
ISSUES
------
Extended attributes are intended to be used for system objects such as
Access Control Lists, Mandatory Access Control labels, Capabilities,
possibly some sort of auditing information, etc.
These attributes need to be retrieved fast. Objects such as Access
Control Lists (ACLs) and Mandatory Access Control (MAC) labels
participate in access control decisions.
Writing extended attributes is not extremely time critical, since
updates to security settings are much less frequent. (The read/write
ratio may be comparable, but probably is higher than the read/write
ratio of regular files).
Values are typically small. The size is in the order of several
hundred bytes or less. This allows attributes to be simply copied in
one piece.
Extended attributes can be associated with files and directories. A
consequent extension is to also allow extended attributes to be
associated with processes. This simplifies handling of Capabilities
and per-process ACLs, for example (both types of objects may also be
associated with processes---for ACLs, that's similar to the umask).
VFS IMPLEMENTATION DESIGN
-------------------------
The system call and VFS layer consists of three system calls
ext_attr_path, ext_attr_fd, and ext_attr_proc, for manipulating
extended attributes of a files (pathname and open file) and processes.
These system calls are used to manipulate both user and system
attributes. Semantic restrictions are checked in the VFS. Two
downcalls to the physical filesystem (for setting and retrieving) do
the actual filesystem work.
For user attributes, access control is performed in the VFS.
For system attributes, a separate handler is used for each named
system attribute defined that implements all restrictions specific to
that system attribute. This may affect access control as well as the
values accepted.
FILESYSTEM IMPLEMENTATION CHOICES
---------------------------------
...
EXT2 EXTENDED ATTRIBUTES
------------------------
Currently, extended attributes are only supported on the Extended
Second (ext2) Filesystem. Other filesystems may support extended
attributes in the future. On ext2, all attributes for one file are
currently limited to one disk block. For a filesystem with a block
size of 1024 bytes this amounts to two access control list with >50
entries each (which is more than necessary), or several smaller
objects. All the system security objects will probably fit on one disk
block very easily. The on-disk structures and algorithms are designed
so that this restriction may be removed later. Attribute descriptions
and/or their values may be moved to additional disk blocks when
necessary.
In each ext2 inode, we have the i_file_acl field, reserved for Access
Control Lists. I have used this field for storing the block number on
which the extended attributes of an inode are stored instead (ACLs are
stored as extended attributes).
Extended attributes are stored on `plain' disk blocks, which are not
part of any files. The disk block layout is similar to the layout used
for directories. After the attribute block header, entry headers
follow. The size of entry headers varies with the length of the
attribute name.
The attribute values are on the same block as their attribute entry
descriptions, aligned to the end of the attribute block. This allows
for additional attributes to be added more easily.
A list of attribute names associated with a file can be retrieved. The
filesystem handler returns a string of names separated by null
characters, terminated by two null characters at the end of the list.
The attribute blocks currently not counted in quotas properly. If an
extended attribute block is allocated for an inode, this should be
reflected in the st_blocks field of struct stat (for the stat() system
call).
The mechanism implemented does not scale well to a massive number of
attributes. This is no problem. I don't see any reason for storing
very many attributes for a single inode.
WHY NOT THE ``QUOTA DESIGN''?
-----------------------------
- difficult to retrieve a list of all attributes
- probably slower
- declaring attributes is ugly
+ needs only minimal modifications to filesystems
IMPROVEMENTS
------------
- compact storage of common names uning table lookup (trivial)
- reference counting attribute blocks (requires hashing attribute blocks)
- enlarge size limits
REFERENCES
----------
...
--------------899A113C071253D325A3B707--
-------------------------------------------------------------------------
Linux ACL Developers List --- http://acl.bestbits.at/acl-devel/
To unsubscribe, send a message with `unsubscribe acl-devel'
in the message body to majordomo@bestbits.at.
-------------------------------------------------------------------------