Re: XFS + RSBAC (fwd)


From: K Mitchell Russell <kmrussel@hsc.vcu.edu>
Subject: Re: XFS + RSBAC (fwd)
Date: Wed, 9 May 2001 15:08:52 -0400 (EDT)



Here's what I found from my inquiry on the XFS mailing list regarding
the XFS inodes and compatibility with RSBAC.

---------- Forwarded message ----------
From: Steve Lord <lord@sgi.com>
To: K Mitchell Russell <kmrussel@hsc.vcu.edu>
Cc: linux-xfs@oss.sgi.com
Date: Wed, 09 May 2001 14:00:27 -0500
Subject: Re: XFS + RSBAC 

> Colleagues,
> 
> I have patched a kernel with XFS 1.0 and the Rule-Set Based Access
> Controls (www.rsbac.org). This is of particular importance to me for
> using Linux to power medical record repositories, requiring data
> integrity (journaled fs), performance, and security (mandatory access
> controls, role compatibility, ACLs, etc.)
> 
> The system seems to run fine even using RSBAC's 'check on init'
> function. This function caused problems with ReiserFS as ReiserFS works
> internally with 64 bit inode numbers, and RSBAC was removing entries for
> inode, which was making ReiserFS complain. Now my impression is that XFS
> uses 64 bit inodes, but somehow this is more compatible than the
> ReiserFS usage because I am not getting the same errors. Does XFS use 64
> bit inodes? Anyone care to comment?


Yes, XFS does use 64 bit inode numbers, but since the inode numbers are
really an encoded disk address, the top 32 bits of the inode number do not
get used unless you use really big filesystems, and the actual size is
a function of a number of factors, but at least 1 Tbyte, and usually
larger is required to move into the 33rd bit. I have some plans on how to
avoid this as well.

> 
> Finally, there is one part of the patch in RSBAC that is still FS
> dependent, a secure delete function that patches the fs/ext2/namei.c
> (for example) in ext2 by adding the following to ext2_unlink():
> 
> if(inode->i_nlink == 1)
>   rsbac_sec_del(dentry);
> 
> Now they have only implemented this into ext2, vfat, dos, and minix
> fs's, but would be nice for XFS integration as well. Where would such a
> patch work, or does XFS have an interface for this?

linvfs_unlink in fs/xfs/linux/xfs_iops.c, you need to do it after the
validate_fields() calls.

Steve

The XFS release 1.0 patches are available at
ftp://oss.sgi.com/projects/xfs/download/Release-1.0/patches/

Mitchell
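
An added illustration (not code from this thread, from XFS, or from RSBAC) of the point above that the inode number is an encoded disk address, and of what a security layer keying per-file attributes on a 32-bit inode number would see once the 33rd bit is in use. The field layout (allocation group, block in group, slot in block), the geometry values, and the `key32` attribute key are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample geometry (assumption): 4 KiB blocks, 256-byte inodes,
 * 4 GiB allocation groups (AGs). */
struct geom {
    unsigned blocklog;  /* log2(block size in bytes) */
    unsigned inopblog;  /* log2(inodes per block) */
    unsigned agblklog;  /* log2(blocks per AG) */
};
static const struct geom sample = { 12, 4, 20 };

/* Inode number as an encoded disk address (assumed layout):
 * AG number | block within AG | inode slot within block. */
static uint64_t make_ino(const struct geom *g, uint64_t agno,
                         uint64_t agbno, uint64_t slot)
{
    return (agno << (g->agblklog + g->inopblog)) | (agbno << g->inopblog) | slot;
}

/* True when the inode number survives storage in a 32-bit field. */
static int fits_in_32(uint64_t ino) { return (ino >> 32) == 0; }

/* Key a hypothetical attribute table would use if it kept only 32 bits. */
static uint32_t key32(uint64_t ino) { return (uint32_t)ino; }

/* Byte offset of the first AG whose inode numbers need bit 33;
 * 0 means even the first AG can produce such numbers. */
static uint64_t wide_threshold_bytes(const struct geom *g)
{
    unsigned aginolog = g->agblklog + g->inopblog;
    if (aginolog > 32)
        return 0;
    return (1ULL << (32 - aginolog)) << (g->agblklog + g->blocklog);
}

int main(void)
{
    uint64_t low  = make_ino(&sample, 0,   5, 3);
    uint64_t high = make_ino(&sample, 256, 5, 3);   /* AG 256 starts at 1 TiB */

    printf("threshold: %llu bytes\n", (unsigned long long)wide_threshold_bytes(&sample));
    printf("low  ino %#llx fits=%d key=%#x\n", (unsigned long long)low,  fits_in_32(low),  (unsigned)key32(low));
    printf("high ino %#llx fits=%d key=%#x\n", (unsigned long long)high, fits_in_32(high), (unsigned)key32(high));
    /* Same 32-bit key for two different files: attributes would be mixed up. */
    printf("aliased: %s\n", key32(low) == key32(high) ? "yes" : "no");
    return 0;
}
```

With this sample geometry the first inode number that no longer fits in 32 bits belongs to the allocation group starting at 1 TiB, so a 32-bit attribute key is only unambiguous below that size.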
