[ACL-Devel] Re: OT: ACLs for Linux

Linda Walsh law@sgi.com
Wed, 12 Apr 2000 14:34:44 -0700 

Andreas Gruenbacher wrote:
> We can define a one-block format that fits our current needs until a general
> attribute storage mechanism exists. For inclusion into the kernel, this seems
> not good enough (we would get a maximum of about 40 ACL entries on filesystems
> with 1K blocks). The problem I see is that there is really only one 32-bit value
> left per inode that we can grab, so we would have to dump our one-block format,
> breaking compatibility.
---

	Hmmm...We calculate 96 ACLs/1 K block.  1 16-bit mode word, 1 16-bit access
permission word, and 1 32 byte uid or gid.  8 bytes/entry.  Is more needed than
that?  As far as the ACL size limit.  IRIX only supports about 25 ACL's total on
an access list.  None of our customers have needed more than that -- managing
more gets to be hairy and a group is probably more convenient.  Imagine a
user-level group editor that either could allow root only to create groups, but a
group-owner to edit it, or even allowing users to create groups through a SET_CAP
group editor.

> 
> >
> >         Soooo.  Maybe in your header file you can increase the space for CAP's
> > to 48 bytes, and instead of an #if 0 struct mac {}, you can have a char mac_reserve[256];
> > and follow that by ACL's, I'd say we'd be set for the immediate future.
> 
> Yes, not a big problem. I have just uploaded a changed version:
> 
>   <http://acl.bestbits.at/pre/linux-2.2.14-acc-0.6.0-pre9.patch.gz>
> 
> Would you mind to detail what your 256 bytes of MAC data should contain? I don't
> have a clear picture how compartments etc. interact...
---
		1-byte sensitivity type, 1-byte integrity type, 1 byte sensitivity
level, 1 byte integrity level, 1 byte category count, 1 byte division count.  Then
comes categories 1 to N @ 2 bytes each, and then divisions 1 - N at 2 bytes each where
the total number of categories+divisions won't exceed 125.

	Even if we later needed to make all the byte fields (unsigned char) into
unsigned words, that would still allow 122 CAT+DIV.

-l

-- 
Linda A Walsh                    | Trust Technology, Core Linux, SGI
law@sgi.com                      | Voice: (650) 933-5338
-------------------------------------------------------------------------
Linux ACL Developers List ---  http://acl.bestbits.at/acl-devel/

To unsubscribe, send a message with `unsubscribe acl-devel'
in the message body to majordomo@bestbits.at.
-------------------------------------------------------------------------