Re: XFS + RSBAC

To: K Mitchell Russell <kmrussel@xxxxxxxxxxx>
Subject: Re: XFS + RSBAC
From: Steve Lord <lord@xxxxxxx>
Date: Wed, 09 May 2001 14:00:27 -0500
Cc: linux-xfs@xxxxxxxxxxx
In-reply-to: Message from K Mitchell Russell <kmrussel@hsc.vcu.edu> of "Mon, 07 May 2001 19:44:04 EDT." <Pine.A41.4.10.10105071423320.42368-100000@comet.vcu.edu>
Sender: owner-linux-xfs@xxxxxxxxxxx
> Colleagues,
> 
> I have patched a kernel with XFS 1.0 and the Rule-Set Based Access
> Controls (www.rsbac.org). This is of particular importance to me for
> using Linux to power medical record repositories, requiring data
> integrity (journaled fs), performance, and security (mandatory access
> controls, role compatibility, ACLs, etc.)
> 
> The system seems to run fine even using RSBAC's 'check on init'
> function. This function caused problems with ReiserFS as ReiserFS works
> internally with 64 bit inode numbers, and RSBAC was removing entries for
> inode, which was making ReiserFS complain. Now my impression is that XFS
> uses 64 bit inodes, but somehow this is more compatible than the
> ReiserFS usage because I am not getting the same errors. Does XFS use 64
> bit inodes? Anyone care to comment?


Yes, XFS does use 64 bit inode numbers, but since the inode numbers are
really an encoded disk address, the top 32 bits of the inode number do not
get used unless you use really big filesystems, and the actual size is
a function of a number of factors, but at least 1 Tbyte, and usually
larger is required to move into the 33rd bit. I have some plans on how to
avoid this as well.

> 
> Finally, there is one part of the patch in RSBAC that is still FS
> dependent, a secure delete function that patches the fs/ext2/namei.c
> (for example) in ext2 by adding the following to ext2_unlink():
> 
> if(inode->i_nlink == 1)
>   rsbac_sec_del(dentry);
> 
> Now they have only implemented this into ext2, vfat, dos, and minix
> fs's, but would be nice for XFS integration as well. Where would such a
> patch work, or does XFS have an interface for this?

linvfs_unlink in fs/xfs/linux/xfs_iops.c, you need to do it after the
validate_fields() calls.

Steve

> 
> Anyone with further interest in both XFS and the RSBAC patches is
> welcome to cross post to the rsbac@xxxxxxxxx mailing list.
> 
> Thanks in advance, and congratulations on creating an excellent product
> in XFS and supporting open source software!
> 
> Regards,
> Mitchell
> 
> 
> ________________________________________________________________________
> K. Mitchell Russell, M.D.                         | kmrussel@xxxxxxxxxxx
> Research Fellow, MedITAC Research Lab             |   www.meditac.com
> 
> 
> 
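
Added example (not part of the original message and not XFS source code): the reply's description of the inode number as an encoded disk address, worked through in C to show where bit 32 first comes into use. The struct, function names and sample values are constructed; every allocation group (AG) is assumed to be exactly 2^agblklog blocks long, and key32() is a hypothetical consumer that keeps only 32 bits of the inode number, not a description of RSBAC.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed geometry. agblklog and inopblog mirror the XFS superblock
 * fields sb_agblklog and sb_inopblog; the struct itself is illustrative. */
struct geom {
    unsigned blocklog;  /* log2(filesystem block size in bytes)  */
    unsigned inodelog;  /* log2(on-disk inode size in bytes)     */
    unsigned agblklog;  /* log2(allocation group size in blocks) */
};

static unsigned inopblog(const struct geom *g) { return g->blocklog - g->inodelog; }

/* Inode number = AG number | block within AG | inode slot within block. */
static uint64_t make_ino(const struct geom *g, uint64_t agno, uint64_t agbno, uint64_t slot)
{
    unsigned ipb = inopblog(g);
    return (agno << (g->agblklog + ipb)) | (agbno << ipb) | slot;
}

/* Decode an inode number back to a byte offset on the device.
 * Assumption: every AG is exactly 2^agblklog blocks long. */
static uint64_t ino_to_byte(const struct geom *g, uint64_t ino)
{
    unsigned ipb = inopblog(g);
    uint64_t agno  = ino >> (g->agblklog + ipb);
    uint64_t agbno = (ino >> ipb) & ((1ULL << g->agblklog) - 1);
    uint64_t slot  = ino & ((1ULL << ipb) - 1);
    return (((agno << g->agblklog) | agbno) << g->blocklog) + (slot << g->inodelog);
}

/* Lowest device offset whose inode number has bit 32 (the "33rd bit") set. */
static uint64_t first_byte_needing_bit32(const struct geom *g) { return ino_to_byte(g, 1ULL << 32); }

/* Hypothetical consumer that keeps only the low 32 bits of an inode number. */
static uint32_t key32(uint64_t ino) { return (uint32_t)ino; }

int main(void)
{
    struct geom g = { 12, 8, 20 };  /* 4 KiB blocks, 256-byte inodes, 4 GiB AGs */
    uint64_t lo = make_ino(&g, 1, 64, 3), hi = make_ino(&g, 257, 64, 3);
    printf("bit 32 first needed at byte %llu\n",
           (unsigned long long)first_byte_needing_bit32(&g));
    printf("inodes %llu and %llu share 32-bit key %u\n",
           (unsigned long long)lo, (unsigned long long)hi, key32(lo));
    return 0;
}
```

With this constructed geometry the threshold is 2^40 bytes (1 TiB); 512-byte inodes move it to 2^41, and past it two distinct inodes can collapse to the same 32-bit key.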


