tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

extattr namespaces



Here is public disuccsion about extended attributs namespaces, following
a private request from yamt@

We ahve two extended attributes API in tree: one from FreeBSD and one from 
Linux. We are about to toss the FreeBSD one in favor of the Linux one. 
That is easy now since we never had working extended attributes in a 
release.

Extended attribute have namespaces, which are used for access control. 
For instance, an unprivilegied  user can access user namespace extattr on 
a file he owns. system namespace extattr can only be accessed by 
privilegied users.

In the FreeBSD API, namespaces are int. There are two namesapces defined:
ssytem and user. There is no way to add other namespaces, though I have
no idea what happens if one use an int valude different than system or user.

In the Linux API, namespaces are dot-prefixed to the extended attribute 
named. For instance: system.foo is the system-namespace foo attribute. 
One can use any namespace, some of them having special access controls:
trusted, system and security feature privilegied access control.

If we dump the FreeBSD API, we are left with kernel internal interfaces
with namespaces as an int. We can just ignore them and enforce the use 
of dot-prefux namespaces. 


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost


Home | Main Index | Thread Index | Old Index