Subject: Re: Support for ACLs
To: Aidan Cully <aidan@kublai.com>
From: Bill Studenmund <wrstuden@zembu.com>
List: tech-kern
Date: 03/12/2001 10:53:27
On Sat, 10 Mar 2001, Aidan Cully wrote:

> There is at least one other, very important downside, which I think
> I saw brought up: you need to ensure that all accesses to ACL-protected
> data go through the ACL mechanism, and that ACLfs remains consistent
> with the file-system underneath it.  I don't see how this can be
> enforced easily with a layered filesystem, though it obviously can be
> where ACLs are implemented inside the filesystem code directly...  This
> is not an issue that exists (to the best of my knowledge) with the
> current layered filesystems.

Check out the "OVERLAY" layered file system. I designed it for just this
reason. It acts like nullfs, except it does less - nullfs exports the file
tree into a different part of the system file tree, overlayfs
doesn't. Once you mount an overlay filesystem, you can't(*) get at the
underlying vnodes w/o going through the layer. Yes, all sorts of stuff can
happen before the layer gets mounted, but if the mounting happens early on
in boot, things should be mostly ok.

(*) all you need to do is make sure no processes have obtained working
directories in the underlying fs since they could get at other nodes w/o
going through the layer. You also need to have not NFS exported the
underlying fs already.

Take care,

Bill
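The two preconditions Bill lists (no process holding a working directory on the underlying file system, and the underlying file system not already NFS-exported) can be checked before the overlay is mounted. The script below is an added example, not code from the message or from NetBSD. It assumes the per-process working-directory list and the exports table are handed to it as text (on a live system you would gather the first from fstat(1) or similar and the second from /etc/exports; the "pid path" line format and the sample data are constructed here so it runs offline).

```shell
#!/bin/sh
# Pre-flight check before layering an overlay file system over ROOT.
# Added example: inputs are plain text, constructed below, not real fstat output.

# path_under DIR ROOT: true if DIR is ROOT itself or lies below it.
# Prefix matching on a path boundary, so /database is NOT under /data.
path_under() {
    pu_dir=$1; pu_root=$2
    [ "$pu_dir" = "$pu_root" ] && return 0
    [ "$pu_root" = "/" ] && return 0            # everything is under /
    case "$pu_dir" in
        "$pu_root"/*) return 0 ;;
    esac
    return 1
}

# cwds_in_fs ROOT: stdin is "pid cwd" lines; prints the pids whose working
# directory is on ROOT. Any such process holds a vnode reference below the
# layer and would bypass it.
cwds_in_fs() {
    ci_root=$1
    while read -r ci_pid ci_cwd; do
        [ -n "$ci_pid" ] || continue
        if path_under "$ci_cwd" "$ci_root"; then
            printf '%s\n' "$ci_pid"
        fi
    done
}

# fs_exported ROOT: stdin is /etc/exports-style text (directories first,
# then options starting with '-'). True if ROOT or any directory below it
# is exported; an export of a subdirectory also hands out underlying vnodes.
fs_exported() {
    fe_root=$1
    while read -r fe_line; do
        case "$fe_line" in ''|\#*) continue ;; esac
        set -- $fe_line
        for fe_field in "$@"; do
            case "$fe_field" in
                /*) path_under "$fe_field" "$fe_root" && return 0 ;;
                *)  break ;;                    # options begin here
            esac
        done
    done
    return 1
}

# overlay_preflight ROOT CWD_LIST EXPORTS_TEXT: exit 0 only if both checks pass,
# otherwise print the reasons and exit 1.
overlay_preflight() {
    op_root=$1; op_ok=0
    op_busy=$(printf '%s\n' "$2" | cwds_in_fs "$op_root")
    if [ -n "$op_busy" ]; then
        echo "processes with a working directory on $op_root: $op_busy"
        op_ok=1
    fi
    if printf '%s\n' "$3" | fs_exported "$op_root"; then
        echo "$op_root (or a directory below it) is NFS exported"
        op_ok=1
    fi
    return $op_ok
}

# Constructed sample inputs (not from any real system).
SAMPLE_CWDS='1 /
42 /usr/home/alice
103 /data/projects
107 /database'
SAMPLE_EXPORTS='# constructed exports table
/usr/home -maproot=nobody 192.0.2.0/24
/data/shared -ro 198.51.100.7'

overlay_preflight /data "$SAMPLE_CWDS" "$SAMPLE_EXPORTS" \
    || echo "refusing to mount an overlay on /data"
```

The same check applies to any other held reference to a vnode below the layer (an open file descriptor, a chroot root), so the pid list fed to cwds_in_fs can be widened to those as well; the path-boundary test in path_under is what keeps a sibling such as /database from being mistaken for part of /data.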