tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Mapping Linux extended attribute namespaces



Hi everybody

Our extended attribute API is derived from FreeBSD. It uses an int as
the namespace. Two namespaces are defined, system and user. For UFS1, 
we store system attributes in /.attribute/system et user attributes in 
/.attribute/user. Other namespaces are not honoured.

Linux extended attribute API uses a dot-delimited string prefix in the
attribute name as the namespace (e.g.: system.foo or user.bar). That
scheme let developers easily introduce any new namespace. A few namespace
are widely used and enjoy special treatments for access control: system, 
trusted, security and user. See Linux attr(5) for the details of 
acess control for the four deflined Linux namespaces:
http://linux.die.net/man/5/attr

We have a Linux API available from <sys/xattr.h>. It stores Linux system,
trusted and security namespaces as native system namespace, and anything 
other as native user namespace. It is available in latest HEAD and netbsd-5.

If one day we want to emulate the access control semantics of Linux
trusted and security namespaces, we need to introduce native namespaces
for them, otherwise we cannot tell the difference between them and 
system namespace. Since our extended attributes have never been usable 
in a a NetBSD release, I sugest to do it right now, as it will not
cause backward incompatibility. Doing it after a reelase where trusted
and security are mapped as system would need administrator intervention
to fix things.

Opinions?

-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost


Home | Main Index | Thread Index | Old Index