Linux3.0.0 the DAC security data structure (traditional 9Bit module, ACL mode) related to objects (such as files/directories) in the kernel

Source: Internet
Author: User

1th FCB Data structure (file control block)

1. Catalog items

Equivalent to the FCB sub-department, including two content: that is, the file name and inode number, different filenames may correspond to the same inode number, which corresponds to the same FCB master, that is, a file can have multiple names.

2. Inode

The main part of the FCB, including file owners, shared instructions, address information, etc., called the inode, the inode and the file has a one-to-one relationship. In the Unix file system, there is a fixed area that holds the inode for all files. Each inode has a unique number called I_number.

The inode is defined in Include/linux/fs.h, as follows:

struct Inode {/* RCU path Lookup touches following: */umode_t I_mode;      uid_t I_uid;      gid_t I_gid;      const struct Inode_operations *i_op;       struct Super_block *i_sb;   spinlock_t I_lock;      /* I_blocks, I_bytes, maybe i_size */unsigned int i_flags; unsigned long i_state; #ifdef config_security void *i_security; #endif struct Mute        x I_mutex;      unsigned long dirtied_when;      /* Jiffies of First dirtying */struct Hlist_node i_hash;     struct List_head i_wb_list;             /* Backing Dev IO list */struct list_head i_lru;      /* inode LRU list */struct list_head i_sb_list;             Union {struct List_head i_dentry;      struct Rcu_head i_rcu;      };      unsigned long I_ino;      atomic_t I_count; unsigned int i_nlink;      dev_t I_rdev;      unsigned int i_blkbits;      U64 i_version; loff_t i_size, #ifdef __need_i_size_ordered seqcount_t i_size_seqcount; #endif struct      Timespec I_atime;      struct Timespec i_mtime;      struct Timespec i_ctime;      blkcnt_t i_blocks;      unsigned short i_bytes;      struct Rw_semaphore I_alloc_sem;   const struct File_operations *i_fop;      /* Former->i_op->default_file_ops */struct file_lock *i_flock;      struct Address_space *i_mapping; struct Address_space i_data; #ifdef config_quota struct Dquot *i_dquot[maxquotas]; #endif struct List_hea      D i_devices;             Union {struct Pipe_inode_info *i_pipe;             struct Block_device *i_bdev;      struct Cdev *i_cdev;       }; __u32 i_generation; #ifdef config_fsnotify __u32                  I_fsnotify_mask;              /* All Events this inode cares about */struct hlist_head i_fsnotify_marks; #endif #ifdef Config_ima atomic_t I_readcount;   /* struct Files open RO */#endif atomic_t i_writecount; #ifdef config_fs_posix_acl struct POSIX_ACL      *i_acl; struct Posix_acl *i_default_acl; #endif void *i_private; /* fs or device private pointer */};

The 2nd chapter UGO and ACL data structure

Where I_mode is the Ugo permission (User, Group, other) whose type umode_t is defined in include/linux/types.h :

typedef unsigned short          umode_t;

Visible I_mode is essentially a 16bit space, only the right 10bit is used. The Ugo access control mode describes the permissions of the file with a bit of three 3-bit bits, which is 9bit, and is preceded by a type flag as a file. Indicates whether the file or directory, each class of users accounted for 3 bits, read, write, execute permissions each with 1-bit description, with permissions, the bit is set to 1. The read, write, and execute permissions are represented by R, W, x three characters, respectively.

I_acl and I_default_acl are pointers to ACL data structures, representing both the current ACL and the default ACL, with the default ACL being the only directory, and when new files or directories are created in the directory, the new file inherits the default ACL of the parent directory.

Data structures such as POSIX_ACL are defined in the/include/linux/posix_acl.h file

struct Posix_acl_entry {      short                    e_tag;      unsigned short            e_perm;      unsigned int        e_id;}; struct Posix_acl {      atomic_t              a_refcount;      unsigned int        a_count;      struct posix_acl_entry       a_entries[0];};

Each ACL entity consists of three parts: E_tag, e_id, E_perm. E_tag represents a flag for an ACL entity, such as the user in user:tux:rwx is a e_tag. E_ID is a user or group ID that is restricted by an ACL entity, such as Tux in user:tux:rwx, which can be empty in some entities. E_perm describes the specific access rights, there are mainly rwx three kinds, which is consistent with the traditional u/g/o model. There are 6 types of E_tag in the Posix standard, namely Acl_user_obj, Acl_user,acl_group_obj, Acl_group, Acl_mask, Acl_other. The acl_user_obj is the file owner's ACL entity, Acl_group_obj is the ACL entity of the filegroup, Acl_mask is the mask ACL entity, and Acl_other is the ACL entity of the other user. The IDs of these four (one) ACL entities are empty, and the e_id of other types of ACL entities cannot be empty.

3rd Chapter related operation
The correlation function in 3.1 include/linux/posix_acl.c

Posix_acl_init (struct posix_acl *acl, int count)

Initialize an ACL

struct POSIX_ACL *posix_acl_alloc (int count, gfp_t flags)

Allocating space for an ACL

struct Posix_acl *posix_acl_clone (const struct POSIX_ACL *acl, gfp_tflags)

Copy an ACL

Int posix_acl_valid (const struct POSIX_ACL *acl)

Check the legality of an ACL

Int posix_acl_equiv_mode (const struct POSIX_ACL *acl, mode_t*mode_p)

Compare an ACL with a UGO permission

struct Posix_acl *posix_acl_from_mode (mode_t mode, gfp_t flags)

Create an ACL from UGO permissions

Posix_acl_permission (struct inode *inode, const struct POSIX_ACL*ACL, int want)

Checks whether the current process has want permissions to access the Inode

The correlation function in 3.2 include/fs/ext4/acl.c

static struct Posix_acl *ext4_acl_from_disk (const void *value,size_t size)

Remove ACLs from disk

static void *ext4_acl_to_disk (const struct POSIX_ACL *acl, size_t*size)

To deposit ACLs into disk

static struct Posix_acl *ext4_get_acl (struct inode *inode, int type)

Removing ACLs from the Inode

static int Ext4_set_acl (handle_t *handle, struct inode *inode, inttype, struct posix_acl *acl)

Depositing ACLs into Inode

int Ext4_check_acl (struct inode *inode, int mask, unsigned intflags)

Checks whether the current process has the Mask permission to access the Inode, and internally calls the Posix_acl_permission function.

4th Chapter References

The relevant data structures are found in the Linux kernel source code:





Linux3.0.0 the DAC security data structure (traditional 9Bit module, ACL mode) related to objects (such as files/directories) in the kernel

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.