IBM 10 SP1 EAL4 Server User Manual


 
5.1.2.1.1.1 Access Control Lists
ACLs provide a way of extending directory and file access restrictions beyond the traditional owner, group,
and world permission settings. An ACL is stored as an EA of the file (system.posix_acl_access, plus
system.posix_acl_default for the default ACL of a directory). For more details about the ACL format, refer
to Discretionary Access Control, Section 5.1.5, of this document, and section 6.2.4.3 of the SLES Security
Target document. ext3 stores EAs in disk blocks allocated outside of the inode.
In addition to EAs, ext3 keeps a set of per-inode attribute flags in the inode itself (displayed with lsattr
and changed with chattr). Two of these flags are security relevant:
Immutable: if this flag is set, the file cannot be modified, no hard link can be created to it, and it
cannot be renamed or removed.
Append only: if this flag is set, the file can only be opened for writing in append mode (O_APPEND), so
existing content cannot be overwritten or truncated, and the file cannot be renamed or removed. The
append-only flag is useful for system logs.
Only an administrator, that is, a process holding the CAP_LINUX_IMMUTABLE capability, can set or clear
either flag.
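The following Python is an added example, not code from this document or from the evaluated SLES system. It shows the layout of an ACL as stored in the system.posix_acl_access EA (a u32 version header followed by one u16 tag, u16 permission, u32 id record per entry) and how the ACL entries extend the owner/group/other check. The ACL_* constants follow the Linux posix_acl.h and posix_acl_xattr.h headers; the access check mirrors the algorithm of posix_acl_permission() in fs/posix_acl.c and deliberately ignores capability overrides such as CAP_DAC_OVERRIDE. All function names and the sample ACL are this example's own, and the sample EA value is constructed inline rather than read from a file system.

```python
import os
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constants from include/linux/posix_acl.h and posix_acl_xattr.h.
POSIX_ACL_XATTR_VERSION = 0x0002
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ = 0x01, 0x02, 0x04
ACL_GROUP, ACL_MASK, ACL_OTHER = 0x08, 0x10, 0x20
ACL_UNDEFINED_ID = 0xFFFFFFFF           # e_id of entries without a qualifier
ACL_READ, ACL_WRITE, ACL_EXECUTE = 0x04, 0x02, 0x01
TAG_NAMES = {ACL_USER_OBJ: "user", ACL_USER: "user", ACL_GROUP_OBJ: "group",
             ACL_GROUP: "group", ACL_MASK: "mask", ACL_OTHER: "other"}


@dataclass
class AclEntry:
    tag: int    # one of the ACL_* tag values
    perm: int   # OR of ACL_READ / ACL_WRITE / ACL_EXECUTE
    id: int     # uid or gid for ACL_USER / ACL_GROUP, else ACL_UNDEFINED_ID


def build_acl_xattr(entries: List[AclEntry]) -> bytes:
    """Serialize in the little-endian EA layout: u32 version, then 8-byte records."""
    blob = struct.pack("<I", POSIX_ACL_XATTR_VERSION)
    for e in entries:
        blob += struct.pack("<HHI", e.tag, e.perm, e.id)
    return blob


def parse_acl_xattr(blob: bytes) -> List[AclEntry]:
    """Decode an EA value, rejecting lengths, versions and bits the kernel rejects."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("malformed ACL xattr: bad length")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != POSIX_ACL_XATTR_VERSION:
        raise ValueError(f"unsupported ACL xattr version {version:#x}")
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, eid = struct.unpack_from("<HHI", blob, off)
        if tag not in TAG_NAMES or perm & ~(ACL_READ | ACL_WRITE | ACL_EXECUTE):
            raise ValueError(f"malformed ACL entry at offset {off}")
        entries.append(AclEntry(tag, perm, eid))
    return entries


def perm_str(perm: int) -> str:
    return "".join(c if perm & bit else "-" for c, bit in
                   (("r", ACL_READ), ("w", ACL_WRITE), ("x", ACL_EXECUTE)))


def format_acl(entries: List[AclEntry]) -> List[str]:
    """Render entries in getfacl's short form, e.g. 'user:1001:rw-'."""
    return [f"{TAG_NAMES[e.tag]}:{e.id if e.tag in (ACL_USER, ACL_GROUP) else ''}:"
            f"{perm_str(e.perm)}" for e in entries]


def acl_permits(entries, uid, gids, owner_uid, owner_gid, want) -> bool:
    """Access decision after posix_acl_permission(): named-user and group entries
    are filtered through the mask entry, the owner and other entries are not."""
    def find(tag):
        return next((e for e in entries if e.tag == tag), None)
    mask = find(ACL_MASK)

    def masked(perm):
        return perm if mask is None else perm & mask.perm

    if uid == owner_uid:                                  # 1. file owner
        return (find(ACL_USER_OBJ).perm & want) == want
    for e in entries:                                     # 2. named user
        if e.tag == ACL_USER and e.id == uid:
            return (masked(e.perm) & want) == want
    in_some_group = False                                 # 3. owning group / named groups
    for e in entries:
        if (e.tag == ACL_GROUP_OBJ and owner_gid in gids) or \
           (e.tag == ACL_GROUP and e.id in gids):
            in_some_group = True
            if (e.perm & want) == want:                   # first granting entry decides,
                return (masked(e.perm) & want) == want    # subject to the mask
    if in_some_group:
        return False            # member of some group entry, but none granted the request
    return (find(ACL_OTHER).perm & want) == want          # 4. everyone else


def read_acl_from_path(path: str) -> Optional[List[AclEntry]]:
    """On a live system: fetch the EA the ACL lives in; None if only mode bits exist."""
    try:
        return parse_acl_xattr(os.getxattr(path, "system.posix_acl_access"))
    except OSError:
        return None


# Constructed sample EA value, equivalent to `setfacl -m u:1001:rw,g:2001:rwx,m::r`
# on a file owned by uid 1000 / gid 1000 with mode rw-r-----.
SAMPLE_ACL_XATTR = build_acl_xattr([
    AclEntry(ACL_USER_OBJ, ACL_READ | ACL_WRITE, ACL_UNDEFINED_ID),
    AclEntry(ACL_USER, ACL_READ | ACL_WRITE, 1001),
    AclEntry(ACL_GROUP_OBJ, ACL_READ, ACL_UNDEFINED_ID),
    AclEntry(ACL_GROUP, ACL_READ | ACL_WRITE | ACL_EXECUTE, 2001),
    AclEntry(ACL_MASK, ACL_READ, ACL_UNDEFINED_ID),
    AclEntry(ACL_OTHER, 0, ACL_UNDEFINED_ID),
])

if __name__ == "__main__":
    acl = parse_acl_xattr(SAMPLE_ACL_XATTR)
    print("\n".join(format_acl(acl)))
    # uid 1001 holds rw- in its own entry, but the mask r-- strips the write bit.
    print("uid 1001 may write:", acl_permits(acl, 1001, {1001}, 1000, 1000, ACL_WRITE))
```

The sample makes the mask semantics visible: the named user 1001 and the named group 2001 are both granted write in their entries, yet neither can write, because the mask entry (which is what the group bits of the classic mode reflect once an ACL is present) limits every named-user and group entry to read. The owner entry is exempt from the mask, so uid 1000 still writes.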
5.1.2.1.2 Data structures
The following data structures and inode operations illustrate how the ext3 file system performs DAC and
object reuse.
ext3_super_block: The on-disk counterpart of the VFS superblock structure. ext3_super_block stores
file system-wide information such as the total number of inodes, the block size, and the fragment size.
Figure 5-7: Security attributes, extended security attributes, and data blocks for the ext3 inode