Hans Reiser wrote: > George Beshers wrote: > >> 2) The *permissible functionality *of a file system is roughly >> speaking, the ACLs >> for all the objects in the file system. >> >> Actually, I think this is a good place to start, because the type >> "permissible >> functionality" is in fact what the mask is applied to and what is >> returned. >> Grant you evaluation is done lazily as the execution of an >> application requires it. >> > Yes. I have started re-reading withe Single UNIX Specification with getting a working definition of permissible functionality in mind. Have not gotten to Usenix papers yet or a careful search of ACM. Does anyone think there is a better starting point? Or things that are particularly important to consider? > >> 3) A user and group instantiated mask forms an *operational set of >> functionality*. >> >> What is important here is to recognize that a given executable >> may have >> different apparent functionality based on who is running it. > > > I think not in our particular niche. We do process oriented security, > and that is all for now. Later we can make it more complex. We can't avoid it at some level without re-writing Linux security. Take a moment to consider the set-UID bit on a file which is an executable and I think you will see what I am driving at. That said, all we need to do is make our specification conform to the smallest code change for the time being, e.g., the identity mask---what was happening before is what you get. NB. I understand that the overriding goal of the first 3 months is devising and demonstrating that we have a strategy that scales to file systems containing millions of files---but I don't think we can lose any semantics as fundamental as user/group permissions without inviting criticism. > >> >> >> >> Well, for the moment only more questions: >> >> Suppose we have a file system and a mask. If we were to create a >> chroot by copying just >> the file system > > > semantic tree (not files, just filenames) > >> accessible through the mask and run the application in that environment >> would the semantics of running the application on the original file >> system with the mask >> by equivalent. By equivalent I mean no observable difference in the >> instructions executed >> at the user level or the output generated. > > > No, because new files might be made visible through the mask without > the new file creator even being aware that there was a mask. I don't think my question was very clear ... For any process, could that process determine if it was running * on a reiser4 file system that is really the root * on a reiser4 file system with a mask, or * on a reiser4 file system with chroot /exclusively/ by making calls to the reiser4 file system? > >> >> Does the question make sense? > Uh no... :-[