Extended Attributes and Access Control Lists

Many filesystems provide features that extend the standard functionality offered by the VFS layer. The virtual filesystem cannot supply specific data structures for every feature that might be imagined, and filesystem developers are not exactly short of new ideas. Features that go beyond the standard Unix file model often require an extended set of attributes associated with every filesystem object. What the kernel can provide is a framework for such filesystem-specific extensions. Extended attributes (xattrs) are (more or less) arbitrary name/value pairs that can be associated with a file. Since a given file usually possesses only a small subset of all possible extended attributes, they are stored outside the regular inode data structure so that the inode does not grow in memory and no disk space is wasted on unused attributes. This allows a genuinely generic set of attributes without any significant impact on filesystem performance or disk space requirements. From user space, extended attributes are read and written with the getxattr, setxattr, listxattr and removexattr system calls; the prefix of an attribute name (user., trusted., security. or system.) selects a namespace with its own access rules, so that, for example, the trusted namespace can only be modified by processes holding CAP_SYS_ADMIN.

One use of extended attributes is the implementation of access control lists (ACLs), which extend the Unix-style permission model: they allow finer-grained access rights by supplementing the three classes user, group, and others with an explicit list of named users and groups and the operations each of them is allowed to perform on the file. Such lists fit naturally into the extended attribute model; Linux stores the POSIX ACL of a file in the system.posix_acl_access attribute (and the default ACL inherited by new entries of a directory in system.posix_acl_default). Another use of extended attributes is to hold the security labels that SELinux attaches to files.
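To make the relationship between the two concrete, the following program, an added example that is not code from the book or from the kernel, decodes the binary value that the kernel keeps in the system.posix_acl_access attribute and then evaluates an access request against it, following the decision procedure of the kernel's posix_acl_permission(). The blob layout (version header followed by tag/permission/id entries, little-endian) is the one declared in include/uapi/linux/posix_acl_xattr.h; the sample blob, the owner ids and the callers are constructed for the example, and the credentials that the kernel would take from the inode and from current_cred() are passed as plain parameters.

```c
/* Added example, not from the book: decode the blob that Linux stores in the
 * "system.posix_acl_access" extended attribute and evaluate an access request
 * against it following the kernel's posix_acl_permission(). Layout, from
 * include/uapi/linux/posix_acl_xattr.h, all little-endian:
 *   u32 a_version (== 2), then entries of { u16 e_tag; u16 e_perm; u32 e_id; }
 * Owner uid/gid and caller credentials are plain parameters here; in the
 * kernel they come from the inode and from current_cred(). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ACL_USER_OBJ = 0x01, ACL_USER = 0x02, ACL_GROUP_OBJ = 0x04,
       ACL_GROUP = 0x08, ACL_MASK = 0x10, ACL_OTHER = 0x20 };
enum { ACL_EXECUTE = 1, ACL_WRITE = 2, ACL_READ = 4 };
#define POSIX_ACL_XATTR_VERSION 2u
#define ACL_UNDEFINED_ID 0xffffffffu
#define ACL_MAX_ENTRIES 32

struct acl_entry { uint16_t tag, perm; uint32_t id; };
struct acl { size_t count; struct acl_entry e[ACL_MAX_ENTRIES]; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Parse an ACL xattr value and apply the structural checks of posix_acl_valid()
 * (one owner/group/other entry each, a mask whenever named entries exist);
 * returns the entry count or -1. Canonical tag order is assumed, not enforced. */
int acl_parse(const uint8_t *buf, size_t len, struct acl *acl)
{
    int uobj = 0, gobj = 0, other = 0, mask = 0, named = 0;
    if (len < 4 || (len - 4) % 8 || le32(buf) != POSIX_ACL_XATTR_VERSION) return -1;
    acl->count = (len - 4) / 8;
    if (acl->count > ACL_MAX_ENTRIES) return -1;
    for (size_t i = 0; i < acl->count; i++) {
        struct acl_entry *e = &acl->e[i];
        const uint8_t *p = buf + 4 + 8 * i;
        e->tag = le16(p); e->perm = le16(p + 2); e->id = le32(p + 4);
        if (e->perm & ~7u) return -1;                 /* only rwx bits are defined */
        switch (e->tag) {
        case ACL_USER_OBJ:  uobj++;  break;
        case ACL_GROUP_OBJ: gobj++;  break;
        case ACL_OTHER:     other++; break;
        case ACL_MASK:      mask++;  break;
        case ACL_USER: case ACL_GROUP:                /* named entries carry a uid/gid */
            if (e->id == ACL_UNDEFINED_ID) return -1;
            named++; break;
        default: return -1;
        }
    }
    if (uobj != 1 || gobj != 1 || other != 1 || mask > 1 || (named && !mask)) return -1;
    return (int)acl->count;
}

static int in_groups(uint32_t gid, const uint32_t *groups, size_t n)
{ for (size_t i = 0; i < n; i++) if (groups[i] == gid) return 1; return 0; }

/* 0 if the caller (uid, groups[]) holds every bit of `want` on an object owned by
 * owner_uid:owner_gid, -EACCES otherwise. Note the asymmetries of POSIX ACLs: the
 * owner entry is never masked, the first matching group entry whose bits suffice
 * wins, and a group that matched but lacked bits denies before "other" is tried. */
int acl_permission(const struct acl *acl, uint32_t owner_uid, uint32_t owner_gid,
                   uint32_t uid, const uint32_t *groups, size_t ngroups, unsigned want)
{
    const struct acl_entry *match = NULL;
    int found_group = 0, masked = 0;
    for (size_t i = 0; i < acl->count && !match; i++) {
        const struct acl_entry *e = &acl->e[i];
        uint32_t gid = e->tag == ACL_GROUP_OBJ ? owner_gid : e->id;
        switch (e->tag) {
        case ACL_USER_OBJ: if (uid == owner_uid) match = e; break;
        case ACL_USER:     if (uid == e->id) { match = e; masked = 1; } break;
        case ACL_GROUP_OBJ: case ACL_GROUP:
            if (in_groups(gid, groups, ngroups)) {
                found_group = 1;
                if ((e->perm & want) == want) { match = e; masked = 1; }
            }
            break;
        case ACL_MASK: break;
        case ACL_OTHER: if (found_group) return -EACCES; match = e; break;
        }
    }
    if (!match) return -EIO;                          /* cannot happen for a valid ACL */
    unsigned effective = match->perm;
    if (masked)                                       /* mask caps named and group entries */
        for (size_t i = 0; i < acl->count; i++)
            if (acl->e[i].tag == ACL_MASK) effective &= acl->e[i].perm;
    return (effective & want) == want ? 0 : -EACCES;
}

/* Constructed sample: what getxattr(path, "system.posix_acl_access", ...) returns
 * for a file owned by 1000:1000 with
 *   user::rw- user:1001:rw- group::r-- group:2000:rwx mask::r-- other::--- */
static const uint32_t SAMPLE_OWNER_UID = 1000, SAMPLE_OWNER_GID = 1000;
static const uint8_t SAMPLE_ACL[] = {
    0x02, 0x00, 0x00, 0x00,                          /* a_version = 2   */
    0x01, 0x00, 0x06, 0x00, 0xff, 0xff, 0xff, 0xff,  /* user::rw-       */
    0x02, 0x00, 0x06, 0x00, 0xe9, 0x03, 0x00, 0x00,  /* user:1001:rw-   */
    0x04, 0x00, 0x04, 0x00, 0xff, 0xff, 0xff, 0xff,  /* group::r--      */
    0x08, 0x00, 0x07, 0x00, 0xd0, 0x07, 0x00, 0x00,  /* group:2000:rwx  */
    0x10, 0x00, 0x04, 0x00, 0xff, 0xff, 0xff, 0xff,  /* mask::r--       */
    0x20, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,  /* other::---      */
};

int sample_entry_count(void) { struct acl a; return acl_parse(SAMPLE_ACL, sizeof SAMPLE_ACL, &a); }
int sample_rejects_truncation(void) { struct acl a; return acl_parse(SAMPLE_ACL, sizeof SAMPLE_ACL - 1, &a) < 0; }

/* Check `want` for a caller with uid and one supplementary group (ACL_UNDEFINED_ID: none). */
int sample_check(uint32_t uid, uint32_t group, unsigned want)
{
    struct acl a;
    if (acl_parse(SAMPLE_ACL, sizeof SAMPLE_ACL, &a) < 0) return -EIO;
    return acl_permission(&a, SAMPLE_OWNER_UID, SAMPLE_OWNER_GID, uid, &group,
                          group == ACL_UNDEFINED_ID ? 0 : 1, want);
}

int main(void)
{
    static const char *names[] = { [ACL_USER_OBJ] = "user", [ACL_USER] = "user",
        [ACL_GROUP_OBJ] = "group", [ACL_GROUP] = "group", [ACL_MASK] = "mask", [ACL_OTHER] = "other" };
    struct acl a;
    if (acl_parse(SAMPLE_ACL, sizeof SAMPLE_ACL, &a) < 0) return 1;
    for (size_t i = 0; i < a.count; i++) {            /* getfacl-style listing */
        const struct acl_entry *e = &a.e[i];
        printf("%s:", names[e->tag]);
        if (e->id != ACL_UNDEFINED_ID) printf("%u", e->id);
        printf(":%c%c%c\n", e->perm & ACL_READ ? 'r' : '-',
               e->perm & ACL_WRITE ? 'w' : '-', e->perm & ACL_EXECUTE ? 'x' : '-');
    }
    printf("uid 1001 write: %s (mask::r-- caps user:1001:rw-)\n",
           sample_check(1001, ACL_UNDEFINED_ID, ACL_WRITE) ? "denied" : "granted");
    return 0;
}
```

The sample ACL is chosen so that the mask entry matters: user 1001 is listed with rw-, but because mask::r-- caps every named-user and group entry, a write request from uid 1001 is refused while a read succeeds, and a member of group 2000 is likewise held to read access despite the rwx in its entry. The owner entry is exempt from the mask, which is why the owner keeps write access. Note also that a caller who matches a group entry with insufficient bits is denied outright rather than falling through to the other entry; this is the behaviour of the kernel's routine, not an optimisation of the example. The parser enforces the structural rules of the kernel's posix_acl_valid() (one entry per base class, a mask once named entries appear) but, to stay short, assumes rather than checks the canonical tag order.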

