
Software partition based access control list

IP.com Disclosure Number: IPCOM000190633D
Original Publication Date: 2009-Dec-09
Included in the Prior Art Database: 2009-Dec-09
Document File: 4 page(s) / 77K

Publishing Venue

IBM

Abstract

Disclosed is a mechanism for restricting access to filesystem objects by specific software partitions, based on a software-partition-based access control list.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 41% of the total text.

Page 1 of 4

Software partition based access control list

Software partitions are virtual operating system instances that share a common kernel with their own set of file systems, security services (users, groups, etc.) and other resources.

Consider the scenario where a software partition exports its filesystems to other partitions and wants to restrict access to some of the objects underneath. This would, for example, allow certain applications residing on those filesystems to be prevented from executing in particular software partitions.

Currently no mechanism exists to restrict access to specific filesystem objects with respect to software partitions. Access permissions for filesystem objects are assigned based on users, groups, roles and authorizations.

This article describes a mechanism that provides a software-partition-based access control list, which maintains the list of partitions that have specific access permissions.

File system objects consist of directories, devices, executables and data files. In the proposed solution an access control list is maintained for file system objects with respect to software partitions.

A PACL (Partition based Access Control List) consists of a series of entries called Partition Access Control Entries (PACEs). Each PACE defines the access rights for a file system object with respect to the software partitions. The access rights for a file system object are read, write, execute and disallow.

Consider the case where PartitionA exports its file system /db2 to PartitionB. The /db2 filesystem contains the db2 binaries and libraries. /db2 is exported in read-write mode, and the db2 instances that are created are placed in the same /db2 filesystem.

PartitionB creates db2 instances, performs database operations and updates the logs in the /db2 filesystem. The binaries and library files must be protected from PartitionB (restricted to execute permission only), while the log files must remain writable.

In the above case a PACE entry is maintained for the bin and lib directories with only execute permission for PartitionB. When a process in PartitionB tries to modify file objects in the bin directory of the /db2 filesystem, the system checks the PACE entry and denies the operation, since PartitionB holds only execute permission.
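The following Python model of PACL enforcement is an added illustration of the /db2 scenario and is not code from the disclosure. It assumes that a PACE on a directory covers every object beneath it, that the most specific (longest path) PACE for a partition wins, and that an object with no PACE falls back to the filesystem's ordinary permissions.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

READ, WRITE, EXEC, DISALLOW = "read", "write", "execute", "disallow"


@dataclass(frozen=True)
class PACE:
    """Partition Access Control Entry: rights one partition holds on one object."""
    path: str           # filesystem object (file, directory or device)
    partition: str      # software partition the entry applies to
    rights: frozenset   # subset of {read, write, execute}, or {disallow}


@dataclass
class PACL:
    entries: list = field(default_factory=list)
    # Assumption: with no PACE the object keeps its normal (user/group) rights.
    default: frozenset = frozenset({READ, WRITE, EXEC})

    def add(self, path, partition, *rights):
        self.entries.append(PACE(path, partition, frozenset(rights)))

    def effective_rights(self, partition, path):
        """Return the rights of the longest-matching PACE for this partition;
        a directory entry (e.g. /db2/bin) applies to everything under it."""
        target = PurePosixPath(path)
        best = None
        for e in self.entries:
            p = PurePosixPath(e.path)
            if e.partition != partition or (target != p and p not in target.parents):
                continue
            if best is None or len(p.parts) > len(PurePosixPath(best.path).parts):
                best = e
        return best.rights if best else self.default

    def check(self, partition, path, op):
        """True if a process in `partition` may perform `op` on `path`."""
        rights = self.effective_rights(partition, path)
        return DISALLOW not in rights and op in rights


def db2_scenario():
    """Constructed PACL for the text's example: PartitionA exports /db2
    read-write, but PartitionB may only execute the binaries and libraries."""
    pacl = PACL()
    pacl.add("/db2/bin", "PartitionB", EXEC)
    pacl.add("/db2/lib", "PartitionB", EXEC)
    return pacl
```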

The advantages of this mechanism are:
1) Granular access permissions can be maintained for each individual file system object with respect to software partitions.
2) Access to important filesystem objects can be restricted to only a few partitions in cases where the filesystem is shared across multiple partitions.
3) The access control list is maintained per filesystem object.
4) Different modes of permission can be granted to data files.
5) Access to certain devices can be restricted based on software partitions.
6) A high level of security is ensured for critical devices and files.

Individual filesystems can be enhanced to understand and enforce PACL....