STORAGE

Compiling Linux kernel with Rich ACL support

Anoop C SLeave a comment

I don’t know how many of you have heard about Rich ACL or Rich Access Control Lists. Most of you might have heard about NFS protocol i.e, the Network File System protocol. This particular protocol, with its v4.0 and above defines a particular set of ACLS known as NFSv4 ACLs. Rich ACL is a modified or an extended form of NFSv4 ACLs. Let me explain in brief on what do we mean by ACLs.

ACL or Access Control List ?
This is a list of permissions attached to an object. The object can be file, directories and so on. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

ACLs and Linux
Linux follows the POSIX 1003.1e draft 17 standard for defining and storing ACLs. Even then in linux, getfacl and setfacl command line utilities do not strictly follow POSIX 1003.2c draft 17, which shows mostly in the way they handle default ACLs. For detailed explanation on how ACLs are defined and how they work in linux, please see http://users.suse.com/~agruen/acl/linux-acls/online/ .

Variations in ACL implementations
The ACL model implemented by the various versions of Windows is more powerful and complex than POSIX ACLs, and differs in several aspects. These differences create interoperability problems on both sides which is a disadvantage for UNIX-like systems. To address this issue, several UNIX-like systems started to support additional ACL models based on version 4 of the the Network File System (NFSv4) protocol specification. Linux is lacking this support so far. Following are some of the differences between various ACLs

* POSIX standard can allow only ALLOW access. Windows and NFSv4 ACLs can have either ALLOW or DENY access.
* Order of POSIX ACL entries are not significant and is additive whereas Windows and NFSv4 ACLs require significance in their order.
* POSIX model contains only 3 general permission bits. On the other side, Windows and NFS uses more in-depth permission bits which numbers upto 12 or 14.

Why then Rich ACL for Linux ?
There are two main reasons for adopting a new ACL model for Linux:
[1] POSIX standrad is limited by its small set of permission bits and additive ALLOW-only semantics.
[2] Interface mismatch between POSIX ACLs and the ACL models provided by Windows system.

To bring together the disparate models and address inter- operability issues, Rich ACL was proposed whose detailed explanation can be found at https://www.kernel.org/doc/ols/2010/ols2010-pages-19-32.pdf .

How to build a running kernel with Rich ACL support ?
In order to build a complete linux system with Rich ACL support, you need to have both kernel and userspace sides properly setup. Follow the guidelines listed below to compile, build and run a kernel with Rich ACL support:

[1] Clone the following kernel git tree for Rich ACL
http://git.kernel.org/pub/scm/linux/kernel/git/agruen/linux-richacl.git/

[2] cd into the cloned directory and checkout to a branch with name under the format richacl-yyyy-mm-dd

[3] Copy an existing kernel config file from /boot/. Usually it will be listed as /boot/config-`uname -r`
$ cp /boot/config-`uname -r` .config

[4] Add the Rich ACL configuration variable.
$echo CONFIG_EXT4_FS_RICHACL=y >> .config

[5] Run the following
$ make olddeconfig
$ make -jX
Note:- Make sure the you replace X with a number equal to the number of CPU cores available in your system
Now sit-back and relax as it takes some time to compile the various modules.

[6] Install the kernel using the following commands. Please note that kernel installation uses the installkernel command to complete the whole process. For Ubuntu, its there by default and for rpm based distros you need to install grubby, which will include this particular binary.
$ make modules_install install

Now you can reboot and select the newly built kernel from grub menu. Hmm..! only half is done. The next step is to install the userspcace-tools and other utilities to support Rich ACL. The following installations are based on gnu Makefiles and related targets. Please read the INSTALL file from each repository for detailed instructions.

[1] Clone the following repository for librichacl and install it. This library helps you to run the alternative commands for setfacl and getfacl in richacl model as setrichacl and getrichacl.
https://github.com/andreas-gruenbacher/richacl

[2] Clone and install the coreutils repository to provide support for commonly used commands like ls, cp, mv etc. Use the richacl branch.
https://github.com/andreas-gruenbacher/coreutils

[3] Build and install a version of E2fsprogs from the following link with richacl feature flag support. Again checkout to richacl branch before proceeding to configure and make install.
https://github.com/andreas-gruenbacher/e2fsprogs

[4] Enable richacl feature flag for required ext4 partition
$tune2fs -O richacl /dev/filesystem
Replace filesystem with your partition name.

Done..? Yeah.. Now its time for testing the functionaltiy. Some usual checks are as follows:

$ tune2fs -l /dev/filesystem | grep acl
A sample output is as follows
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg richacl sparse_super huge_file uninit_bg dir_nlink extra_isize
Default mount options:    user_xattr acl

If you couldn’t see “acl” listed in the default mount options, then remount the file system with acl support as given below:
$ mount -o remount,acl <mount-point>

That’s all for now. Now you can try out some practical examples given at http://www.bestbits.at/richacl/examples.html in order to understand Rich ACLs in a more practical way.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s