0% found this document useful (0 votes)

52 views

Efficiently Supporting Attribute-Based Access Control in Linux

Uploaded by

lulu Han

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

52 views

Efficiently Supporting Attribute-Based Access Control in Linux

Uploaded by

lulu Han

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 15

This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2023.3299429

Efficiently Supporting Attribute-based Access

Control in Linux
H.O Sai Varshith, Shamik Sural, Jaideep Vaidya, and Vijayalakshmi Atluri

Abstract—Linux is a widely used multi-user operating system with applications ranging from personal desktop to commercial heavy
duty web servers. It has built-in security features based on discretionary access control enforced in the form of access control lists,
which can be enhanced using the Linux Security Module (LSM) Framework. LSM allows inserting security verification hooks for
supporting custom security policies. However, there is no support yet for Attribute-Based Access Control (ABAC) - an access control
model gaining popularity due to its dynamic nature and flexibility. In ABAC, access is granted or denied based on attributes of the
subject, object and environment. In this work, we propose a method for enhancing Linux’s security features by integrating ABAC for file
system objects using the LSM framework. We look at various kernel and user space components and how they can be made to work
together to enforce ABAC policies. Different algorithms and data structures for efficient access request resolution are also investigated.
Finally, we carry out extensive performance evaluation of the ABAC-enabled Linux system and discuss its results.

Index Terms—Access Control, ABAC, Linux Security Module, File System Security, Access Resolution

1 I NTRODUCTION that capture various properties of the subjects, objects and

Linux, which is a multi-user operating system, has several environmental conditions of a system.
built-in security features, one of which is Discretionary DAC works well for relatively smaller systems with low
Access Control (DAC) based file access. In DAC, files and number of users and objects since users typically can handle
directories in the system are owned by a user and a group. a limited set of objects. However, as the number of users
The owner has the ability to assign permissions to other and objects increases, assigning permissions via groups and
users. Linux also provides Access Control Lists (ACLs), ACLs becomes difficult to manage. Similarly, in RBAC, as
which extend DAC permissions by enabling the owners of the number of users and objects increases, the number of
a file/directory to assign different permissions to individual roles reaches a point where it becomes unmanageable. Such
users for even finer control. The kernel provides a Linux a phenomenon is referred to as role explosion [7], [8] and is
Security Module (LSM) framework that allows implemen- very common in large enterprises with multiple domains
tation of custom mandatory access control based security of operation. Thus, DAC and RBAC typically become error-
modules in which users are granted access to resources prone and time-consuming as system complexity increases.
based on a centrally defined security policy. Security En- ABAC solves this difficulty with the help of attributes
hanced Linux (SELinux) [1] and AppArmor [2] are two and a centrally defined policy. Users can manage attributes
popular examples of LSMs. of the objects they own. Some systems automatically assign
Role-Based Access control (RBAC) is another popular common attributes like file-type, date modified, etc. It pre-
access control method, widely used in web-applications vents the need for users to assign permissions to individual
and has shown to improve efficiency of access control objects as in DAC. In ABAC, administrators are responsible
administration [3]. In RBAC, users are assigned roles, and for managing attributes and policy. Attributes provide much
appropriate permissions are included in those roles. Access finer control than roles and avoid the problem of role
control decisions are made based on the permissions of the explosion in RBAC. Besides circumventing the challenges
roles rather than those of the users. In Linux, a limited of DAC and RBAC, ABAC also introduces the concept of
implementation of RBAC can be achieved through SELinux environmental attributes which lets administrators define
[4], [5]. Attribute-Based Access Control (ABAC) is a rela- dynamic policies whose permissions change based on the
tively new access control model [6] with an expanding user system’s environmental situation. In contrast to DAC based
base due its dynamic nature and ability to support fine- on ACLs, which is static, environmental attributes provide
grained policies. In ABAC, access control decisions are made dynamic access control based on the current system state.
using the notion of attributes, which are name-value pairs Environmental attributes constitute a unique property of
ABAC and requires sophisticated mechanisms to emulate
• H. Varshith and S. Sural are with the Department of Computer Science in DAC or RBAC.
and Engineering, Indian Institute of Technology, Kharagpur, India. The primary problem considered in this article is
E-mail: [email protected] and [email protected] whether and how ABAC can be supported in Linux. We
• J. Vaidya and V. Atluri are with the MSIS Department, Rutgers Univer- had introduced an initial approach in [9], where a simple
sity, Newark, USA.
E-mail: [email protected] and [email protected] linked-list based implementation and its preliminary results
were presented. In contrast, the current work focuses on the
efficiency aspect of enabling ABAC in Linux. We present

Authorized licensed use limited to: Jinan University. Downloaded on September 01,2023 at 15:12:10 UTC from IEEE Xplore. Restrictions apply.
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2023.3299429

improved access resolution data-structures and algorithms the kernel at build-time and can be activated/deactivated at
in detail along with the results of extensive performance boot-time. Currently, the official kernel source includes eight
studies. LSMs (Capabilities, AppArmor, LoadPin, SELinux, Smack,
The rest of the paper is organized a follows. Section 2 Tomoyo, Yama and SafeSetID). LSM vendors also provide
briefly presents some of the preliminaries and relevant con- user space tools and libraries to interact with the LSM.
cepts of Linux. Section 3 describes the research challenges
faced and how Linux LSM is effectively used to handle
them. In Section 4, we propose two novel methods for
efficiently resolving access. System level design is presented
in detail in Section 5. Section 6 explains the deployment
procedure for the proposed system. Section 7 presents per-
formance results of the system and Section 8 discusses
related work in the field. Finally, Section 9 concludes the
paper, providing directions for future research.

2 P RELIMINARIES
In this section, we first discuss the user management proce-
dure in Linux along with the LSM framework and different
background services available in Linux. We then briefly
introduce the various components of ABAC.

2.1 Users and Authentication

Users in Linux are entities who log in and use system
resources to perform various operations. They are uniquely
Fig. 1: Linux Security Module Hooks control flow
identified by their user ids which are commonly used for
Flow of control in a hypothetical system where three LSMs
access checks. Some user ids are reserved for special users.
A, B and C have registered hooks for a system call. Note
For example, the root user is always assigned user id 0.
that the DAC checks are performed before calling
There are two common user management systems for Linux
registered LSM hooks.
- centralized and standalone. In centralized user manage-
ment, user accounts are stored in a central server which The traditional group based permission model is imple-
uses a directory service like Lightweight Directory Access mented by the capabilities LSM, which is always active.
Protocol (LDAP) [10]. In standalone user management, user Most LSMs extend the capabilities module rather than
account information is stored in text files on the system. The overriding or disabling it since many existing applications
standalone authentication model is available by default in have dependencies on it. When multiple LSMs are active,
most Linux distributions. In this paper, we consider only the hooks of each LSM are called one after the other as
the standalone user management model based on username shown in Figure 1. If access is denied by a hook, then access
and password authentication. is immediately denied and remaining hooks are not called.
Therefore, if an object is covered by the security policy of
2.2 Linux Security Module Framework multiple LSMs, access should be granted by all the covering
The DAC model of Linux can be enhanced with the Linux LSMs.
Security Module framework (LSM) [11]. LSM allows writing
kernel extensions to implement custom security models. It 2.3 Background Services in Linux
inserts hooks at various points in the kernel where a user- The init daemon is the first process executed by the Linux
level system call can result in an access to objects that are Kernel with process ID (PID) always set to 1. Its pur-
protected by the security policy. The need for modifying pose is to initialize, manage and track system services and
system calls directly to insert access control checks is thus daemons. There are two popular init daemons - Init (also
eliminated. Such an approach avoids making changes to known as System V init, or SysVinit) and Systemd. Systemd
the kernel in different locations and provides a uniform (System Daemon) starts services in parallel which avoids
interface for implementing custom security checks. Hooks unnecessary delays, thus speeding up system initialization.
are C language [12] methods that return 0 if access is Systemd also allows services to define their dependencies on
granted or error code EPERM otherwise (which results in other services and the order in which services should start.
an "Operation not permitted" error). The set of available There are two types of systemd services, namely, System
hooks for different types of objects is predefined by the LSM and User. System services are managed by the system-wide
API. LSMs provide definitions for a subset of the available instance of systemd (with PID 1), whereas User services
hooks based on the coverage of the security policy being are managed by per-user instances of systemd. The system-
enforced. LSMs are stack-able, i.e., multiple LSMs can be wide instance has root access and is always running in the
active simultaneously. background but user instances start when the user logs in
Unlike normal kernel modules, LSMs cannot be loaded and stop when the user logs out.
or unloaded on demand. Instead, they are compiled into

2.4 Attribute-Based Access Control systems. Unfortunately, this API does not provide the file
As mentioned before, Attribute-Based Access Control access mode, and only notifies that a file has been accessed.
(ABAC) [6] is an access control model in which access is The next option is to modify the Virtual File System (VFS),
granted based on a policy defined in terms of attributes of which is a core kernel component and serves as an abstrac-
the subject and the object, and also of the environmental tion layer for the various file systems supported by Linux
condition such as time, location, system load, etc. Attributes (ext4, ext3, zfs, etc.). It is responsible for all file system
are name-value pairs describing properties of entities in operations including security checks. However, modifying
a system. A policy is a set of rules written in terms of the VFS directly can severely impact the kernel’s stability as
attributes and access is granted if at least one rule in the well as performance, and is therefore strongly discouraged.
policy is satisfied. This led us to use the LSM framework which provides hook
Consider the example ABAC rule, IF subject’s designation methods [16] that perform security checks when files of
is student AND object’s type is assignment AND today is a interest are accessed. An advantage of this approach is that
weekday THEN allow READ access. Such a rule states that its overhead characteristics are well-studied [17]. Both PEP
a student can read an assignment during weekdays. In this and PDP are represented in a single LSM hook, enabling us
example, ⟨designation, student⟩, ⟨type, assignment⟩, ⟨today, to implement ABAC as an extension to the kernel, making it
weekday⟩ are attribute-value pairs of the subject, object more flexible, portable and easier to maintain and distribute
and environment, respectively, while READ is the permit- when compared to directly patching the kernel.
ted mode of access. Another possible rule is IF subject’s Placement of the Policy Information Point (PIP), which
designation is faculty AND object’s type is assignment AND provides attributes and policy, is the next research challenge.
today is a weekend THEN allow READ access. Since an ABAC PIP should be accessible to PEP with very low latency. We
policy is comprised of multiple rules of the form described explored a netlink based approach where ABAC data is
above, the most straightforward approach is to evaluate the stored in user space (on the disk) and a background service
rules sequentially [9]. For each rule, all the conditions are resolves access requests. In this method, PEP (LSM hook)
verified and the rule is considered to be satisfied if all its sends object and user information to the service and receives
individual conditions are satisfied. Access to a requested access decision via netlink sockets. But this method is too
object is denied if none of the rules in the ABAC policy is slow due to the inherent latency of netlink sockets. This
satisfied. For an ABAC policy comprised of the two rules led us to designing in-memory kernel data structures which
above, if a student attempts to READ an assignment on a represent ABAC data so that requests can be resolved within
weekend, the access would be denied. the kernel itself. Such an approach eliminates any latency
Environmental attributes allow administrators to define issues since both PEP and PIP belong to the same address
dynamic rules, which is a unique feature of ABAC. It space. The kernel data structures are generated using the
enables fine-grained and identity-agnostic access control, security file system API provided by Linux. The placement
and hence is quickly gaining in popularity. Currently, an of PDP, PEP and PIP is shown in Figure 3.
implementation of ABAC for Linux is not available. Ensuring efficiency of the proposed method is yet an-
other challenge that had to be resolved. The hook method is
called for each file read/write, which occurs quite frequently.
3 E NHANCING ACCESS C ONTROL IN L INUX WITH Therefore, it must be extremely fast to avoid degrading
ABAC system performance. The performance of the hook method
In this section, we discuss the research challenges involved, is affected by the following factors.
followed by our proposal for an ABAC system for file 1) Preliminary checks - In the proposed system, ABAC is
system objects in Linux. We look at the initial setup and enabled only for files in a shared directory and only for
each component of the proposed system in detail and how non-root users. The check for whether an object is cov-
attributes and policies are managed. A high level overview ered by ABAC is done using the object’s absolute path,
of the LSM based approach is given in Figure 2. which is obtained from the dentry argument passed to
the hook method. The user’s id is fetched using a kernel
provided method. Therefore, the performance of this
3.1 Research Challenges
step is outside our control and could not be further
Placement of the Policy Enforcement Point (PEP) and the optimized.
Policy Decision Point (PDP) are the primary challenges in 2) Fetching Attributes - Data structures used by PIP have
designing ABAC support in Linux. PEP is responsible for a significant effect on the performance. We use hash-
intercepting incoming access requests while PDP resolves tables (provided by the kernel hashtable API) for map-
them. Flexibility (compatibility with different versions of ping users and objects to their ABAC data structures
Linux) and portability (independent of hardware specifica- (discussed later).
tions) are two important factors to be taken into consid- 3) Access Resolution - The final step is to resolve requests
eration. One possibility is to use a user space file system and make access control decisions. Efficiency of this
like FUSE [13]. However, it would limit ABAC to a single step depends on the data structures used to represent
file system. It is also slower due to the overhead of the ABAC attributes as well as the policy, and also on the
FUSE layer. The next user space level option is to use the algorithms used for access resolution. We propose a
fanotify [14], [15] API provided by Linux which allows us covering rule set based method and an access control
to intercept file system events and make security decisions. tree based approach, both of which aim to reduce the
It is heavily used in anti-virus software targeting Linux number of comparisons, thus speeding up resolution.

Fig. 2: High level overview of the ABAC LSM

Creation of shared directory and setting up of appropriate

permissions are automatically performed by a script for
installing ABAC user space tools. We use the following
permissions on the shared directory -
i Any user in the abac group should have read-write-
execute permissions.
ii stickybit option is enabled so that only the owner of a
file can remove/rename it.
iii setguid option is enabled so that files in this directory
inherit the abac group’s id. Such an approach avoids the
need for switching to the abac group before working
with the shared directory.

3.3 ABAC LSM

The ABAC Linux Security Module developed by us is the
core component of our approach. In the proposed method,
the LSM code is patched into the kernel tree and enabled
Fig. 3: Placement of PDP, PEP and PIP during build-time configuration. Once the kernel is built
with ABAC LSM enabled, it is automatically loaded on
system boot. ABAC LSM is a path-based security module,
3.2 Initial System Configuration meaning that it identifies objects based on the absolute path
By default, each user of a Linux system has her own di- of the file in the system. It uses the file_permission(struct
rectory, called the home directory, under /home, which is file *file, int mask) to perform access control check
accessible only by the owner. It is possible to give access to for file operations. This hook allows verification during
other users for files in a user’s home directory. However, read/write events for an already open file. The first ar-
this can create confusion and cause security breaches, if not gument to the hook - struct file *file is a pointer to
managed correctly. Therefore, for multiple users to have ac- the kernel file structure, which contains information such
cess to files, a shared directory, usually under /home, is used. as the pointer to the file’s dentry (Directory Entry), current
Consider that this directory is named as /home/secured. position in the read/write, supported file operations, file
Files that are to be protected by the ABAC policy are placed flags, etc. Dentries are used by the kernel to keep track of
in this directory. Similar to other LSMs like SELinux and file hierarchies in directories, map inodes to files, etc. ABAC
AppArmor, our approach to supporting ABAC extends the LSM uses the file’s dentry to obtain its full path via the
capabilities module. Hence, the permissions of this shared - dentry_path_raw() method. The second argument to the
directory must be set up in such a way that the capabilities hook - int mask is a bit mask that indicates the operation
module always grants access to all users for all actions. for which the file was opened - read, write, append, etc.

Algorithm 1 Pseudo code for ABAC LSM hook Algorithm 2 Rule List based Access Resolution
1: function ABAC _ FILE _ PERMISSION(f ile ∗ f ile, mask ) 1: function ABAC _ RESOLVE(uid, path, mask )
2: uid ← current_euid() 2: user_attr ← get_user_attr(uid)
3: if uid == 0 return 0 3: if user_attr == null return denied
4: path ← dentry _path_raw(f ile) 4: covering _rules ← get_covering _rules(path)
5: if path does not belong to secured directory 5: if covering _rules == null return denied
6: return 0 6: env _attr ← get_env _attr()
7: if system not initialized return -EPERM 7: op ← get_abac_op(mask)
8: decision ← abac_resolve(uid, path, mask) 8: for rule in covering _rules
9: if decision == allowed return 0 9: if op ̸= rule.op
10: return -EPERM 10: rule ← rule.next
11: continue
12: if compare(rule.user, user_attr)
A pseudo-code of the LSM hook is given in Algorithm 1 13: if compare(rule.env, env _attr)
followed by an explanation. 14: return allowed
The purpose of the first step (Lines 2-3) of the algorithm 15: rule ← rule.next
is to obtain the subject’s user id. The effective user id of 16: return denied
a user can be obtained using the current_euid() macro.
If the obtained user id is 0, then access is always granted
since it is the root user. The second step (Lines 4-6) is to 4.1 Rule List based Approach
check if the object being accessed belongs to the shared The first resolution method uses a rule-list based approach
directory. The hook method is called for every file access, where every object has a set of covering rules and only those
but only files in the shared directory are covered by ABAC. rules are searched during access resolution. A covering rule
So, for files outside the shared directory, access is granted by is a rule in the ABAC policy whose set of object attribute-
default. The next step (Line 7) is to verify that the policy and value pairs subsume the attribute-value pairs of the object.
attributes are loaded. During system boot, the ABAC policy For example, if an object has attribute designation with value
and attributes of all entities are loaded into the kernel. If for student, every rule in the policy with this object attribute-
some reason, this fails to occur, files in the shared directory value pair becomes a covering rule. Each object is mapped
should be inaccessible. Therefore, if the policy is not loaded, to an array of rule-ids via the hash table mentioned above.
access is denied. In the fourth step (Lines 8-10), an access Since the object is mapped to its covering rule set, we do not
control decision is made using the user id, file path and need to compare object attributes again during resolution.
access mode mask. The policy evaluation method used in Therefore, in this method, once the covering rule set is deter-
abac_resolve() function is discussed in the next section. It mined for each object, we ignore the object attributes present
should be noted that, the access decision of ABAC LSM may in rules. Traversing only through the covering rules avoids
not be final. If there are other LSMs after ABAC LSM that checking unnecessary rules and correspondingly speeds up
use the file_permission() hook, then their outcome would access resolution. A pseudo code of the abac_resolve()
determine the final decision. method of Algorithm 1 using this approach is given in
Algorithm 2.
4 ACCESS R ESOLUTION L OGIC In the first step (Lines 2-6) of the algorithm, the resolu-
tion method first obtains user and environmental attributes
We propose two methods for resolving incoming access
from ABAC securityfs and the covering rule set. If user
requests which use different data-structures and algorithms.
attributes are not available or if the covering rule set is
Both the methods use a hash-table indexed by object path
empty, access is denied. Then the access mode bit mask is
to store object to data-structure mappings, and arrays to
converted into appropriate ABAC operation - "READ" or
store user-attribute mappings. For hash-tables, we use the
"MODIFY" (Line 7). The next step (Lines 8-16) is to traverse
hash table API provided by Linux kernel. The user-attribute
each rule in the covering rule set and compare the attributes
mapping array is indexed by user-ids, which start from
of the access request with those of the rule. The compare
1000. However, environmental attributes are stored using
method goes through each attribute in the rule and verifies
linked lists since they are typically few in number. We
that the access request contains that attribute with the same
chose hash-tables and arrays to improve the performance
value. Note that, as the rule list is maintained for each
of fetching object and user attributes, respectively, since it is
individual object and we do not need the object attributes
an O(1) time operation.
additionally to identify the same, we only compare user and
Both methods use encoded attributes and value strings
environmental attributes, thus ignoring the object attributes.
to further improve resolution performance. Each attribute/-
If any of the comparisons fail, we move on to the next rule. If
value string is assigned a unique positive integer before it
all are successful, access is allowed. Finally, after traversing
is injected into the kernel (Discussed later in Section 5.3).
through the covering rule set, if none is satisfied, access
Using integers reduces the overhead of strcmp() when com-
is denied. A point to note here is that, we consider every
paring attributes and their values during resolution since
rule to have the same number of equality checks, which is
comparing integers is much faster and does not involve
the total number of user and environmental attributes. If a
function calls.
particular attribute a is not pertinent to a rule, we still make

Algorithm 3 ACT based access resolution

1: function ABAC _ RESOLVE(uid, path, mask )
2: uattr ← get_user_attr(uid)
3: if uattr == null return denied
4: root ← get_obj _act(path)
5: if root == null return denied
6: eattr ← get_env _attr()
7: if eattr == null return denied
8: op ← get_abac_op(mask)
9: result ← resolution_helper(root, uattr, eattr, op)
10: if result == null return denied
11: return allowed
Fig. 4: ACT for READ operation on example file F1 12:
13: function RESOLUTION _ HELPER(node, uattr, eattr, op)
14: if node == null return null
it a constituent of that rule in the form a=*, where * denotes 15: if nodeisleaf and node.op == op return node
don’t care. This approach presents the rules uniformly to
16: child ← get_branch(node, uattr, eattr)
the security officer and there is no ambiguity whether the
17: if child == null return null
corresponding condition was omitted intentionally or it was
18: return resolution_helper(child, uattr, eattr)
inadvertently missed out.
TABLE 1: abac CLI sub-commands and their functions
4.2 Access Control Tree based Approach
The next evaluation method uses a special policy tree data Sub-command Function
structure [18], where each object is mapped to an Access user Manage ABAC users and attributes
Control Tree (ACT). An ACT is a tree data structure where obj Manage object attributes
each non-leaf node in the tree represents an attribute and policy Manage ABAC rules
each branch from a node represents a value of the node’s at- avp Define and manage available attributes
tribute. The leaf nodes represent the allowed access modes.
load Load ABAC data from store into kernel
The tree is built from the object’s covering rules and its
nodes are arranged in such a way that the number of com- server Start ABAC background service
parisons is reduced during access resolution. For example, watch Start ABAC shared directory watch service
consider the two rules mentioned in Sub-section 2.4. Also, env_update Start ABAC environmental attribute service
let F1 be a file whose object attribute type is assignment. Then init Initialize the policy and attribute store
the ACT for the READ operation on F1 will be as shown in
Figure 4.
In this method, the hash-table maps each object to a a branch is found, then we invoke the function recursively
pointer to the root of the ACT. Note that, the current with the child node of that branch and return its result on
approach is different from the work in [18], where a single termination of recursion (Line 18).
tree is created and used for access resolution of all the users,
objects, environmental conditions and operation. A pseudo
5 S YSTEM D ESIGN
code of the abac_resolve() method of Algorithm 1 using
ACT is given in Algorithm 3. In this section, we give system level details of the design
Similar to the previous method, in this algorithm also, used to implement our proposed approach.
the LSM fetches user attributes, object’s ACT root and cur-
rent environmental attributes (Lines 2-7). If any of these are 5.1 abac Command Line Tool
unavailable, access is denied immediately. Next, we invoke We have developed an abac command line interface (CLI)
a recursive method (Line 9) to resolve accesses using the tool that provides the complete user space functionality
ACT’s root and attributes obtained in the previous step. required to interact with the kernel space LSM, manage
The recursive method takes the ACT node, user and envi- users, objects and their attributes. This is the main point of
ronmental attributes, and access mode mask as arguments interaction for both administrators and users of the system.
and traverses the tree till it reaches a leaf node. After a The abac command has several sub-commands, which in
sanity check (Line 14) to ensure the current node is not turn have several actions corresponding to different tasks
null, at each invocation it is checked if the current root is (Table 1). All the sub commands, except obj are exclusive to
a leaf (Line 15). If so, it verifies if the given access mode the administrator since normal users only have the right to
matches with the leaf node’s access mode. If there is a manage attributes of the objects they own.
match, access is allowed, else denied. If the current node
is not a leaf node, the user and environmental attributes are
examined to determine which branch of the current node 5.2 Policy and Attribute Store
to traverse (Lines 16-17). It might also happen that none of ABAC policies and attributes are stored in JSON format [19]
the branches are suitable, in which case access is denied. If and located in /etc/abac/. Files in this directory contain all

TABLE 3: Files in ABAC securityfs

Listing 1: Sample files in Policy and Attribute store
Filename Function
# available attribute value pairs (avp.json)
{ user_attr User Id to attribute-value pair mapping
’user’: { obj_attr File path to attribute-value pair mapping
’designation’: [’developer’, ’QA’, ’intern’], env_attr Current environment attribute-value pairs
’group’: [’software’, ’accounts’, ’sales’]
}, ’object’: { policy ABAC policy rules
’type’: [’doc’, ’pdf’, ’deb’], perf Time taken for resolving the last access request
’released’: [’true’, ’false’] action LSM operation mode
}, ’env’: {
’day_of_week’: [’weekday’, ’weekend’],
’cpu_load’: [’low’, ’high’], Algorithm 4 Pseudo code of ABAC Securityfs write syscall
’is_holiday’: [’true’, ’false’] 1: function ABAC _ POLICY _ WRITE(buffer, len)
} 2: if buffer is empty return -EINVAL
}
# User attributes (use_attr.json) 3: data ← kmalloc(len)
{ 4: if data is null return -EFAULT
’1000’: {’designation’: ’developer’}, 5: data ← copy _f rom_user(data, buf f er, len)
’1001’: {’designation’: ’intern’, ’group’: ’sales’}, 6: if data is null return -EFAULT
}
7: policy = parse_policy(data)
# Object attributes (obj_attr.json)
{ 8: if policy is null
’statement’: {’type’: ’pdf’, ’released’: ’true’}, 9: retval ← -EINVAL
’memo’: {’type’: ’pdf’, ’released’: ’true’}, 10: else
} 11: retval ← len
# Environmental Attributes (env_attr.json) 12: kf ree(data)
{ 13: return retval
’day_of_week’: ’weekday’,
’cpu_load’: ’high’,
’is_holiday’: ’false’
} mainly used for inter-process communication and enable
# Policy (policy.json) interaction between the kernel and the user space. Appli-
[{ ’user’: {’designation’: ’developer’}, cations can treat them like regular files and use common
’object’: {’type’: ’pdf’, ’released’: ’true’}, system calls like open(), read(), write(), etc. For example,
’env’: {’day_of_week’: ’weekday’},
the proc file system, mounted at /proc, contains information
’op’: ’READ’},
}] about processes. The debugfs file system is mounted at
/sys/debug and contains information used by utilities like
ftrace. We use the securityfs pseudo file system to communi-
TABLE 2: Files in policy and attribute store cate with the kernel from user space. Securityfs is mounted
at /sys/kernel/security. LSMs that intend to use this file
Filename Function
system create a directory and populate it with the needed
avp.json Maps available attributes to set of possible values
files. The Securityfs API does not provide system calls
user_attr.json UID to attribute-value pair mapping
required to operate on the files created. Instead, the imple-
obj_attr.json File path to attribute-value pair mapping
menter must provide custom system calls for each file based
env_attr.json Current environment attribute-value pairs
on its functionality. Pointers to these custom system calls are
policy.json ABAC policy rules
passed to the securityfs API at the time of initializing the
file system. We use the fs_initcall() callback method to
initialize securityfs files during kernel initialization. ABAC
ABAC related information and are referred to as the policy
LSM creates a securityfs directory named abac and popu-
and attribute store. ABAC background services and the CLI
lates it with the files listed in Table 3.
tool interact with this store to obtain and modify ABAC
Only root user has access to files in ABAC securityfs.
information. It is created automatically during installation
Each file in ABAC securityfs has an associated custom
and appropriate DAC permissions are set (using chmod -R
write() call. The write() call reads data from user space,
660) so that only the root user has access to it. Files in the
copies it to a kernel space buffer using the copy_from_user()
store and their functions are listed in Table 2. The JSON
method, and parses the data written into kernel objects.
format is chosen since Python3 has native support for it.
Although possible, it is not recommended to manually
Sample JSON files of the store are shown in Listing 1.
interact with securityfs. Instead, administrators should use
the provided command line tool to work with ABAC data. A
pseudo code for the write system call of policy file in ABAC
5.3 Security File System securityfs is given in Algorithm 4.
The proposed method uses a pseudo-file system to inject The abac_policy_write() method shown in the algo-
attributes and policy into the kernel from user space. Pseudo rithm is called when user space programs invoke the write
file systems are hierarchically organized interfaces to kernel system call on the policy file in ABAC securityfs. Its argu-
objects, that appear as regular files in the system. They are ments are a pointer to the user space character buffer and its

length. Unlike normal write syscall, here a successful write

indicates that the policy was properly loaded. Therefore, on
successful parsing of the policy, the length of the user space
buffer is returned. Also, on memory allocation error, -EFAULT
is returned and for parsing failure, -EINVAL is returned,
indicating that there is an error in the policy file. The first
step (Line 2) is a sanity check to verify that the user space
buffer is not empty. In the next step (Lines 3-6), a kernel
space character buffer is allocated. To copy data from the
user space buffer to kernel space, the copy_from_user()
method provided by the kernel is used. After making sure
that data is copied correctly, the next step (Line 7) is to
parse the data. If parsing is successful (Line 10), the policy
is stored in kernel space and return value is set to the length
of the buffer, indicating that the system call was successful.
If parsing fails (Lines 8-9), the return value is set to an
appropriate error code. The parsed policy is made available
to the LSM hook method (Algorithm 1) via extern variables.
The syscalls for rest of the files are similar, differing only in Fig. 5: ABAC LSM and services boot sequence
the method used for parsing and the object created.

5.4.3 Environmental Attribute Service

5.4 Background Services for ABAC Support
Environmental attributes are a unique feature of ABAC
The proposed method has three Systemd services that run
due to their ability to support dynamic access control. The
in the background. They start automatically on system boot
values of environmental attributes can change with time,
and run until the system shuts down. These services are
location, number of users logged in, system load, etc. But
essential for proper functioning of the kernel components.
access requests must be verified against the ABAC policy
If the services fail to start or stop running, files in the shared
using current values of the environmental attributes. This
directory may become inaccessible. Systemd prevents this
is where the environmental attribute service comes in. It
by restarting the services immediately if they fail. We look
constantly updates the values of environmental variables
at each service in detail below.
and loads them into the kernel. An issue that naturally arises
is the time interval between updates. Consider the example
5.4.1 ABAC Service
attribute - day_of_week. It is set to "weekday" for Monday
ABAC service is a system Systemd service. It loads the user, to Friday, "weekend" for Saturday and Sunday. We can see
object, environment attributes and the ABAC policy from that the value changes only at midnight of Fridays and
the store into the kernel so that the LSM can enforce the Sundays. So, the update function needs to run only at these
loaded policy. Since it is a system service, it has access to two moments. To handle this, we use cron based scheduling
the policy and attribute store. It also handles requests from to avoid unnecessary updates, thus reducing background
users for managing object attributes via the abac obj sub- job overhead.
command. It provides actions like listing, assigning and
removing object attributes and ensures that object attributes
are being accessed and managed only by the object’s own- 5.5 System Boot Sequence
ers. In the first step of Linux booting procedure, the boot-loader
program executes a bootstrap code which invokes various
5.4.2 Shared Directory Watch service initialization steps like process and memory initialization,
As mentioned in Subsection 3.2, the shared directory has decompressing the kernel and loading it into memory.
a special set of permissions for the proposed method to Next, the kernel itself is initialized followed by calling
function correctly. These permissions are initially set at the init hooks registered by various subsystems. The proposed
time of installation when the shared directory is empty. system uses two such hooks, namely, security_init and
Therefore, files created later would not have appropriate fs_initcall. security_init is responsible for initializing
permissions and become inaccessible. To prevent this, the the LSM hook method using the DEFINE_LSM macro provided
directory watch service runs in the background, listening by the kernel. The fs_initcall method is used to register
for file system events. Similar to the ABAC service, it is ABAC securityfs, and for creating the directory and files
also a system Systemd service and has access to the store. mentioned previously (in Section 5.3). After all the init
When it detects a file system event in which new files and calls are executed, the user space init process (Systemd) is
directories are created, it uses the chmod command to assign started. It starts the ABAC service, environmental attribute
appropriate permissions. It also responds to file deletion and shared directory watch services. Figure 5 provides an
events and removes the deleted file’s attributes from the overview of the booting procedure.
store. This avoids maintaining unnecessary attributes in the
store and loading them into the kernel.

TABLE 4: Four parameters and their values used in all the Fig. 6: Variation of access time in user space for 200 rules
experiments (Other parameter values as shown in Table 5)
Parameter C1 C2 C3 C4
103
Object Attributes 5 10 15 25 SP RL ACT DAC
Values Per Object Attribute 5 10 15 25
Env. Attributes 3 5 7 10

Access Time (in µs)

Values Per Env. Attr. 2 4 10 15
102
TABLE 5: Metadata for the results shown in Table 6 and
Figure 6

Parameter C1 C2 C3 C4
101
Users 10 50 100 500
User Attributes 5 10 25 50
Values Per User Attribute 5 10 15 25
Objects 100 500 1000 5000
100
C1 C2 C3 C4
6 D EPLOYMENT S TEPS
Fig. 7: Variation of access time in user space for 500 users
Deployment of the proposed method for supporting ABAC (Other parameter values as shown in Table 7)
in Linux involves patching, building and installing the
Linux kernel from source, and installing user space utilities 103
and services. The first step is to obtain kernel source from SP RL ACT DAC
the official content delivery network [20] and the source
code of the ABAC kernel components from our GitHub
repository [21]. To patch the kernel with the proposed ABAC
Access Time (in µs)

source, one needs to copy contents of the security directory 102

from the repository to the downloaded kernel source. The
contents to be copied are as follows -
i abac_<xyz> directory
Contains C language source code, a Makefile and a
101
Kconfig. Here xyz represents the evaluation method
used by the LSM. It can be either "trees_enc" or
"rules_enc". The source code in each directory contains
the LSM hook method, securityFS write() syscalls and
parsing methods. It also contains a Makefile and a 100
Kconfig which are required by the kernel build system. C1 C2 C3 C4
ii Makefile
Defines the dependencies for building the security sub-
system using the GNU Make build system [22]. 7 E XPERIMENTAL R ESULTS
iii Kconfig To evaluate the performance of the proposed method, we
Kernel configuration file which lists the available op- studied file access time under various scenarios. It may
tions. It lists options like available LSMs, available LSM be noted that there are only two real-world datasets on
hooks, securityFS properties, etc. ABAC currently available. These are Amazon Kaggle [24]
The next step is to configure the kernel based on the system and Amazon UCI [25]. The first one was published by
architecture and required features. Once configuration is Amazon on Kaggle. It is a challenge for predicting if an
complete, the kernel can be built using make and installed employee will get access to a resource depending on her
using make install command. On next system boot, the job role. However, this dataset is not sufficiently large for
ABAC patched kernel will be available for selection. User conducting our studies requiring multiple possible attribute
space utilities, written in python, can be downloaded from combinations. It has only eight user attributes and a re-
our other GitHub repository [23]. It contains source code source id. The action column is either allow or deny. Most
for the abac command line tool and Systemd unit files, of the attributes for this dataset are highly imbalanced with
which provide commands for starting the background ser- only a few of their all possible values being actually present
vices. There is also a script for automatically installing in most of the rows [26]. Further, it does not contain any
the command line tool and background services. Detailed resource or environmental attributes. On the other hand, the
installation and usage instructions for both user and kernel Amazon UCI repository is quite sparse [27] and there is also
space components for various platforms are provided in the no resource or environmental attribute.
README files of the respective repositories. To circumvent the above mentioned shortcomings, we
developed an ABAC data simulator for generating realistic

Evaluation Access Time in User Space Access Time in Kernel Space

Config.
Method 10 50 100 200 10 50 100 200
Rule List 11.52 12.40 14.95 16.02 0.40 0.48 0.63 0.68
C1
ACT 12.20 12.82 13.46 15.21 0.26 0.35 0.48 0.53
Rule List 13.20 15.90 16.89 17.14 0.45 0.65 0.97 1.15
C2
ACT 12.89 13.46 14.10 15.05 0.37 0.42 0.87 0.90
Rule List 16.99 18.76 19.68 20.46 2.41 2.64 3.10 4.01
C3
ACT 15.78 15.22 17.10 18.46 1.17 2.01 2.80 3.79
Rule List 26.05 26.89 28.10 28.76 11.56 12.10 14.25 14.98
C4
ACT 19.65 20.54 22.00 24.18 10.87 11.51 11.99 13.28

TABLE 6: Access time (in µs) for number of policy rules from 10 to 200 (Other parameter values as shown in Table 5)

TABLE 7: Metadata for the results shown in Table 8 and capabilities) disabled.
Figure 7 As discussed in Sub-section 2.4, there are nine com-
ponents of ABAC which can potentially affect the perfor-
Parameter C1 C2 C3 C4
mance. These are the number of users, objects, user at-
Rules 10 50 100 200 tributes, object attributes, environmental attributes, values
User Attributes 5 10 25 50 per user attribute, per object attribute, per environmental
Values Per User Attribute 5 10 15 25 attribute, and the number of rules. Each experiment has
Objects 100 500 1000 5000 one varying parameter and four configurations C1, C2, C3
and C4 of fixed parameters, with C1 being the smallest and
Fig. 8: Variation of access time in user space for 5000 objects C4 being the highest in terms of number of attributes and
(Other parameter values as shown in Table 10) entities. Of these, impact of the number of object attributes
and values per object attribute as well as the number of
103 environmental attributes and values per environmental at-
SP RL ACT DAC tribute is similar to that of the number of user attributes
and the number of values per user attribute. Hence we keep
their values fixed for all the experiments as shown in Table
4. Note that, while the number of values for each attribute
Access Time (in µs)

102 (user, object or environment) varies across configurations,

within a given configuration, we do not vary it for different
attributes. This is for ease of comparison and to simplify
the data generation process. Also, there are two operations
considered in the experiments, namely, read and write.
101
For each experiment, every configuration is loaded into
the kernel and files in the shared directory were accessed
in read or write mode and the access time (in µs) was
measured. We measure access time from user space which
100 represents the time taken from the user’s perspective, and
C1 C2 C3 C4 also time spent in the ABAC LSM, which represents the
performance of the attribute fetching and access resolution
algorithm. Before measuring times, we switch the kernel
data with various combinations of parameter values. The into performance evaluation mode using the action and
simulator, which is written in Python, takes these values perf files as shown in Table 3. We report the average result
as input and creates ABAC systems of the desired size. We over 500 repetitions of the experiment, where each instance
ensured that the data so generated has distribution similar includes accessing every file in the secured abac directory,
to what is intuitively expected in practice. For example, measuring time taken from user space (wall clock time) using
the number of objects is considered an order of magnitude the perf_counter_ns() method in python, and obtaining the
greater than the number of subjects, the number of environ- time spent in the LSM from securityfs. The measured user
mental attributes is less than the number of user or object space access time includes -
attributes, the number of values per environmental attribute i Time taken by context switches
is less than the corresponding numbers for user and object ii Time taken by Virtual File System (VFS) code
attributes, etc. iii Time taken by other LSMs (capabilities module in our
We conducted five experiments using synthetically gen- case)
erated data sets obtained from the simulator on a desktop iv Time taken by ABAC LSM
machine having 3.1GHz Intel i7 CPU with 8GB RAM and The time spent inside the LSM does not include times
7200RPM hard disk, running Ubuntu 20.04 with ABAC (ii) and (iii) in the above list. Therefore, it gives a better
patched kernel (Version 5.10.96) and other LSMs (except idea of the performance of different evaluation methods. It

Evaluation Access Time in User Space Access Time in Kernel Space

Config.
Method 10 50 100 500 10 50 100 500
Rule List 12.91 12.70 12.51 12.72 0.48 0.50 0.49 0.49
C1
ACT 11.20 11.26 11.29 11.01 0.35 0.31 0.33 0.36
Rule List 14.77 14.72 14.89 14.66 0.87 0.95 0.97 1.00
C2
ACT 13.10 13.25 13.44 13.68 0.90 0.89 0.84 0.89
Rule List 16.54 17.02 17.11 16.97 2.22 2.37 2.29 2.05
C3
ACT 16.00 15.89 15.99 16.48 1.98 1.99 2.11 2.10
Rule List 27.41 27.11 27.46 27.65 12.54 12.43 12.33 12.60
C4
ACT 24.89 25.11 25.79 25.63 11.94 11.87 11.57 12.00

TABLE 8: Access time (in µs) for number of users from 10 to 500 (Other parameter values as shown in Table 7)

Evaluation Access Time in User Space Access Time in Kernel Space

Config.
Method 10 500 1000 5000 10 500 1000 5000
Rule List 13.59 13.98 13.97 14.02 0.37 0.38 0.39 0.35
C1
ACT 12.68 13.14 12.98 12.77 0.36 0.35 0.34 0.35
Rule List 14.69 14.82 14.50 14.70 0.60 0.68 0.71 0.69
C2
ACT 12.95 12.76 12.95 12.99 0.46 0.47 0.48 0.51
Rule List 16.25 16.18 16.66 16.23 1.71 1.86 2.10 2.11
C3
ACT 15.00 15.64 15.42 15.24 1.70 1.69 1.56 1.76
Rule List 26.98 27.01 26.91 29.99 11.72 12.32 12.87 12.05
C4
ACT 25.00 25.34 24.99 25.01 11.59 11.49 11.29 11.61

TABLE 9: Access time (in µs) for number of objects from 10 to 5000 (Other parameter values as shown in Table 10)

TABLE 10: Metadata for the results shown in Table 9 and Fig. 9: Variation of access time in user space for 50
Figure 8 attributes per user (Other parameter values as shown in
Table 13)
Parameter C1 C2 C3 C4
Rules 10 50 100 200 103
Users 10 50 100 500 SP RL ACT DAC
User Attributes 5 10 25 50
Values Per User Attribute 5 10 15 25
Access Time (in µs)

102
should be noted that the time measured inside the kernel
also includes the time taken to perform sanity checks and
that for fetching attributes. On the other hand, user space
time measurements give a good idea of performance as seen 101
by the user. We also measured the user space access time
with the DAC module to provide a relevant baseline for the
ABAC module.
In the first experiment (with metadata given in Table
5), we study the impact of number of rules in the ABAC 100
policy on access time. In Table 6, we vary the number of C1 C2 C3 C4
rules from 10 to 200 and show the access time in the user
space as well as in the kernel space. The results are shown
for both the rule list (RL) based approach (Subsection 4.1) is because of the increasing size of the tree and the number
as well as the ACT based approach (Subsection 4.2). In of covering rules, which in turn increases the time taken for
Figure 6, we fix the number of rules to 200 and show how access resolution. The execution time also increases across
the two rule evaluation approaches RL and ACT compare configurations due to increasing number of attributes per
with DAC for all the four configurations in terms of the user, which again increases the RL and ACT sizes. Further,
access time in the user space. We also plot the execution the results in the figure show that the approach proposed
time for a single policy (SP) based approach proposed in in this paper is an order of magnitude more efficient as
our previous work [9]. Note that the y-axis is plotted in log compared to our previous work.
scale for ease of comparison. From the table, it is observed The results of our second experiment (with metadata
that the access time increases with the number of rules. This given in Table 7) are reported in Table 8, where we show

Evaluation Access Time in User Space Access Time in Kernel Space

Config.
Method 5 10 25 50 5 10 25 50
Rule List 13.00 13.11 13.20 13.25 0.39 0.40 0.42 0.43
C1
ACT 12.84 12.91 12.86 12.90 0.37 0.38 0.39 0.39
Rule List 14.89 14.95 15.00 15.01 0.81 0.81 0.82 0.85
C2
ACT 14.02 14.05 14.11 14.12 0.69 0.72 0.73 0.75
Rule List 15.76 15.98 16.12 16.35 2.10 2.15 2.18 2.20
C3
ACT 15.20 15.24 15.28 15.48 1.96 1.99 2.04 2.10
Rule List 25.10 25.15 25.20 25.29 11.99 12.08 12.10 12.16
C4
ACT 24.89 24.97 25.10 25.14 11.89 11.99 12.10 12.15

TABLE 11: Access time (in µs) for number of user attributes from 10 to 50 (Other parameter values as shown in Table 13)

Evaluation Access Time in User Space Access Time in Kernel Space

Config.
Method 5 10 15 25 5 10 15 25
Rule List 13.10 13.13 13.11 13.00 0.40 0.39 0.38 0.40
C1
ACT 12.89 12.91 12.86 12.90 0.37 0.36 0.37 0.35
Rule List 13.99 14.20 14.21 14.08 0.68 0.69 0.69 0.68
C2
ACT 13.05 13.10 13.09 13.10 0.65 0.66 0.67 0.64
Rule List 16.25 16.26 16.27 16.25 1.86 1.88 1.90 1.92
C3
ACT 15.21 15.25 15.30 15.32 1.65 1.71 1.75 1.69
Rule List 24.68 24.70 24.69 24.69 11.88 11.98 11.81 11.94
C4
ACT 24.49 24.51 24.48 24.50 11.70 11.71 11.76 11.69

TABLE 12: Access time (in µs) for number of values per user attribute from 5 to 25 (Other parameter values in Table 14)

TABLE 13: Metadata for the results shown in Table 11 and Fig. 10: Variation of access time in user space for 25 values
Figure 9 per user attribute (Other parameter values as shown in
Table 14)
Parameter C1 C2 C3 C4
Rules 10 50 100 200 103
Users 10 50 100 500 SP RL ACT DAC
Values Per User Attribute 5 10 15 25
Objects 100 500 1000 5000
Access Time (in µs)

TABLE 14: Metadata for the results shown in Table 12 and 102
Figure 10

Parameter C1 C2 C3 C4
Rules 10 50 100 200 101
Users 10 50 100 500
User Attributes 5 10 25 50
Objects 100 500 1000 5000
100
C1 C2 C3 C4
the impact of varying the number of users from 10 to 500.
In Figure 7, we fix the number of users to 500 and show
how the RL and ACT approaches compare with DAC as increases.
well as the SP approach for all the four configurations in For the third experiment (with metadata given in Table
terms of the access time in the user space. From the figure 10), we show the impact of varying the number of objects
and the table, it is observed that the access time within from 10 to 5000 in Table 9. In Figure 8, we fix the number
a configuration remains unaffected. The reason is that an of objects to 5000 and show how the two rule evaluation
increase in the number of users does not affect the size of the methods compare with DAC as well as the SP approach. The
data structures used in access resolution. Since we use hash table and the figure show that the execution times within a
tables to fetch user attributes, time taken to fetch attributes configuration remain unaffected whereas times across con-
remains unchanged as well. However, time increases with figuration increase monotonically with configuration size
the size of configuration since the number of user attributes (C1 to C4) due to increase in the number of attributes.

We report the results of our fourth experiment (with immediately. Therefore, the overhead for file access times
metadata given in Table 13) in Table 11, where the number for files outside the shared directory is negligible. Further,
of user attributes is varied from 10 to 50. The results are both the rule evaluation approaches proposed in this paper,
shown for both the rule list based approach as well as the namely RL and ACT, are approximately ten times faster than
ACT based approach. In Figure 9, we fix the number of user the single policy based approach introduced in our earlier
attributes to 50 and show how the two rule evaluation meth- work [9].
ods compare with DAC as well as the SP approach. From For our current RL approach, we keep the sizes of all
the figure and the table, it is observed that the access time the rules equal as mentioned in Sub-section 4.1 and use
increases monotonically with number of user attributes both don’t care values if needed. Thus, for each rule, the number
within a configuration and across configurations. The reason of equality checks is equal to the number of user and
for increase within a configuration is that higher number of environmental attributes. Instead, one can also make the
user attributes leads to a longer linked list of attribute value number of conditions in each rule variable by pruning those
pairs for each user, which in turn increases access resolution which are not relevant for that particular rule. The rules can
time. Access time also increases with configuration size due then be sorted in increasing order of the number of equality
to the increase in number of rules. conditions to be checked, further improving the efficiency
In the final experiment (with metadata given in Table of the RL approach at the cost of some loss in uniformity.
14), we study the impact of varying the number of values
per user attribute (from 5 to 25) on access time as shown in 8 R ELATED W ORK
Table 12. In Figure 10, we fix the number of values per user
Linux has seen a huge rise in personal and commercial
attribute to 25 and compare the two rule evaluation methods
usage in recent years due to its performance and flexibility.
with DAC as well as the SP. The results in the table and the
This led to increased scrutiny on security in Linux. Con-
figure indicate that the access time within a configuration
temporary work in this field discusses various vulnerabili-
remains unaffected, but increases with configuration size.
ties, exploits and mitigation strategies [28], [29], [30]. With
The reason is similar to the second experiment. Increasing
increase in the popularity of containerization technology
the number of values per user attribute does not affect the
and Linux being the most popular choice [31] for running
size of data structures used in access resolution and hence,
container images, security issues in this area are being
access time remains unaffected. The impact of varying other
studied thoroughly [32]. However, research in access control
parameters like object attributes, environmental attributes
methods for Linux is not up to speed. We believe the main
and their respective values per attribute is likely to be
reason is that complex access control solutions are already
similar to the previous experiments since the logic used for
available at the application level [33], [34], [35].
storing and fetching is the same. Hence, we do not repeat
The work presented in this paper makes modifications at
those results here.
the operating system level and provides file system security.
From the above experiments, we observe that the pro-
Recent research in this particular area includes studies on
posed method is quite efficient and can indeed be used
placement of LSM hook method in the kernel [36], [16], [37],
in practical deployments of ABAC enhanced Linux. The
[38], [39] and improving SELinux policies [40], [41]. LSM
average access time is within 30 µs even with 5000 objects
framework is also being used in containerization technolo-
and 200 rules. From the tabulated data and plots, it is seen
gies [42]. Use of SELinux in embedded systems has been
that the ACT based evaluation method is faster. However,
studied as well [43]. SELinux is also enabled by default in
it requires some additional memory for storage since each
android devices and provides various security features [44],
object has its own tree, whereas in the single policy based
[45]. However, to the best of our knowledge, except for our
method, each object only has references to a global list of
preliminary discourse [9], there is no work available that
rules. As the height of the tree is O(|UA|), where UA
aims to provide ABAC support in Linux. In the proposed
denotes the set of user attributes, this overhead is not
method, usage of LSM module to perform security checks
significant, especially because not all user attributes will
and use of user space services and tools to interact with
be used in accessing every object, and hence, will not be
kernel are similar to SELinux and AppArmor. But the sim-
included in its ACT. As mentioned in Section 1, DAC needs
ilarity ends there, the internal design and security model
to store the list of users having access on any given object in
implemented by our method are completely different.
the form of ACLs, which requires more space compared to
ACT.
We also observe that, access time of the proposed 9 C ONCLUSIONS AND F UTURE W ORK
method is dependent on the number of rules in the ABAC In this paper, we looked at existing access control models
policy and the number of user attributes. From the tables, in Linux and introduced a method for integrating Attribute-
we can see that only a small portion of user space access Based Access Control for file system objects using the Linux
time is spent in ABAC LSM and the remaining time is Security Module Framework along with efficient data struc-
spent in other kernel functions and the DAC module. Com- tures and algorithms. A significant improvement is achieved
pared to DAC, which is available by default, the proposed over an initial version of the work. We carried out extensive
method has only around 6 - 15 µs overhead. Note that the experiments to study its performance under ABAC config-
file_permission() hook method is called for every file ac- urations of various sizes. The following improvements and
cess. This includes files outside the shared directory, device features are planned for in the future.
files like /dev/tty/, etc. However, as seen in Algorithm 1, The current implementation is limited to two predefined
for the files outside the shared directory, access is granted environmental attributes - time of day and day of week. In

order to make the system more flexible, a procedure that [6] Chung, D. Ferraiolo, D. Kuhn, A. Schnitzer, K. Sandlin, R. Miller,
lets an administrator define custom attributes is needed. and K. Scarfone, “Guide to attribute based access control (abac)
definition and considerations,” 2019-02-25 2019.
One way of achieving this would be to provide a standard [7] “Achieving fine-grained access control and mitigating role explo-
set of environmental attributes based on their type - time sion by utilising abe with rbac,” Int. J. High Perform. Comput. Netw.,
based, location based, etc., and a way to configure them vol. 10, p. 109–117, jan 2017.
depending on the system’s needs. An advantage of such [8] A. Elliott and S. Knight, “Towards managed role explosion,” in
Proceedings of the 2015 New Security Paradigms Workshop, NSPW
an approach is that, it requires the administrator to have ’15, (New York, NY, USA), p. 100–111, Association for Computing
little to no programming knowledge for setting things up. Machinery, 2015.
However, the downside is that the user will be limited to [9] H. S. Varshith, S. Sural, J. Vaidya, and V. Atluri, “Enabling
attribute-based access control in linux kernel,” in Proceedings of
the available types of attributes. Another possible method the 2022 ACM on Asia Conference on Computer and Communications
involves letting the administrator define custom attributes, Security, ASIA CCS ’22, (New York, NY, USA), p. 1237–1239,
their values, methods to calculate those values and an Association for Computing Machinery, 2022.
interval at which they should be run. This would offer a [10] B. Arkills, LDAP Directories Explained: An Introduction and Analysis.
Addison-Wesley Professional, 2003.
lot more flexibility, but not everyone can be expected to [11] “Linux Security Module Usage — The Linux Kernel documenta-
possess programming skills. Our data generator tool used in tion.” https://www.kernel.org/doc/html/latest/admin-guide/
the experiments can be further enhanced by incorporating a LSM/index.html, 2021.
[12] B. W. Kernighan and D. M. Ritchie, The C programming language.
facility to have different number of values for each attribute 2006.
and also by providing support for different number of [13] B. K. R. Vangoor, P. Agarwal, M. Mathew, A. Ramachandran,
equality conditions for different rules. S. Sivaraman, V. Tarasov, and E. Zadok, “Performance and re-
In our implementation of ABAC, all attributes and poli- source utilization of fuse user-space file systems,” ACM Trans.
Storage, vol. 15, may 2019.
cies are managed by the root user only. This is sufficient for [14] L. Civolani, G. Pierre, and P. Bellavista, “Fogdocker: Start con-
moderately sized systems. However, as the user base grows, tainer now, fetch image later,” in Proceedings of the 12th IEEE/ACM
it can become unmanageable for a single administrator to International Conference on Utility and Cloud Computing, UCC’19,
(New York, NY, USA), p. 51–59, Association for Computing Ma-
manage the system. In RBAC, a hierarchy of administrator chinery, 2019.
roles is possible [46], in which there can be multiple staff [15] M. Monaco, O. Michel, and E. Keller, “Applying operating system
members with selected administrative roles under the main principles to sdn controller design,” in Proceedings of the Twelfth
administrator [47], [48]. A similar model also exists for ACM Workshop on Hot Topics in Networks, HotNets-XII, (New York,
NY, USA), Association for Computing Machinery, 2013.
ABAC [49], where under the chief administrator, a set of [16] T. Jaeger, A. Edwards, and X. Zhang, “Consistency analysis
next level admin users or even normal users may be allowed of authorization hook placement in the linux security modules
to create policy rules covering a limited set of attributes. framework,” ACM Trans. Inf. Syst. Secur., vol. 7, p. 175–205, may
2004.
Further, Separation of Duty (SoD) and Binding of Duty
[17] W. Zhang, P. Liu, and T. Jaeger, “Analyzing the overhead of file
(BoD) are two important security policies that can add protection by linux security modules,” in Proceedings of the 2021
constraints to the accesses allowed to any user controlled ACM Asia Conference on Computer and Communications Security,
by ABAC [50]. Enforcing SoD and BoD in ABAC-enhanced (New York, NY, USA), p. 393–406, ACM, 2021.
[18] R. Nath, S. Das, S. Sural, J. Vaidya, and V. Atluri, “Poltree: A data
Linux will be another interesting research direction. structure for making efficient access decisions in abac,” SACMAT
SELinux uses a complex cache mechanism called Access ’19, (New York, NY, USA), p. 25–35, Association for Computing
Vector Cache (AVC) which stores results of past access Machinery, 2019.
requests and prevents the need to perform entire resolution [19] F. Pezoa, J. L. Reutter, F. Suarez, M. Ugarte, and D. Vrgoč, “Foun-
dations of json schema,” in Proceedings of the 25th International
process for every access request. A similar mechanism can Conference on World Wide Web, pp. 263–273, International World
be implemented for ABAC LSM. A predefined number of Wide Web Conferences Steering Committee, 2016.
past access requests and their results can be stored in the [20] “Linux kernel content delivery network.” https://cdn.kernel.org/
pub/linux/kernel/v5.x/, Nov 2021.
kernel and reused before going through the normal resolu- [21] H. S. Varshith, “Source code for ABAC kernel components.” https:
tion procedure. A common cache eviction protocol like Least //github.com/saivarshith2000/abac_lsm_2022, Apr 2022.
Recently Used can be explored. It may however be noted [22] “GNU Make build system.” https://www.gnu.org/software/
that, presence of stale entries in the cache can inadvertently make/, Nov 2021.
[23] H. S. Varshith, “Source code for abac utilities.” https://github.
introduce other security vulnerabilities. com/saivarshith2000/abac_utils, Apr 2022.
[24] “Amazon employee access challenge:,” 2014.
[25] D. Dua and C. Graff, “UCI machine learning repository,” 2017.
R EFERENCES [26] S. Tang, J. Han, and Y. Zhang, “Amazon employee access control
system,” 2014.
[1] K. A. Khan, M. Amin, A. K. Afridi, and W. Shehzad, “Selinux in [27] A. Abu Jabal, E. Bertino, J. Lobo, M. Law, A. Russo, S. Calo,
and out,” in 2011 IEEE 3rd International Conference on Communica- and D. Verma, “Polisma - a framework for learning attribute-
tion Software and Networks, pp. 339–343, 2011. based access control policies,” in Computer Security – ESORICS
[2] T. Ecarot, S. Dussault, A. Souid, L. Lavoie, and J.-F. Ethier, “Appar- 2020 (L. Chen, N. Li, K. Liang, and S. Schneider, eds.), (Cham),
mor for health data access control: Assessing risks and benefits,” pp. 523–544, Springer International Publishing, 2020.
in 2020 7th International Conference on Internet of Things: Systems, [28] W. Xu, J. Li, J. Shu, W. Yang, T. Xie, Y. Zhang, and D. Gu, “From
Management and Security (IOTSMS), pp. 1–7, 2020. collision to exploitation: Unleashing use-after-free vulnerabilities
[3] M. P. Gallaher, A. C. O’Connor, B. Kropp, and G. Tassey, “The in linux kernel,” in Proceedings of the 22nd ACM SIGSAC Conference
economic impact of role-based access control,” 2002. on Computer and Communications Security, CCS ’15, (New York, NY,
[4] S. Smalley, “Configuring the selinux policy,” NAI Labs Rep, pp. 02– USA), p. 414–425, Association for Computing Machinery, 2015.
007, 2002. [29] H. Chen, Y. Mao, X. Wang, D. Zhou, N. Zeldovich, and M. F.
[5] G.-J. Ahn and D. Gami, “Enabling role-based delegation and revo- Kaashoek, “Linux kernel vulnerabilities: State-of-the-art defenses
cation on security-enhanced linux,” in 2007 12th IEEE Symposium and open problems,” in Proceedings of the Second Asia-Pacific Work-
on Computers and Communications, pp. 865–870, 2007.

shop on Systems, APSys ’11, (New York, NY, USA), Association for ’12, (New York, NY, USA), p. 7–12, Association for Computing
Computing Machinery, 2011. Machinery, 2012.
[30] P. A. Loscocco, P. W. Wilson, J. A. Pendergrass, and C. D. Mc- [48] S. Bhatt, F. Patwa, and R. Sandhu, “Abac with group attributes and
Donell, “Linux kernel integrity measurement using contextual attribute hierarchies utilizing the policy machine,” in Proceedings
inspection,” in Proceedings of the 2007 ACM Workshop on Scalable of the 2nd ACM Workshop on Attribute-Based Access Control, ABAC
Trusted Computing, STC ’07, (New York, NY, USA), p. 21–29, ’17, (New York, NY, USA), p. 17–28, Association for Computing
Association for Computing Machinery, 2007. Machinery, 2017.
[31] J. Watada, A. Roy, R. Kadikar, H. Pham, and B. Xu, “Emerging [49] S. Jha, S. Sural, V. Atluri, and J. Vaidya, “Security analysis of abac
trends, techniques and open issues of containerization: A review,” under an administrative model,” IET Information Security, vol. 13,
IEEE Access, vol. 7, pp. 152443–152472, 2019. no. 2, pp. 96–103, 2019.
[32] X. Lin, L. Lei, Y. Wang, J. Jing, K. Sun, and Q. Zhou, “A measure- [50] S. Jha, S. Sural, V. Atluri, and J. Vaidya, “Specification and verifi-
ment study on linux container security: Attacks and countermea- cation of separation of duty constraints in attribute-based access
sures,” in Proceedings of the 34th Annual Computer Security Appli- control,” IEEE Transactions on Information Forensics and Security,
cations Conference, ACSAC ’18, (New York, NY, USA), p. 418–429, vol. 13, no. 4, pp. 897–911, 2018.
Association for Computing Machinery, 2018.
[33] M. Sharifi, H. Movahednejad, S. G. H. Tabatabei, and S. Ibrahim,
“An effective access control approach to support web service
security,” in Proceedings of the 11th International Conference on In-
formation Integration and Web-Based Applications & Services, iiWAS
’09, (New York, NY, USA), p. 529–535, Association for Computing H.O Sai Varshith graduated from the Depart-
Machinery, 2009. ment of Computer Science and Engineering at
[34] Z. Zhang, E. Haffner, A. Heuer, T. Engel, and C. Meinel, “Role- the Indian Institute of Technology, Kharagpur,
based access control in online authoring and publishing sys- India in 2022 with a dual degree, i.e., Bachelor
tems vs. document hierarchy,” in Proceedings of the 17th Annual of Technology and Master of Technology. He is
International Conference on Computer Documentation, SIGDOC ’99, currently working at Honeywell. His research in-
(New York, NY, USA), p. 193–198, Association for Computing terests include operating systems and computer
Machinery, 1999. security.
[35] A. Armando, R. Carbone, E. G. Chekole, and S. Ranise, “Attribute
based access control for apis in spring security,” in Proceedings of
the 19th ACM Symposium on Access Control Models and Technologies,
SACMAT ’14, (New York, NY, USA), p. 85–88, Association for
Computing Machinery, 2014.
[36] V. Ganapathy, T. Jaeger, and S. Jha, “Automatic placement of
authorization hooks in the linux security modules framework,” Shamik Sural is a professor in the Department
in Proceedings of the 12th ACM Conference on Computer and Com- of Computer Science and Engineering, Indian
munications Security, CCS ’05, (New York, NY, USA), p. 330–339, Institute of Technology Kharagpur. He is a recip-
Association for Computing Machinery, 2005. ient of the Alexander von Humboldt Fellowship
[37] L. Georget, M. Jaume, G. Piolle, F. Tronel, and V. V. T. Tong, “Ver- and Fulbright Fellowship. He is a senior member
ifying the reliability of operating system-level information flow of IEEE and is currently serving on the editorial
control systems in linux,” in Proceedings of the 5th International FME boards of IEEE Transactions on Dependable &
Workshop on Formal Methods in Software Engineering, FormaliSE ’17, Secure Computing and IEEE Transactions on
p. 10–16, IEEE Press, 2017. Services Computing. His research interests in-
[38] D. Wang, Y. Dong, and W. Yang, “Subject and object sensitivity clude computer security and data science.
label of linux,” in 2012 IEEE Symposium on Robotics and Applications
(ISRA), pp. 224–226, 2012.
[39] X. Li, “Verifying mediations of linux security modules with blast,”
in 2010 2nd IEEE International Conference on Information Management
and Engineering, pp. 371–376, 2010.
[40] Z. C. Schreuders, T. McGill, and C. Payne, “Empowering end users
to confine their own applications: The results of a usability study Jaideep Vaidya is a Distinguished Professor
comparing selinux, apparmor, and fbac-lsm,” ACM Trans. Inf. Syst. of Computer Information Systems with Rutgers
Secur., vol. 14, sep 2011. University and is the Director of the Rutgers
[41] B. Hicks, S. Rueda, L. St.Clair, T. Jaeger, and P. McDaniel, “A Institute for Data Science, Learning, and Ap-
logical specification and analysis for selinux mls policy,” in Pro- plications. He has published over 200 papers
ceedings of the 12th ACM Symposium on Access Control Models in international conferences and journals. His
and Technologies, SACMAT ’07, (New York, NY, USA), p. 91–100, research interests are in privacy, security, and
Association for Computing Machinery, 2007. data management. He is an IEEE Fellow, AAAS
[42] A. R. MP, A. Kumar, S. J. Pai, and A. Gopal, “Enhancing secu- Fellow, and an ACM Distinguished Scientist. He
rity of docker using linux hardening techniques,” in 2016 2nd has served as the Editor-in-Chief of IEEE TDSC.
International Conference on Applied and Theoretical Computing and
Communication Technology (iCATccT), pp. 94–99, 2016.
[43] L. Fiorin, A. Ferrante, K. Padarnitsas, and S. Carucci, “Hardware-
assisted security enhanced linux in embedded systems: A pro-
posal,” in Proceedings of the 5th Workshop on Embedded Systems Secu-
rity, WESS ’10, (New York, NY, USA), Association for Computing Vijayalakshmi Atluri is a Professor of Com-
Machinery, 2010. puter Information Systems in the MSIS Depart-
[44] S. Mutti, E. Bacis, and S. Paraboschi, “An selinux-based intent ment, and research director for the Center for
manager for android,” in 2015 IEEE Conference on Communications Information Management, Integration and Con-
and Network Security (CNS), pp. 747–748, 2015. nectivity (CIMIC) at Rutgers University. Her re-
[45] X.-l. Song and C.-H. Yang, “Mobile device management system search interests include Information Security,
based on aosp and selinux,” in 2017 IEEE Second International Privacy, Databases, Workflow Management and
Conference on Data Science in Cyberspace (DSC), pp. 417–420, 2017. Distributed Systems. She has published over
[46] M. Dekker, J. Crampton, and S. Etalle, “Rbac administration in 150 technical papers in peer reviewed journals
distributed systems,” SACMAT ’08, pp. 93–102, 01 2008. and conference proceedings. She is an IEEE
[47] X. Jin, R. Krishnan, and R. Sandhu, “A role-based administra- Fellow and a member of the ACM.
tion model for attributes,” in Proceedings of the First International
Workshop on Secure and Resilient Architectures and Systems, SRAS

Access Control Model2
No ratings yet
Access Control Model2
18 pages
inf 320
No ratings yet
inf 320
2 pages
CH04-CompSec4e
No ratings yet
CH04-CompSec4e
48 pages
CH04 CompSec4e
No ratings yet
CH04 CompSec4e
48 pages
CH04 CompSec4e
No ratings yet
CH04 CompSec4e
48 pages
ACCESS CONTROL SYSTEM
No ratings yet
ACCESS CONTROL SYSTEM
12 pages
Information Security_Lec10 (2)
No ratings yet
Information Security_Lec10 (2)
19 pages
Iyer 2018
No ratings yet
Iyer 2018
12 pages
Policy Management in Enterprise Application
100% (2)
Policy Management in Enterprise Application
2 pages
RABAC: Role-Centric Attribute-Based Access Control: Xjin@cs - Utsa.edu, Ravi - Sandhu, Ram - Krishnan @utsa - Edu
No ratings yet
RABAC: Role-Centric Attribute-Based Access Control: Xjin@cs - Utsa.edu, Ravi - Sandhu, Ram - Krishnan @utsa - Edu
13 pages
Differentiating Between Access Control Terms
No ratings yet
Differentiating Between Access Control Terms
12 pages
CH04-CompSec3e-Access Control
No ratings yet
CH04-CompSec3e-Access Control
43 pages
Attributebased Access Control Vincent C Hu David F Ferraiolo pdf download
100% (1)
Attributebased Access Control Vincent C Hu David F Ferraiolo pdf download
89 pages
What Is Abac, Rbac, Etc
No ratings yet
What Is Abac, Rbac, Etc
12 pages
Access Control
No ratings yet
Access Control
34 pages
CH 04
No ratings yet
CH 04
41 pages
PBAC
No ratings yet
PBAC
14 pages
Lecture-21-IS-BSE-7A-SMI-Fall-2024
No ratings yet
Lecture-21-IS-BSE-7A-SMI-Fall-2024
48 pages
CS 3306 Unit 4 Written Assignment
No ratings yet
CS 3306 Unit 4 Written Assignment
6 pages
Role - Based Protection by Mastamooti
No ratings yet
Role - Based Protection by Mastamooti
15 pages
(IJCST-V4I1P11) :pradnya Agale
No ratings yet
(IJCST-V4I1P11) :pradnya Agale
4 pages
Wr as u4 Data
No ratings yet
Wr as u4 Data
7 pages
Unit 4 - CS
No ratings yet
Unit 4 - CS
32 pages
Lecture4 AccessControl
No ratings yet
Lecture4 AccessControl
13 pages
Attribute Based Access Control (Abac)
No ratings yet
Attribute Based Access Control (Abac)
4 pages
Access Control Models-1
No ratings yet
Access Control Models-1
3 pages
An Automatic Attribute Based Access Control Policy Extraction From Access Logs
No ratings yet
An Automatic Attribute Based Access Control Policy Extraction From Access Logs
14 pages
Advanced Computer Networks & Computer and Network Security: Prof. Dr. Hasan Hüseyin BALIK (4 Week)
No ratings yet
Advanced Computer Networks & Computer and Network Security: Prof. Dr. Hasan Hüseyin BALIK (4 Week)
36 pages
Computer Security: Principles and Practice: Access Control
No ratings yet
Computer Security: Principles and Practice: Access Control
24 pages
Week 02 Slides
No ratings yet
Week 02 Slides
59 pages
Access_Control_Models
No ratings yet
Access_Control_Models
1 page
Access Control (1)
No ratings yet
Access Control (1)
32 pages
Cknowledgment
No ratings yet
Cknowledgment
1 page
Jeas 0512 699 PDF
No ratings yet
Jeas 0512 699 PDF
3 pages
04 - Access Control
No ratings yet
04 - Access Control
53 pages
Data Secuirity
No ratings yet
Data Secuirity
35 pages
Lecture11 -Access Control
No ratings yet
Lecture11 -Access Control
34 pages
Lecture 20
No ratings yet
Lecture 20
22 pages
#10-11 Access Control Models
No ratings yet
#10-11 Access Control Models
51 pages
Security Chap 5
No ratings yet
Security Chap 5
68 pages
CS 3306 Unit 4 Programming Assignment
No ratings yet
CS 3306 Unit 4 Programming Assignment
6 pages
ASWIN TS DECODED NOTES UNIT 3 Instantiation Policy and Intermediate Control[1]
No ratings yet
ASWIN TS DECODED NOTES UNIT 3 Instantiation Policy and Intermediate Control[1]
3 pages
FALLSEM2024-25_BCSE317L_TH_VL2024250101438_2024-08-05_Reference-Material-I
No ratings yet
FALLSEM2024-25_BCSE317L_TH_VL2024250101438_2024-08-05_Reference-Material-I
28 pages
CS 3306 - Unit 4 Written Assignment Student University of The People Debanjana Chaudhuri
No ratings yet
CS 3306 - Unit 4 Written Assignment Student University of The People Debanjana Chaudhuri
4 pages
rbac-std-draft
No ratings yet
rbac-std-draft
43 pages
Week6_2
No ratings yet
Week6_2
50 pages
Bài 5 - Access Control
No ratings yet
Bài 5 - Access Control
27 pages
Access_Control_Models_Comparison_SY0-701
No ratings yet
Access_Control_Models_Comparison_SY0-701
2 pages
Lecture4 AccessControl
No ratings yet
Lecture4 AccessControl
13 pages
Principles of Information Security-Ch8
No ratings yet
Principles of Information Security-Ch8
41 pages
ACCESS CONTROL PRINCIPLES
No ratings yet
ACCESS CONTROL PRINCIPLES
7 pages
Netwrk Security
No ratings yet
Netwrk Security
22 pages
UNIT 5 OS NOTES (1)
No ratings yet
UNIT 5 OS NOTES (1)
19 pages
RBAC STD Proposal
No ratings yet
RBAC STD Proposal
29 pages
Lecture-13-ACL
No ratings yet
Lecture-13-ACL
19 pages
Computer Security: Principles and Practice: Chapter 4: Access Control
No ratings yet
Computer Security: Principles and Practice: Chapter 4: Access Control
41 pages
Handout 6 - Access Control
No ratings yet
Handout 6 - Access Control
48 pages
Ch04 Cryptographic Tools
No ratings yet
Ch04 Cryptographic Tools
27 pages
Computer Security: Principles and Practice
No ratings yet
Computer Security: Principles and Practice
21 pages
Location-Based Services Privacy Security and Assur
No ratings yet
Location-Based Services Privacy Security and Assur
11 pages
Adsa A4
No ratings yet
Adsa A4
3 pages
Week4 1
No ratings yet
Week4 1
37 pages
Project Fall 2024
No ratings yet
Project Fall 2024
5 pages
SIM Secure Interval Membership Testing and Applications To Secure Comparison
No ratings yet
SIM Secure Interval Membership Testing and Applications To Secure Comparison
16 pages
Sec22fall Srinivasan
No ratings yet
Sec22fall Srinivasan
18 pages
Mi Privacy-Preserving Face Recognition Using Random Frequency Components ICCV 2023 Paper
No ratings yet
Mi Privacy-Preserving Face Recognition Using Random Frequency Components ICCV 2023 Paper
12 pages
Privacy-Preserving Reverse Nearest Neighbor Query Over Encrypted Spatial Data
No ratings yet
Privacy-Preserving Reverse Nearest Neighbor Query Over Encrypted Spatial Data
15 pages
1 s2.0 S0020025510001386 Main
No ratings yet
1 s2.0 S0020025510001386 Main
12 pages

Efficiently Supporting Attribute-Based Access Control in Linux

Uploaded by

Efficiently Supporting Attribute-Based Access Control in Linux

Uploaded by

This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing.

Efficiently Supporting Attribute-based Access

1 I NTRODUCTION that capture various properties of the subjects, objects and

2.1 Users and Authentication

Fig. 2: High level overview of the ABAC LSM

Creation of shared directory and setting up of appropriate

3.3 ABAC LSM

Algorithm 3 ACT based access resolution

TABLE 3: Files in ABAC securityfs

length. Unlike normal write syscall, here a successful write

5.4.3 Environmental Attribute Service

Access Time (in µs)

source, one needs to copy contents of the security directory 102

Evaluation Access Time in User Space Access Time in Kernel Space

102 (user, object or environment) varies across configurations,

Evaluation Access Time in User Space Access Time in Kernel Space

Evaluation Access Time in User Space Access Time in Kernel Space

Evaluation Access Time in User Space Access Time in Kernel Space

Evaluation Access Time in User Space Access Time in Kernel Space

You might also like