Chapter 8: The Virtual Filesystem
The other capability that comes into play isCAP_DAC_READ_SEARCH, which grants the process the right to
override DAC decisions when reading files and searching directories. If the capability is present, then
access is granted if any of the following conditions holds:❑ A Read operation was requested.
❑ The inode in question is a directory, and no Write access was requested.Finally, the question remains how ACLs are taken into account. If the inode in question has an ACL
associated with it (checked byIS_POSIXACL) and a permission check callback for ACLs was passed to
generic_permission, the callback is utilized right after the fsuid of the current task is compared with
the UID of the file in question. If the desired access is denied, then process capabilities might still allow
it. (Note that the DAC check can be skipped if an ACL callback is given because the standard DAC check
is included in the ACL check.) Otherwise, the result of the ACL check is directly returned.8.6 Summary
One of the core concepts ofUnixis that nearly every resource can be represented by a file, and Linux
has inherited this point of view. Files are therefore very prominent members of the kernel world, and
a considerable effort goes into their representation. This chapter has introduced the virtual filesystem, a
glue layer that sits between deeper kernel layers and userland. It provides various abstract data structures
to represent files and inodes, and implementations of real filesystems must fill in these structures such
that applications can always use the same interface to access and manipulate files irregardless of the
underlying filesystem.I have discussed how filesystems are mounted into the filesystem tree visible for userland applications,
and have additionally shown how shared subtrees can be used to create different views of the ‘‘global’’
filesystem depending on the namespace. You have also learned that the kernel employs a number of
pseudo-filesystems that are not visible to userland, but nevertheless contain some information that is
interesting for internal purposes.Opening files requires a traversal of the file tree, and you have seen how this problem is solved by the
VFS layer. Once a file has been opened, it can be written to and read from, and you have also seen how
the VFS is involved in these operations.Finally, you have learned that the kernel provides some generic standard functions that make things
easier for real filesystems like Ext3, as discussed in the next chapter, and how the kernel ensures that
only appropriately privileged users may access objects located in the filesystem.