
API extensions

Due to the large number of new file-related calls and the potential need for future expansion, the new file-related calls were implemented as library functions that invoke a single system call, flask_filecall, with a first parameter that identifies the specific call. Internally, the Linux file system component uses a variant of the Virtual File System (VFS) interface. Extended forms of the file creation operations were added to this interface to permit the filesystem-independent code to pass the SID of the new file to the filesystem-specific code. New operations would not have been necessary if the existing file creation operations accepted a general attribute structure as a parameter, as in the BSD VFS interface.

SID parameters needed to be added to several internal functions to support the new system calls. Some of these internal functions are called from many different locations within the kernel and may be called from kernel-loaded modules. Consequently, it was not practical to simply change the existing function and update all calls to it. For such functions, _secure was appended to the function name, and the interface and implementation of the function were extended for the new processing. A stub function that merely calls the new function with default parameters was added using the old function name and interface. This permits the existing code to continue to use the old function interface, but introduces the overhead of an extra function call in these cases.
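The two patterns described above, one multiplexed entry point selected by its first parameter and a _secure function fronted by a stub under the old name, modeled in user-space C. This is an added example, not the Flask or Linux kernel code; every demo_ name, the SID type, the default SID value, the call numbers and the toy inode table are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>

typedef unsigned int demo_sid_t;        /* hypothetical SID type */
#define DEMO_SID_DEFAULT 1u             /* hypothetical default label */
enum demo_call { DEMO_CALL_MKDIR, DEMO_CALL_GETSID };  /* hypothetical selectors */
struct demo_inode { int used; int mode; demo_sid_t sid; };
struct demo_mkdir_args { int mode; demo_sid_t sid; };
static struct demo_inode demo_table[8]; /* toy stand-in for a filesystem */

/* Extended internal function: the old job plus an explicit SID. */
int demo_create_secure(int mode, demo_sid_t sid)
{
    for (int i = 0; i < 8; i++)
        if (!demo_table[i].used) {
            demo_table[i] = (struct demo_inode){ 1, mode, sid };
            return i;
        }
    return -ENOSPC;
}

/* Stub under the old name and interface; existing callers are unchanged. */
int demo_create(int mode) { return demo_create_secure(mode, DEMO_SID_DEFAULT); }

/* Single entry point: the first parameter selects the operation. */
long demo_filecall(int call, void *args)
{
    struct demo_mkdir_args *a = args;
    int *idx = args;
    if (args == NULL)
        return -EINVAL;
    switch (call) {
    case DEMO_CALL_MKDIR:
        return demo_create_secure(a->mode, a->sid);
    case DEMO_CALL_GETSID:
        if (*idx < 0 || *idx >= 8 || !demo_table[*idx].used)
            return -ENOENT;
        return (long)demo_table[*idx].sid;
    default:
        return -ENOSYS;                 /* unknown selector is refused */
    }
}

/* Library wrapper: the function a program would actually call. */
int demo_mkdir_secure(int mode, demo_sid_t sid)
{
    struct demo_mkdir_args a = { mode, sid };
    return (int)demo_filecall(DEMO_CALL_MKDIR, &a);
}
```

A caller of the old demo_create always ends up with the default SID, so any path that must assign a specific label has to reach the _secure variant directly or through the multiplexed call.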

