Extending File Permission Granularity for Linux

Abstract

In the recent years, threats against intellectual properties, unauthorized information disclosures and data breaches have been raised high. Most of the above attacks initiated within the network, with the help of internal employees. Whether intentionally malicious or unintentionally hazardous, are by far the greater problem in online security. Therefore for system administrators and authorize parties, another level of security definition is needed to secure important files and documents while continuing business as it was. In Linux, traditional file system uses READ, WRITE and EXECUTE permissions over individual users and groups in order to control the file access and file operations. Although this has been the de-facto methodology, it has some disadvantages when it comes to highly secure and sensitive environments like banks and military. There is no straight forward way of defining permissions in operational aspect. The goal of this project is to increase the granularity levels of defining permissions of the Linux file system going beyond traditional read, write and execute permissions. It consists of mainly two modules. In meta header module, authorized user can define what, who and how things are accessible related to files. He can define on what operations needs to restrict on what devices, locations and domains. The other module is responsible for handling the file operations and restrict according to the defined permissions. Evaluation carried out on security, performance and usability aspects. There may have slight performance impact but it’s negligible compared to the requirements of security. Further, this implementation can extends go beyond ext4 and apply into main kernel development.