Next: Overview Up: LinSec Filesystem Access Domains Previous: LinSec Filesystem Access Domains   Contents


Background and Definition

A File System Access Domain represents the portion of a file system that is visible to and accessible by a process. It effectively creates a file system cage, or sandbox, to which the running process is confined. File System Access Domains do not replace the traditional Linux file system access controls; they operate at a higher level, on top of them, as illustrated in Figure 4.1.

Figure 4.1: How LinSec FS Access Domain model fits Linux FS subsystem [figure: images/ad_def.eps]

The notion of File System Access Domains is best illustrated by an example: Figure 4.2 depicts a possible File System Access Domain of a process. By including /etc and /usr, the process is restricted to the portion of the file system represented by the subtrees below those two nodes (denoted by the outer ovals). However, the whole subtrees are not accessible to the process, as the file /etc/shadow and all files below the directory /usr/local are excluded from the FS Access Domain (denoted by the dashed inner ovals in the figure).

Figure 4.2: LinSec Access Domain Example [figure: images/ad_ex.eps]

A LinSec File System Access Domain can be further subdivided into:

Read Only Access Domain: a portion of a file system that can be used for read access only.

Read Write Access Domain: a portion of a file system that can be used for both read and write access.

The latter Access Domain is Read-Write as opposed to Write Only, as this avoids overlap in cases where files can be both read and written (in which case they would have to be duplicated in both of the Access Domains).

LinSec has no feature to prevent overlaps between the two access domains that may result from the way they are configured in a particular case. Inclusion of such a feature is not regarded as necessary: in cases of overlap between the access domains, the order in which a process's access domains are checked on a file system access request (Subsection 4.3.9) decides the outcome, and so becomes important.

In the context of the example illustrated by Figure 4.2, the process in question can access all files below /etc, with the exception of /etc/shadow, but only for reading. Writing to this subtree will not be permitted.
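The following Python model is an added example and is not LinSec's own code. It models an Access Domain as a set of included subtrees minus excluded subtrees, a process as a pair of Read Only and Read Write domains, and an access check that stops at the first domain containing the requested path. The example domain reproduces Figure 4.2 (/etc and /usr included, /etc/shadow and /usr/local excluded, read only); the Read Write domain /var/log/myapp and the overlapping entry /etc/myapp are constructed for illustration, and the check order (RW domain first) is an assumption, since the report only states that the order matters and leaves it to Subsection 4.3.9. Both orders are shown so the effect of the overlap is visible.

```python
"""Toy model of LinSec-style File System Access Domains (added example,
not LinSec code). Assumptions: paths are POSIX paths normalised with
posixpath.normpath; the first domain that contains a path decides the
request; which domain is checked first is a parameter."""
from dataclasses import dataclass, field
from posixpath import normpath


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies somewhere below directory root."""
    root = normpath(root)
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


@dataclass
class AccessDomain:
    """A portion of the file system: included subtrees minus excluded ones."""
    name: str
    includes: list
    excludes: list = field(default_factory=list)

    def contains(self, path: str) -> bool:
        # Normalisation collapses '..' and '//' so that /etc/../etc/shadow is
        # still recognised as the excluded file /etc/shadow.
        path = normpath(path)
        if not any(_under(path, inc) for inc in self.includes):
            return False
        return not any(_under(path, exc) for exc in self.excludes)


@dataclass
class ProcessDomains:
    """The Read Only and Read Write domains of one process."""
    read_only: AccessDomain
    read_write: AccessDomain
    check_rw_first: bool = True  # assumed order; the report defers this

    def check(self, path: str, mode: str) -> bool:
        """Return True if access in mode 'r' or 'w' is permitted.

        The first domain that contains the path decides: the RW domain
        grants reads and writes, the RO domain grants reads only. With an
        overlap, the check order therefore changes the answer for writes.
        """
        order = ([self.read_write, self.read_only] if self.check_rw_first
                 else [self.read_only, self.read_write])
        for ad in order:
            if ad.contains(path):
                return mode == "r" or ad is self.read_write
        return False  # outside every domain: denied


def example_domains(check_rw_first: bool = True) -> ProcessDomains:
    """Domains for the Figure 4.2 process (RW entries are constructed)."""
    ro = AccessDomain("ro", includes=["/etc", "/usr"],
                      excludes=["/etc/shadow", "/usr/local"])
    rw = AccessDomain("rw", includes=["/var/log/myapp", "/etc/myapp"])
    return ProcessDomains(ro, rw, check_rw_first)


if __name__ == "__main__":
    for first in (True, False):
        doms = example_domains(first)
        print(f"check_rw_first={first}")
        for path, mode in [("/etc/passwd", "r"), ("/etc/passwd", "w"),
                           ("/etc/shadow", "r"), ("/etc/../etc/shadow", "r"),
                           ("/usr/bin/ls", "r"), ("/usr/local/bin/x", "r"),
                           ("/var/log/myapp/out.log", "w"),
                           ("/etc/myapp/app.conf", "w"), ("/home/u/f", "r")]:
            print(f"  {mode} {path:28s} -> {doms.check(path, mode)}")
```

Running the script prints the decision for each path under both check orders; the only line that differs between the two orders is the write to the overlapping /etc/myapp/app.conf, which is exactly the situation the text says Subsection 4.3.9 must resolve.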

File System Access Domains build upon the traditional UNIX idea of changing the root directory of a process (popularly called chroot) in order to confine it to a subtree of the file system. The chroot approach proved to be very inflexible, as it is only capable of confining a process to a single, whole subtree of the main file system tree.

LinSec File System Access Domain is abbreviated AD in the rest of the report.

