
Executable File Access Domains

Executable File Access Domains are implemented as extended attributes (Section 5.3) of executable files. Each of the executable file ADs (Chapter 4, Subsection 4.3.5) is defined in terms of:

The rationale for implementing the latter feature is optimization. The LinSec implementation allows a maximum of 64 AD Groups to be defined, both for ease of implementation and for the performance gains of representing AD Groups and AD Group sets as 64-bit bitmaps. However, if a new AD Group had to be created whenever an executable required an AD that differs from what an existing AD Group provides only in the flag value of one or more constituent AD Elements, the maximum number of AD Groups would soon become a bottleneck. Therefore, LinSec allows an executable file to override the flag setting of a number of AD Elements belonging to the AD Groups it is a member of, by explicitly specifying the AD Elements in question and storing them directly in the extended attributes along with the AD Group membership information.

For example, suppose that AD Group 1 contains an AD Element denoting that the /etc directory can be accessed, and that an executable file foo needs exactly the AD described by AD Group 1 but with /etc excluded from it. Instead of defining a new AD Group for the purpose, the system administrator can give foo membership of AD Group 1 and, in addition, explicitly assign foo an AD Element representing /etc but with a flag value denoting the exclusion.
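The override described above can be sketched in C as follows. This is an added illustration, not LinSec source code: the type names, flag values, the rule that an element covers its path and everything beneath it, and the treatment of uncovered paths as outside the AD are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names and layout for illustration; not LinSec's real format. */
enum ad_flag { AD_NONE, AD_INCLUDE, AD_EXCLUDE };
struct ad_element { const char *path; enum ad_flag flag; };
struct ad_group { const struct ad_element *elems; size_t n; };
struct exec_ad {                        /* contents of the extended attribute */
    uint64_t group_set;                 /* bit i set: member of AD Group i */
    const struct ad_element *overrides; /* explicitly assigned AD Elements */
    size_t n_overrides;
};

/* Assumed rule: an element covers its own path and everything beneath it. */
static enum ad_flag lookup(const struct ad_element *e, size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(e[i].path);
        if (strncmp(e[i].path, path, len) == 0 &&
            (path[len] == '\0' || path[len] == '/'))
            return e[i].flag;
    }
    return AD_NONE;
}

/* Returns 1 if path lies inside the executable's access domain, else 0. */
int exec_ad_permits(const struct exec_ad *ad, const struct ad_group *groups,
                    const char *path)
{
    enum ad_flag f = lookup(ad->overrides, ad->n_overrides, path);
    if (f != AD_NONE)                   /* per-file element wins over groups */
        return f == AD_INCLUDE;
    for (unsigned g = 0; g < 64; g++)   /* walk the 64-bit AD Group set */
        if ((ad->group_set & (UINT64_C(1) << g)) &&
            lookup(groups[g].elems, groups[g].n, path) == AD_INCLUDE)
            return 1;
    return 0;                           /* assumed: uncovered path is outside */
}

/* Constructed sample: AD Group 1 = {/etc, /usr}; foo and bar are members,
 * and foo additionally carries /etc with the exclusion flag. */
static const struct ad_element g1[] = { {"/etc", AD_INCLUDE}, {"/usr", AD_INCLUDE} };
static const struct ad_group groups[64] = { [1] = { g1, 2 } };
static const struct ad_element foo_over[] = { {"/etc", AD_EXCLUDE} };
static const struct exec_ad foo = { UINT64_C(1) << 1, foo_over, 1 };
static const struct exec_ad bar = { UINT64_C(1) << 1, NULL, 0 };
```

Both foo and bar consume the same bit in the group set, so excluding /etc for foo costs one stored AD Element rather than one of the 64 available AD Groups.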

