2.1.1.5 File systems
WLI security features are imposed on all directories and regular files that reside in file systems called through the VFS layer.
WLI generates metadata to keep track of its file access policies. Policy metadata might become scattered in files throughout a file system. VxFS (aka JFS) at revision 5.0.1 or later is an exception because metadata can be stored within a named stream. A named stream is associated with a file inode, but is not accessible through the usual open() on the file.
Because a proprietary utility like Symantec NetBackup is required for backing up named streams, the administrator may choose to have metadata stored on files only.
WLI also generates signature metadata for signed executable binaries. For native ELF binaries, the metadata is stored within a special section of the file.
Special device files within file systems are not affected by WLI with the exception of /dev/mem and /dev/kmem. In restricted mode, access to these files is denied except to applications explicitly granted the mem capability. For more information on WLI capabilities, see “Security features” (page 9) and wli(5).
2.2 WLI database
WLI maintains a set of regular files and directories under /etc/wli. Some files contain configuration data referenced during system boot, and others maintain user and administrator key associations within WLI. These files are installed with WLI or are generated when WLI is initialized, as described in “Configuring” (page 25). WLI prohibits write access to these files in restricted mode. In maintenance mode, the entire database can be read or written without WLI restrictions.
The following directories are under /etc/wli:
/etc/wli/keys | Directory containing |
| private keys, one per file. In maintenance mode, the directory |
| can be read and written. Read/write access is prohibited for |
| all files in this directory in restricted mode. |
/etc/wli/certificates | Directory containing public keys authorized for |
| verification of file access policies. |
The following files are under /etc/wli: | |
/etc/wli/wlicert.conf | File mapping WLI capabilities to authorized public keys. |
| For details on content, see wlicert.conf(4). WLI does not |
| permit write access to this file in restricted mode. |
/etc/wli/wlisyspolicy.conf | File containing security parameters read into kernel |
| memory early in the |
| content, see wlisys(1M) and wlisyspolicy(1M). |
/etc/wli/wlisys.conf | File containing initialization parameters for WLI kernel |
| components. For details on content, see wlisys(1M). |
2.3 WLI metadata files
WLI generates at least one metadata file. The number of metadata files generated depends on file system version, value of the wmdstoretype attribute, and file system type.
The following sections describe the metadata file types. All metadata file types have WLI write protection in restricted mode. To override WLI protection for file backup, see Section 1.2.2 (page 10).
16 Product overview
