Linux kernel stuff - very, very old

MAC - Mandatory Access Control/Compartments

A very early alpha release of MAC (Mandatory Access Control) support. This distribution contains a patch against kernel 2.2.12, patches for the userland utilities ipchains and ip, and a filesystem module, mlsfs, which together allow you to divide a running Linux system into separate mutually-invisible compartments, each effectively looking like a different "virtual machine". Compartments cannot see processes (via "ps" or kill) in other compartments. Compartments can have different routing tables, which can be configured so that they each have their own IP addresses, routing information and suchlike. Filesystems can be configured so that only a given compartment has access to them (more flexible than chroot).

This initial distribution implements integrity labels only at the moment and not sensitivity labels (following the KISS principle that compartment separation and system integrity labels are more useful in real life than sensitivity gradings).

Download. README.

Bufflink - fast lightweight kernel/userland communication

Bufflink provides a quick and easy way for kernel code to create a ring buffer and write to it from any context (process, bottom half or interrupt). A userland process can access it via a character device which behaves mostly like a FIFO.

Latest version is 0.3. Download. README.

Reqlog: write details of each block I/O request to a ring buffer

reqlog is a small patch to the Linux 2.2.12 kernel which writes brief details of each physical disk read/write to a ring buffer, from where a userland program can make use of the information. Example uses of this information are hot migration of live in-use block devices, as done by the bmigrate suite detailed below, or detailed disk I/O monitoring utilities (I'm going to write one Real Soon Now).

Latest version is 0.3. Download. README.

Bmigrate: hot migration of live in-use block devices

bmigrate is a set of programs which make use of the CONFIG_REQUEST_LOG option available in (the reqlog patch to) the Linux kernel in order to migrate the contents of a live in-use block device to a new location. This can be used to help migrate a large filesystem or database to a new system with only a few seconds unavailability time as the service is switched over.

Latest version is 0.3. Download. README.

Sockfs: a pseudo-filesystem for user/group-based access to privileged ports

sockfs is a pseudo-filesystem which allows the setting of owner, group and permissions for each reserved internet-domain port (i.e. family AF_INET, ports 1-1024). When mounted, directory entries for each reserved port appear (named 1, 2, 3, etc., rather like the procfs entries for each process named by PID).

The filesystem replaces the kernel privilege check for binding reserved ports. Instead of the default check which allows only root to bind to reserved ports, it checks whether the appropriate entry in the sockfs filesystem is writable by the process attempting the bind(). Owner, group and "other" bits are checked just as for ordinary file permission checks. The superuser (in fact, the fsuser just as for ordinary filesystems) is always granted permission. The filesystem allows the owner, group and permission bits to be changed by whoever has write access to the root of the mounted filesystem (usually root alone).
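The decision described above can be modelled in userland C as follows. This is an added example, not sockfs source code: the struct and function names are hypothetical, and the one-class-only evaluation (owner, else group, else other) is taken from the statement that the bits are checked just as for ordinary file permission checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Hypothetical model of one sockfs directory entry (one reserved port). */
struct port_entry {
    uid_t  owner;
    gid_t  group;
    mode_t mode;            /* permission bits; bind() needs the write bit */
};

/* Hypothetical model of the binding process's filesystem credentials. */
struct creds {
    uid_t        fsuid;
    gid_t        fsgid;
    const gid_t *groups;    /* supplementary groups, may be NULL */
    size_t       ngroups;
};

static bool in_group(const struct creds *c, gid_t g)
{
    if (c->fsgid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Returns true if bind() to the port described by e would be permitted. */
bool sockfs_may_bind(const struct port_entry *e, const struct creds *c)
{
    if (c->fsuid == 0)              /* the "fsuser" is always granted */
        return true;
    /* Exactly one class applies: owner, else group, else other. */
    if (c->fsuid == e->owner)
        return (e->mode & 0200) != 0;
    if (in_group(c, e->group))
        return (e->mode & 0020) != 0;
    return (e->mode & 0002) != 0;
}
```

Because only one class is consulted, an entry whose owner bits lack write permission denies the owner even when the group or other bits would allow the bind, which is worth checking when auditing the modes set on port entries.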

Sockfs was written for the 2.0 kernel and has not been updated since 1998, when the kernel patch side was refused for inclusion in the main kernel. If anyone is interested, it can be easily updated for 2.2+.

Latest version is alpha2. Download. README.


Basic IP clustering support for Linux.

E-mail: Malcolm Beattie <>
