

Attribute Mapping


Table 1: Three Path-Level Map Rules

level   flags      path
high               "/home/httpd"
low     child-of   "/home"
high               "/"


In addition to gaining supervisory control, LOMAC must also assign integrity levels to files in a manner that is persistent across reboots. LOMAC maintains a persistent mapping between levels and absolute canonical pathnames in its Path Level Map (PLM) module. Whenever the kernel opens a file, LOMAC labels its in-memory data structure (dentry) with the integrity level indicated by the PLM.

LOMAC's PLM implements a simple form of implicit attribute mapping [3]. Given an absolute canonical pathname, it consults a data structure similar to the abridged one shown in Table 1. This data structure is an array of records, each a (level, flag, path) triplet. The records are sorted longest path first. The basic algorithm is as follows: given a target path, search linearly through the list of records until a record is found whose path is a prefix of the target path. The level in this record is the proper level for the file named by the target path. For example, the level of "/home/httpd/html" is high, because it matches the record for prefix "/home/httpd". The attribute mapping is "implicit" because the appropriate level of a large number of files is implied by a small set of rules.

The child-of flag adds a slight bit of additional complexity. For example, the list of records uses the child-of flag in the record for /home. This record indicates that all children of /home are low by default. Because of the child-of flag, the record does not apply to /home itself, only its children.

If, during a search through the record list, the target path matches a record's path exactly, the flag field is checked. If the child-of flag is set, the match is ignored, and the search continues. Consequently, the level of "/home/httpd" is high because it exactly matches the record for prefix "/home/httpd", which has no child-of flag. The level of "/home/tfraser" is low because it matches the record for prefix "/home" with the child-of flag, and the level of "/home" is high because it skips the child-of "/home" record and matches the record for prefix "/".
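
The lookup described above, written out in C as an added example (this is not LOMAC's own source). The names plm_rec, plm_lookup and PLM_CHILD_OF and the numeric level values are hypothetical, and matching a prefix only at a path-component boundary is an assumption the text does not state.

```c
#include <stddef.h>
#include <string.h>

enum plm_level { PLM_LOW = 1, PLM_HIGH = 2 };   /* hypothetical values */
#define PLM_CHILD_OF 0x1   /* record applies to children only, not the path itself */

struct plm_rec {
    enum plm_level level;
    unsigned flags;
    const char *path;
};

/* Constructed from Table 1; must stay sorted longest path first. */
static const struct plm_rec plm_table[] = {
    { PLM_HIGH, 0,            "/home/httpd" },
    { PLM_LOW,  PLM_CHILD_OF, "/home"       },
    { PLM_HIGH, 0,            "/"           },
};

/* Returns the level for an absolute canonical path, or 0 if no record
 * matches (only possible for input that does not start with "/"). */
int plm_lookup(const char *path)
{
    size_t i, n = sizeof(plm_table) / sizeof(plm_table[0]);

    for (i = 0; i < n; i++) {
        const struct plm_rec *r = &plm_table[i];
        size_t plen = strlen(r->path);

        if (strncmp(path, r->path, plen) != 0)
            continue;                       /* record path is not a prefix */
        if (path[plen] == '\0') {           /* exact match: check the flag */
            if (r->flags & PLM_CHILD_OF)
                continue;                   /* child-of: ignore, keep searching */
            return r->level;
        }
        /* Assumption: a prefix counts only at a component boundary, so
         * "/homework" does not fall under the "/home" record. */
        if (r->path[plen - 1] == '/' || path[plen] == '/')
            return r->level;
    }
    return 0;
}
```

Because the first accepted record wins, a table that is not sorted longest path first would let the "/" record shadow every more specific rule.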

The actual list of PLM records used by the present version of LOMAC contains 25 records. The PLM can map levels to files on any type of filesystem, including remote network filesystems. It requires no filesystem support for storing attributes on disk. Since the PLM's list of rules is completely static, it is trivially persistent across reboots, and is not susceptible to consistency problems if the filesystem is modified while LOMAC is not running.

The PLM does have two main drawbacks, however. First, it requires canonical absolute pathnames as input. Determining the canonical absolute form of a pathname in a system call wrapper adds overhead.

Second, the PLM can produce inconsistent integrity level results when queried on files named by multiple hard links: If the different hard link names correspond to different levels, the PLM will return whichever level corresponds to the hard link name specified in a query. LOMAC prevents the creation of such confusing hard links during its run-time; administrators must take care to avoid creating them before they load LOMAC. This problem does not extend to symbolic links. LOMAC calls the appropriate kernel functions to translate all paths into canonical (all symbolic links translated) absolute (relative to the root directory) form before examining them. Consequently, LOMAC handles symbolic links properly.


2001-04-30