
GB2415530A - File system mandatory access control - Google Patents

File system mandatory access control

Info

Publication number
GB2415530A
Authority
GB
United Kingdom
Prior art keywords
access
file
compartment
rules
rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB0518974A
Other versions
GB2415530B (en)
GB0518974D0 (en)
Inventor
Tse-Huong Choo
Scott Alan Leerssen
Joubert Berger
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HP Inc
Original Assignee
Hewlett Packard Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US09/896,019 (US7962950B2)
Application filed by Hewlett Packard Co
Publication of GB0518974D0
Publication of GB2415530A
Application granted
Publication of GB2415530B
Anticipated expiration
Current legal status: Expired - Fee Related

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

In one embodiment, the present invention is related to a computer system including compartments implemented on an operating system. A database contains access rules with said access rules defining which compartments are authorized to access particular file resources. A kernel module receives a system call to access a file from a user space application belonging to a compartment. A security module determines whether said user space application is authorized to access said file utilizing access rules stored in said database, wherein said security module is operable to permit access as a default rule when no access rule is located. This allows a reduction in size of the access rules database, with no entry required if the default rule is applicable. The access rules database may be configured to mirror the directory/subdirectory structure of the file resources.

Description

SYSTEM AND METHOD FOR FILE SYSTEM MANDATORY ACCESS CONTROL
RELATED APPLICATIONS
This application is related to concurrently filed and commonly assigned U.S. Patent Application Serial No. , entitled "SYSTEM AND METHOD FOR MANAGEMENT OF COMPARTMENTS IN A TRUSTED OPERATING SYSTEM," which is hereby incorporated herein by reference.
TECHNICAL FIELD
The present invention is directed to a system and method for computer containment and more particularly to a system and method for restricting access to files by processes.
BACKGROUND
Containment refers to restrictions on a computer system which prevent user-space applications from performing certain actions. In particular, containment is achieved by forcing a large untrusted application to utilize a smaller trusted application to perform certain actions.
By forcing the larger application to do so, the smaller application may ensure that the larger application does not perform undesirable actions, such as interfering with other applications.
One aspect of containment is restricting access to files. For example, it may be advantageous to restrict access to a configuration file, since the configuration file may be utilized to breach the security of the system. Likewise, it is advantageous to prevent most processes from being able to read or write to files containing password information.
To restrict access to files, known trusted operating systems associate access information with each file stored on a file system. Specifically, the file structure is modified to include an additional permission data structure with each file. The permission data structure contains essentially a list of identifiers, with each identifier specifying a group of processes that are allowed to access the respective file. When a process attempts to access a particular file, the process performs a system call to the kernel. The identifier of the process is obtained by the kernel routine associated with the system call. The kernel routine accesses the file by reading the list of identifiers. A logical comparison is made between the identifier received from the process and the list of identifiers. If a match is found, the kernel routine performs the access operation (e.g., opening the file). If no match is found, the kernel routine does not perform the access operation and, instead, returns an exception (e.g., an error message).
Although associating such a data structure with each file does restrict certain processes from accessing certain files, this approach is problematic in many respects. First, the amount of permission data is large, because file systems of ordinary complexity typically contain thousands of files. Secondly, the task of synchronizing permission data with file creation and file deletion is challenging. For example, many processes may create and delete files during their operation. If permission data is created or modified for each file operation, system performance is significantly degraded. Moreover, if permission data is also maintained by a system administrator, system administration is quite cumbersome when the number of files exceeds a small number.
It shall be appreciated that associating the additional data structure with each file causes the file system format to be incompatible with other file system formats. In particular, this approach is incompatible with the file system formats utilized by traditional UNIX operating systems. Thus, once data is stored in the above format, well-known applications and utilities cannot be utilized with the preceding access-limiting file structure.
SUMMARY OF THE INVENTION
In one embodiment, the present invention is related to a computer system including compartments implemented on an operating system. A database contains access rules, with said access rules defining which compartments are authorized to access particular file resources. A kernel module receives a system call to access a file from a user space application belonging to a compartment. A security module determines whether said user space application is authorized to access said file utilizing access rules stored in said database.
BRIEF DESCRIPTION OF THE DRAWINGS
FIGURE 1 depicts a block diagram example of compartments according to the prior art.
FIGURE 2 depicts an exemplary system that utilizes compartments to provide containment according to embodiments of the present invention.
FIGURE 3 depicts another exemplary system that utilizes compartments to provide containment according to embodiments of the present invention.
FIGURE 4 depicts an exemplary file system to which access is restricted according to embodiments of the present invention.
DETAILED DESCRIPTION
Compartments refer to groups of processes or threads which are limited to accessing certain subsets of system resources of a computer system. FIGURE 1 depicts a block diagram example of compartments. System 100 includes two subsets of system resources (resource 1 and resource 2). System 100 also includes three compartments (designated compartments A, B, and C). Compartment A is only permitted to access the system resources associated with resource 1. Compartment C is only permitted to access the system resources associated with resource 2. Compartment B is permitted to access the system resources associated with both resource 1 and resource 2. As an example, if a process is designated as belonging to compartment A, the process would be allowed to access resource 1 but would be prevented from accessing resource 2.
According to embodiments of the present invention, by utilizing compartments, the security of a computer system may be enhanced through mandatory access control.
Mandatory access control refers to access control that a process cannot override. By utilizing mandatory access control, a breach of security in one compartment will not affect resources associated with another compartment. Specifically, if the security of an application operating in compartment A is compromised, the breach of security is limited to a subset of system resources. For example, resource 1 may include system resources associated with receiving TCP/IP packets without including system resources used to send TCP/IP packets. Instead, the system resources used to send TCP/IP packets may be assigned to resource 2. If an application in compartment A is compromised by a buffer-overflow attack, the application could not be utilized to launch a denial of service attack against another web resource. The application could not launch such an attack, since it is not permitted to access system resources associated with sending TCP/IP packets.
In embodiments of the present invention, any number of system resources may be organized according to compartment access control. For example, system resources associated with TCP/IP networking, routing tables, routing caches, shared memory, message queues, semaphores, process/thread handling, and user-id (UID) handling may be limited by utilizing compartments according to embodiments of the present invention.
FIGURE 2 depicts exemplary system 200 that illustrates how compartments may be implemented according to embodiments of the present invention. System 200 includes process 201 that is associated with a compartment. Process 201 executes code in user-space, i.e. a hardware-enforced operating mode that limits the operations of process 201. Process 201 may include code that is operable to attempt to access a protected resource (e.g., opening a certain file) according to a compartment scheme. Process 201 performs a system call to the kernel of the operating system. The system call includes transferring control to access control logic 202. Access control logic 202 receives a compartment identifier or tag of process 201.
Access control logic 202 utilizes the compartment identifier to search rule database 203 to determine whether the compartment associated with process 201 is permitted access to the particular resource. If access is permitted by the rules contained in rule database 203, access control logic 202 transfers processing control to communication access module 204 that performs the software operations to access the resource. If access is not permitted, access control logic 202 transfers processing control to exception handling module 205. Exception handling module 205 may return an exception (e.g., an error message) to process 201 and/or it may stop the operations of process 201.
System 300 of FIGURE 3 depicts another exemplary system that utilizes compartments to provide containment. System 300 includes a plurality of compartments. In this example, WEB compartment 301, FTP compartment 302, and SYSTEM compartment 303 are shown. Each compartment is associated with various executing processes or threads.
The processes of the compartments are limited to accessing system resources according to the rules stored in rule database 316. Rule database 316 may include various components or modules for the various types of resources. Rule database 316 may comprise separate tables for TCP/IP networking resource rules and for file system resource rules. Also, the various components may be stored in different locations. For example, TCP/IP resource rules may be stored in random access memory while file system resource rules may be stored on the file system.
SYSTEM compartment 303 may include processes that facilitate command line utilities 304 to modify the compartments or rules associated with the compartments.
Command line utilities 304 may include commands to create or delete a particular compartment. Command line utilities 304 may further include commands to create, delete, and/or modify the rules stored in rule database 316 that limit access to system resources.
Command line utilities 304 may further include commands to execute a process in a specific compartment. For example, a command may be utilized to execute an HTTP web server application in WEB compartment 301. The command causes a thread to be created.
The command also creates an entry in the thread registry of the kernel (not shown). The thread is associated with a unique identifier. Also, the thread is associated with the identifier of WEB compartment 301. When the particular thread makes system calls to the kernel to access system resources, the kernel utilizes the unique thread identifier to determine the compartment identifier. The kernel then determines whether the particular thread is authorized to access the requested resource. It shall be appreciated that this approach is quite advantageous, because this approach requires no modification to the application being executed. Thus, the exemplary compartment approach described herein allows the security of ordinary platforms to be upgraded to include access control without requiring appreciable modification of user-space application code.
In the example of FIGURE 4, command line utilities 304 access the kernel via kernel modules 322. Routines of kernel modules 322 advantageously perform the actual manipulation (e.g., addition, modification, or deletion) of the respective objects as desired by the particular commands. Further examples of compartment manipulation via command line utilities are disclosed in U.S. Patent Application Serial No. , entitled "SYSTEM AND METHOD FOR MANAGEMENT OF COMPARTMENTS IN A TRUSTED OPERATING SYSTEM," which has been incorporated herein by reference.
The kernel of system 300 includes a plurality of modules. Certain modules are accessed by the various compartments via system calls. For example, processes operating in either WEB compartment 301 or FTP compartment 302 may communicate with processes operating on other systems via the Internet by utilizing system calls to routines of TCP/IP networking module 306. Socket communication may occur via UNIX domain sockets module 308. Interprocess communication module 310 includes kernel routines to facilitate communication between processes via shared memory, stacks, semaphores, and/or the like.
Interprocess communication module 310 may also facilitate spawning or forking new processes. File access module 312 may facilitate access to files on a file system. For example, file access module 312 may facilitate opening, closing, reading from, writing to, deleting, renaming files, and/or the like. Other kernel modules may be provided via other subsystems module 314.
Each of the kernel modules advantageously interacts with security module 320.
Security module 320 enforces the compartment scheme to prevent unauthorized access to system resources. Security module 320 utilizes device configuration module 318 and rule database 316 to facilitate compartment limitations. Security module 320 is capable of determining which resources are available to system 300 via device configuration module 318. Security module 320 further receives identification of a compartment and identification of a system resource to be accessed from a routine of a kernel module. Security module 320 searches rule database 316 to locate an applicable rule. Security module 320 permits or disallows access upon the basis of an applicable rule, or upon the basis of a default rule if no applicable rule is located.
It shall be appreciated that system 300 is an exemplary system. The present invention is not limited to any particular compartment or containment scheme. Specifically, numerous approaches may be utilized to prevent processes belonging to a compartment from accessing system resources. For example, access control may be implemented at the user level via several techniques. A strace() mechanism may be utilized to trace each system call of a given process. The strace() mechanism examines each system call and its arguments. The strace() mechanism either allows or disallows the system call according to rules defined in a rule database. As another example, system call wrapping may be utilized. In system call wrapping, wrapper functions, using a dynamically linked shared library, examine system calls and arguments. The wrapper functions also either allow or disallow system calls according to rules defined in a rule database. User-level authorization servers may be utilized to control access to system resources. User-level authorization servers may control access to system resources by providing a controlled data channel to the kernel.
In embodiments of the present invention, access to files by processes is restricted by rules based on process compartments. Reference is now made to FIGURE 4, which depicts exemplary file system 400 to which access is controlled by rules based on process compartments. File system 400 is organized according to a subdirectory structure. The highest component of file system 400 is the root directory (referred to as root 401).
Underneath root 401, several subdirectories are shown, including /apache 402, /lib 403, and /etc 404. It shall be appreciated that any number of subdirectories could exist at any level of file system 400. However, the number of subdirectories shown in FIGURE 4 is limited to aid the reader's understanding of embodiments of the present invention. Additionally, several subdirectories are shown underneath /apache 402 (/apache/conf 405 and /apache/logs 406).
As is well known in the art, the pathname to a file in a subdirectory is given by the various subdirectories. For example, the pathname for the file "/apache/conf/user0146.logs" is /apache/conf 406. The pathname and filename may be passed to a function or a system call to perform various access operations such as opening the file, reading from the file, writing to the file, renaming the file, deleting the file, and/or the like.
TABLE I, below, sets forth a number of exemplary rules that may be included in database 316 to control access to file system 400 consistent with the teachings of the present invention:
TABLE I

Rule No.  Compartment  Pathname      Access
1         WEB          /apache/conf  READ
2         WEB          /apache/logs  READ, WRITE
3         WEB          /             NONE (no access)
4         SYSTEM       /             READ, WRITE

The rules of TABLE I define the permissions given to any process belonging to WEB compartment 301 and SYSTEM compartment 303 to access files within root directory 401 and files within the /apache/conf 405 and /apache/logs 406 subdirectories. For example, a process that belongs to WEB compartment 301 is permitted to read any file within /apache/conf 405 and is allowed to read or write to any file within /apache/logs 406.
However, processes belonging to WEB compartment 301 are not permitted any access to files within root directory 401. A process in SYSTEM compartment 303 is permitted read and write access to files within root directory 401.
The rules set forth in TABLE I may be stored in database 316 in any form. However, it is advantageous to store the rules in a manner that parallels the subdirectory structure of file system 400. For example, database 316 may include a series of data structures for each subdirectory of file system 300. The data structures for each subdirectory may contain the rules pertaining to the respective subdirectories. Also, the data structures may form a linked list structure. Specifically, each data structure may contain a pointer to its parent subdirectory and a pointer to each child subdirectory. By organizing the rules in this preferable manner, security module 320 may search the database in an efficient manner by traversing the data structures according to the pathname of the file to be accessed. It shall be appreciated that other mechanisms may be utilized in lieu of a pointer approach. For example, a relational database structure may be utilized to organize rules according to the structure of file system 400.
Additionally, it is advantageous to minimize the number of rules stored in database 316. According to embodiments of the present invention, a default rule may be placed in root directory 401 for compartments. The default rule is applied until another rule is specified at a data structure associated with a lower subdirectory. The specific rule in the data structure associated with the lower subdirectory is applied to every child subdirectory thereafter until another rule is located. According to the exemplary rules given in TABLE I, the default rule for a process belonging to WEB compartment 301 is no access. More specific rules are provided for /apache/conf 405 and /apache/logs 406. By applying this approach, a process belonging to WEB compartment 301 is allowed access to read from every file in /apache/conf 405 and every child subdirectory associated with /apache/conf 405. Likewise, a process belonging to WEB compartment 301 is allowed access to read from and write to every file in /apache/logs 406 and every child subdirectory associated with /apache/logs 406.
According to embodiments of the present invention, security module 320 determines which rules apply based on the compartment identifier of the process. If no rules are located in rule database 316, access is permitted by default. If one or more rules apply, security module 320 preferably utilizes the most specific rule. Specifically, security module 320 first examines the rules to determine whether a specific rule applies to the particular file. If such a rule is located, it is applied. If not, security module 320 examines the lowest subdirectory associated with the file that is defined by the pathname. If a rule is provided for that subdirectory, it is applied. If not, security module 320 successively searches for a rule at each higher parent subdirectory until a rule is located or root directory 401 is reached.
For example, a process belonging to WEB compartment 301 may attempt to read /apache/conf/httpd.conf. A number of rules (Rules 1, 2, and 3) exist for WEB compartment 301. Accordingly, the most specific rule is applied. The rule pertaining to the lowest subdirectory, /apache/conf 405, is applied, i.e. Rule 1, because no rule explicitly exists for /apache/conf/httpd.conf. Security module 320 permits access on the basis of Rule 1. Later, the same process belonging to WEB compartment 301 may attempt to write to /apache/conf/httpd.conf. As discussed, Rule 1 applies. In this case, security module 320 does not permit access to the file, because only READ access is permitted by Rule 1.
The same process belonging to WEB compartment 301 may attempt to write to /etc/passwd. A number of rules (Rules 1, 2, and 3) exist for WEB compartment 301. A specific rule is not provided for the file. Accordingly, security module 320 examines the lowest subdirectory defined by the pathname. No rule applies for /etc 404 for WEB compartment 301. Security module 320 searches the parent of /etc 404, which is root directory 401. Security module 320 locates Rule 3 (no access), which is associated with root directory 401. Accordingly, access is not permitted.
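The rule tree, the most-specific-rule search and the default-permit behaviour described above, worked through on the TABLE I rules as an added illustration (this is not code from the patent or from any HP product; the class and function names are my own, and the tree is walked top-down, which yields the same rule as the bottom-up search the text describes):

```python
"""Compartment-based file access rules stored in a tree that mirrors the
directory structure (the TABLE I example), with most-specific-rule lookup
and the patent's default of "permit" when no rule is found.
Hypothetical illustration; names are not from the patent."""
from dataclasses import dataclass, field
from posixpath import normpath

READ, WRITE = "READ", "WRITE"


@dataclass
class RuleNode:
    """One node per directory (or file) that carries at least one rule.
    rules: compartment name -> frozenset of permitted operations
    children: path component -> child RuleNode (the 'pointer to each
    child subdirectory' in the text)."""
    rules: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)


class RuleDatabase:
    def __init__(self):
        self.root = RuleNode()          # root directory 401

    @staticmethod
    def _parts(pathname):
        # Canonicalise before matching so that "." / ".." / "//" in a
        # requested path resolve to the directory the rule was written for.
        # (A real kernel module would match on the resolved dentry path;
        # symbolic links are not handled in this offline illustration.)
        canonical = normpath("/" + pathname.lstrip("/"))
        return [c for c in canonical.split("/") if c]

    def add_rule(self, compartment, pathname, access):
        """Attach a rule to the node for `pathname`, creating intermediate
        nodes as needed. An empty `access` is the NONE (no access) rule."""
        node = self.root
        for part in self._parts(pathname):
            node = node.children.setdefault(part, RuleNode())
        node.rules[compartment] = frozenset(access)

    def lookup(self, compartment, pathname):
        """Return the most specific rule for (compartment, pathname).
        Walking from the root and remembering the last rule seen is the
        same as searching upward from the file until a rule is found.
        Returns None when no rule exists anywhere on the path."""
        node = self.root
        found = node.rules.get(compartment)
        for part in self._parts(pathname):
            node = node.children.get(part)
            if node is None:            # no deeper rules on this path
                break
            if compartment in node.rules:
                found = node.rules[compartment]
        return found

    def check(self, compartment, pathname, operation):
        """Security-module decision: True = permit, False = deny."""
        rule = self.lookup(compartment, pathname)
        if rule is None:
            return True                 # default rule: permit if no rule
        return operation in rule


def table_i_database():
    """Build rule database 316 populated with the four TABLE I rules."""
    db = RuleDatabase()
    db.add_rule("WEB", "/apache/conf", [READ])          # Rule 1
    db.add_rule("WEB", "/apache/logs", [READ, WRITE])   # Rule 2
    db.add_rule("WEB", "/", [])                         # Rule 3: NONE
    db.add_rule("SYSTEM", "/", [READ, WRITE])           # Rule 4
    return db


if __name__ == "__main__":
    db = table_i_database()
    for comp, path, op in [("WEB", "/apache/conf/httpd.conf", READ),
                           ("WEB", "/apache/conf/httpd.conf", WRITE),
                           ("WEB", "/etc/passwd", WRITE),
                           ("SYSTEM", "/etc/passwd", WRITE),
                           ("FTP", "/etc/passwd", WRITE)]:
        print(f"{comp:6} {op:5} {path:25} -> "
              f"{'permit' if db.check(comp, path, op) else 'deny'}")
```

Note the last case: the FTP compartment has no rule at all, so the default-permit rule lets it write /etc/passwd; under this scheme every compartment that should be confined needs an explicit root rule like Rule 3.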
It shall be appreciated that embodiments of the present invention provide several advantages. First, the use of a database to retain access information related to compartments greatly simplifies security management. Specifically, it is not necessary to apply and validate access information for each file. Synchronization issues are significantly reduced, since access information need not be modified for each added or deleted file. The amount of access information is significantly reduced, because rules are based on subdirectories instead of on individual files. Structuring the database of rules to parallel the subdirectory structure of the file system allows for efficient access to rules of the database by the kernel. Also, structuring the database in this manner simplifies maintenance of rules by a system administrator. Additionally, it shall be appreciated that embodiments of the present invention are compatible with known file system formats. Specifically, embodiments of the present invention may be implemented without modifying the file structure of files, because a database is utilized that is distinct from the files. Accordingly, embodiments of the present invention allow platforms to implement security procedures without requiring modification of the user space applications or modification of their file systems.

Claims (1)

  WHAT IS CLAIMED IS:
  1. A computer system for controlling access to certain files by processes, said computer system comprising: compartments implemented on an operating system; a database containing access rules, said access rules defining which compartments are authorized to access particular file resources; a kernel module for receiving a system call to access a file from a user space application belonging to a compartment; and a security module for determining whether said user space application is authorized to access said file utilizing access rules stored in said database, wherein said security module is operable to permit access when no access rule is located.
GB0518974A 2001-06-29 2002-06-20 System and method for file system mandatory access control Expired - Fee Related GB2415530B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/896,019 US7962950B2 (en) 2001-06-29 2001-06-29 System and method for file system mandatory access control
GB0214263A GB2379764B (en) 2001-06-29 2002-06-20 System and method for file system mandatory access control

Publications (3)

Publication Number Publication Date
GB0518974D0 GB0518974D0 (en) 2005-10-26
GB2415530A true GB2415530A (en) 2005-12-28
GB2415530B GB2415530B (en) 2006-02-15

Family

ID=35463704

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0518974A Expired - Fee Related GB2415530B (en) 2001-06-29 2002-06-20 System and method for file system mandatory access control

Country Status (1)

Country Link
GB (1) GB2415530B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0768594A1 (en) * 1995-10-10 1997-04-16 Data General Corporation Computer system security
WO2002061552A1 (en) * 2001-01-31 2002-08-08 Hewlett-Packard Company Trusted gateway system
WO2002061554A1 (en) * 2001-01-31 2002-08-08 Hewlett-Packard Company Trusted operating system
WO2002061553A1 (en) * 2001-01-31 2002-08-08 Hewlett-Packard Company Network adapter management
GB2376764A (en) * 2001-06-19 2002-12-24 Hewlett Packard Co A trusted computing environment with an integrity metric for both host and guest operating systems

Also Published As

Publication number Publication date
GB2415530B (en) 2006-02-15
GB0518974D0 (en) 2005-10-26

Similar Documents

Publication Publication Date Title
US7962950B2 (en) System and method for file system mandatory access control
JP2739029B2 (en) How to control access to data objects
US7191469B2 (en) Methods and systems for providing a secure application environment using derived user accounts
US6457130B2 (en) File access control in a multi-protocol file server
CA2312492C (en) Multi-protocol unified file-locking
KR101153064B1 (en) Systems and methods for fine grained access control of data stored in relational databases
US7085928B1 (en) System and method for defending against malicious software
US8850549B2 (en) Methods and systems for controlling access to resources and privileges per process
US20180189300A1 (en) Method and system for providing restricted access to a storage medium
US8359467B2 (en) Access control system and method
US7293033B1 (en) System and method for providing effective file-sharing in a computer system to allow concurrent multi-user access
US20070094471A1 (en) Method and system for providing restricted access to a storage medium
US20090271586A1 (en) Method and system for providing restricted access to a storage medium
US20180218148A1 (en) System call policies for containers
Gligor et al. Design and implementation of secure Xenix
Van Meter et al. Derived Virtual Devices: A secure Distributed File system
US7487548B1 (en) Granular access control method and system
GB2415530A (en) File system mandatory access control
EP1504321A2 (en) Method and system for providing a secure application environment using derived access rules
US20140115005A1 (en) System and methods for live masking file system access control entries
Jaeger et al. Security architecture for component-based operating systems
US20240320356A1 (en) File system data access control method, computer-readable storage medium and data storage device
CN111209580B (en) Method, system and medium for isolating shared user environment based on mandatory access control
CN112379968B (en) Method, device, equipment and storage medium for applying multiple openings
KR100604239B1 (en) A method of operating a file server by implementing a single file locking semantics for various file locking protocols and a file server operated by the method

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20120329 AND 20120404

732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20160701 AND 20160706

732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20181105 AND 20181107

PCNP Patent ceased through non-payment of renewal fee

Effective date: 20180620