David Wagner wrote:

> In Unix, file descriptors are capabilities.

Whoa boy, now we're getting to the meat of the subject!

In the model that we've used to evaluate U2X systems a file descriptor is a name for a file system object. The name is private to the process, and the access control policy to an object is different depending on what kind of name (FD vs. path) you use. The FD policy can be looser than the path name policy because the name is only recognized after access checks have been made on a path name.

> In the end, I guess modules that want good performance can pick
> a policy with Unix-like semantics where there is no need to mediate
> read()/write(), and modules that want radically-different policies
> will need to mediate read()/write() and pay the performance cost.
> I don't see any way to avoid this tradeoff, and as long as both
> options are open to both parties, it seems like everyone can go
> home happy. Am I right?

I think that's the nut of it.

--
Casey Schaufler
Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607
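The point made above, that the access check is made once when a path name is resolved and the resulting descriptor is a private handle whose later use is not re-checked against the path, can be seen directly from user space. The following C program is an added illustration, not code from the thread or from the LSM project; the temporary file it creates under /tmp is constructed for the demonstration.

```c
/* Added example (not from the original thread): a Unix file descriptor keeps
 * working after the path it was opened through stops resolving. The access
 * check happens once, when open(2) resolves the path name; the descriptor is
 * then a per-process handle whose use via read(2) is not re-checked. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if (a) the path no longer opens after unlink and (b) the
 * descriptor obtained earlier still reads the data back; 0 otherwise. */
int fd_outlives_path(void)
{
    char path[] = "/tmp/fdcap-XXXXXX";   /* constructed temporary file */
    const char msg[] = "capability";
    char buf[sizeof msg];
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (write(fd, msg, sizeof msg) != (ssize_t)sizeof msg) {
        close(fd);
        return 0;
    }

    /* Remove the path-name route to the object. Existing descriptors are
     * unaffected: the object lives until the last reference is dropped. */
    if (unlink(path) != 0) {
        close(fd);
        return 0;
    }

    /* Path-based access now fails at name resolution time... */
    int by_path = open(path, O_RDONLY);
    if (by_path >= 0) {
        close(by_path);
        close(fd);
        return 0;
    }

    /* ...but the descriptor, granted while the check passed, still works. */
    if (lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return 0;
    }
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)sizeof msg && memcmp(buf, msg, sizeof msg) == 0;
}

int main(void)
{
    printf("fd outlives path: %s\n", fd_outlives_path() ? "yes" : "no");
    return 0;
}
```

This is exactly the case a module that only mediates open() leaves unmediated: once the descriptor exists, revoking or tightening the path-level policy does not reach it, which is the cost side of the tradeoff discussed above.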
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 16:13:44 PDT