David Wagner wrote:
>
> Casey Schaufler wrote:
> >In some implementations of Mandatory Access Control
> >checks are done on every operation just in case the
> >MAC label changed after the open.
>
> I see. Suppose our hooks had the following properties:
> 1. For modules that mediate every read()/write() call,
> they can do so, but performance might be affected due
> to the unavoidable overhead of a function call.

Yup.

> 2. Modules that don't want to mediate any read()/write()
> calls won't incur any noticeable performance overhead.

If we implement the module mechanism correctly!

> If both properties could be achieved with some mechanism,
> would this be sufficient to support these MAC applications?

Absolutely.

As an aside, I don't much care for doing security checks
on FD accesses. I've never done it on the systems I've built.

--
Casey Schaufler Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
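The two hook properties discussed in this thread, as an added example that is not part of the original message or of the LSM code: a module that registers a read hook re-checks the label on every read and catches a relabel after open, while a module that leaves the hook NULL pays only a pointer test. All struct, function and variable names here are hypothetical.

```c
#include <stdio.h>

/* All names are hypothetical; this is not the LSM project's interface. */
struct subject { int clearance; };
struct object  { int label; };   /* MAC label; may change after open */
struct file    { const struct subject *subj; const struct object *obj; };
struct sec_ops {                 /* a NULL hook means "not mediated" */
    int (*file_open)(const struct subject *, const struct object *);
    int (*file_read)(const struct file *);
};
static int mac_open(const struct subject *s, const struct object *o) {
    return s->clearance >= o->label ? 0 : -1;
}
static int mac_read(const struct file *f) {   /* re-check the current label */
    return mac_open(f->subj, f->obj);
}
const struct sec_ops open_only_ops  = { mac_open, NULL };
const struct sec_ops every_read_ops = { mac_open, mac_read };

int do_open(const struct sec_ops *ops, struct file *f,
            const struct subject *s, const struct object *o) {
    if (ops->file_open && ops->file_open(s, o) != 0)
        return -1;
    *f = (struct file){ s, o };
    return 0;
}

int do_read(const struct sec_ops *ops, const struct file *f) {
    /* Property 2: an unregistered hook costs one pointer test, no call. */
    if (ops->file_read && ops->file_read(f) != 0)
        return -1;
    return 1;                    /* stand-in for the real read path */
}

/* Open at label 0, relabel to 1, read again: 1 = allowed, -1 = denied. */
int read_after_relabel(const struct sec_ops *ops) {
    struct subject s = { 0 };
    struct object o = { 0 };
    struct file f;
    if (do_open(ops, &f, &s, &o) != 0 || do_read(ops, &f) != 1)
        return -2;
    o.label = 1;
    return do_read(ops, &f);
}

int main(void) {
    printf("open-only: %d, every-read: %d\n",
           read_after_relabel(&open_only_ops), read_after_relabel(&every_read_ops));
    return 0;
}
```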
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 16:34:49 PDT