Casey Schaufler:
>> Could you give me a concrete example of a policy where this matters?
>> If we have to go to some lengths to support mediating read and write,
>> do you think this is justified?
>
>In some implementations of Mandatory Access Control
>checks are done on every operation just in case the
>MAC label changed after the open. UNICOS works this
>way, for one. It's not the only way to meet the B1 (LSPP)
>requirements, you can revoke access to files when their
>labels change, or disallow changing labels on open files,
>but it is a legitimate (and commercially successful)
>approach.

It is also the approach taken by Sun's Trusted Solaris.

--
Darren J Moffat

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 17:10:44 PDT
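Added example, not part of the original message or of any system it names: a toy C model of the approaches discussed above, contrasting an open-time-only check with a check on every read when the object's label is raised after the open, plus the "disallow changing labels on open files" alternative. All names (`inode_m`, `file_m`, `mac_may_read` and the rest) and the integer sensitivity levels are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdbool.h>

/* Toy model, constructed for illustration: labels are plain sensitivity levels. */
struct inode_m { int label; int open_count; };   /* object and its MAC label */
struct file_m  { struct inode_m *inode; int subj_level; bool open_ok; };

/* Simple "no read up" rule: a subject may read objects at or below its level. */
static bool mac_may_read(int subj_level, int obj_label) {
    return subj_level >= obj_label;
}

/* The open is always mediated; the decision is recorded in the descriptor. */
static bool model_open(struct file_m *f, struct inode_m *ino, int subj_level) {
    f->inode = ino;
    f->subj_level = subj_level;
    f->open_ok = mac_may_read(subj_level, ino->label);
    if (f->open_ok)
        ino->open_count++;
    return f->open_ok;
}

/* Approach A: trust the open-time decision for the life of the descriptor. */
static bool read_open_time_only(const struct file_m *f) {
    return f->open_ok;
}

/* Approach B: re-evaluate against the current label on every read. */
static bool read_per_operation(const struct file_m *f) {
    return f->open_ok && mac_may_read(f->subj_level, f->inode->label);
}

/* Unconditional relabel: the case approach B is designed to catch. */
static void relabel(struct inode_m *ino, int new_label) { ino->label = new_label; }

/* Approach C: refuse to change the label while any descriptor is open. */
static bool relabel_if_closed(struct inode_m *ino, int new_label) {
    if (ino->open_count > 0)
        return false;
    ino->label = new_label;
    return true;
}

int main(void) {
    struct inode_m ino = { .label = 1, .open_count = 0 };
    struct file_m f;
    model_open(&f, &ino, 2);                       /* level 2 opens a level 1 object */
    printf("relabel while open (C): %s\n", relabel_if_closed(&ino, 3) ? "done" : "refused");
    relabel(&ino, 3);                              /* label raised after the open */
    printf("open-time only (A): %s\n", read_open_time_only(&f) ? "read allowed" : "read denied");
    printf("per-operation  (B): %s\n", read_per_operation(&f) ? "read allowed" : "read denied");
    return 0;
}
```

With only the open mediated, the descriptor keeps reading data that the subject could no longer open; the per-read check and the relabel restriction each close that gap in a different place.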