Re: backward compat / access (was Re: Benchmarks)

From: David Wagner (dawat_private)
Date: Fri Apr 20 2001 - 18:42:31 PDT

    Flavien Lebarbe wrote:
    >The idea of "a NULL pointer in the struct keeps the default -i.e. no
    >check- function in place" is reasonable I think (maybe a flag
    >'default when nothing specified is refuse' could be useful, I
    >dunno).
    
    Well, I'd be grateful if there was a way to specify that the
    default when nothing is specified is that the request is denied.
    
    This is part of the assurance argument for Janus: that anything
    not explicitly validated by us policy writers is guaranteed to
    be denied, even if we forgot about the existence of some operation,
    or even if the kernel is upgraded and a new operation is added.
    We're failing safe, i.e., trading away availability for security.
    Not all policy modules will want to make this trade-off, but it is
    a policy decision, and so I think it makes sense to leave this up
    to the policy module, rather than hard-coding it in the kernel.
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
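
The trade-off discussed in this message, as an added example that is not part of the original post and is not LSM or Janus code: a hook table whose NULL slots are filled at registration with either a permissive or a refusing default, chosen by the policy module. All names here (`sec_ops`, `SEC_DEFAULT_DENY`, `sec_register`, `sec_check`, the operations and the sample paths) are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical operations; OP_MOUNT stands in for one a later kernel adds. */
enum sec_op { OP_OPEN, OP_EXEC, OP_MOUNT, OP_COUNT };
typedef int (*sec_hook_t)(const char *object);
#define SEC_DEFAULT_DENY 0x1 /* hypothetical flag: unspecified hooks refuse */
struct sec_ops {
    unsigned int flags;
    sec_hook_t hook[OP_COUNT]; /* NULL = the policy module said nothing */
};

static int default_allow(const char *o) { (void)o; return 0; }
static int default_deny(const char *o) { (void)o; return -EPERM; }

/* Framework side: fill each unspecified slot once, at registration. */
void sec_register(struct sec_ops *ops) {
    sec_hook_t fallback =
        (ops->flags & SEC_DEFAULT_DENY) ? default_deny : default_allow;
    for (int i = 0; i < OP_COUNT; i++)
        if (ops->hook[i] == NULL)
            ops->hook[i] = fallback;
}

int sec_check(const struct sec_ops *ops, int op, const char *object) {
    if (op < 0 || op >= OP_COUNT || ops->hook[op] == NULL)
        return -EPERM; /* out of range or unregistered table: fail safe */
    return ops->hook[op](object);
}

/* Constructed policy hook: only paths under /tmp/sandbox/ are validated. */
static int policy_open(const char *object) {
    static const char prefix[] = "/tmp/sandbox/";
    return strncmp(object, prefix, sizeof(prefix) - 1) == 0 ? 0 : -EPERM;
}

/* A policy written before OP_MOUNT existed: it sets only the open hook. */
int demo_check(unsigned int flags, int op, const char *object) {
    struct sec_ops ops = { .flags = flags, .hook = { [OP_OPEN] = policy_open } };
    sec_register(&ops);
    return sec_check(&ops, op, object);
}

int main(void) {
    printf("permissive:   %d\n", demo_check(0, OP_MOUNT, "/dev/sda1"));
    printf("default-deny: %d\n", demo_check(SEC_DEFAULT_DENY, OP_MOUNT, "/dev/sda1"));
    return 0;
}
```

The same policy module yields 0 for the operation it never heard of under the permissive default and `-EPERM` once it sets the flag, while its explicitly validated open hook behaves identically in both modes.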
    