I'm not sure that the capabilities vs. access control lists distinction is as helpful as one might hope, when we're talking about interposed reference monitors that are neither part of the subject (e.g., the confined process) nor part of the object (e.g., the file on disk). ACLs are the case where permission-entries are stored with the object. Capabilities are the case where permission-entries are stored with the subject. In SubDomain and similar approaches, neither applies, because permission-entries are stored with the interposed guard entity.

You're right that there is also the issue of revocation vs. delegation. If subjects can delegate their own permissions to others without involving the OS, then delegation is easy but revocation is hard; if subjects must invoke the OS to delegate permissions to others, revocation is easy, but delegation is now controlled. However, this issue is mostly orthogonal to the capabilities vs. ACLs axis. In practice, almost all ACL systems provide controlled delegation (and hence revocation is easy), and many capability systems provide unmediated delegation (and hence revocation is hard), so in many people's minds, people conflate the two tradeoffs---but I see no fundamental reason why this must necessarily be so.

Sorry to interrupt with the philosophical abstract musings. Back to your regularly scheduled discussion...
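The post makes two claims that are easy to see in code: that "where the permission entries live" (object, subject, or an interposed guard) is a separate question from whether delegation is mediated, and that revocation gets hard precisely when delegation bypasses the monitor. The following toy reference monitors are an added illustration, not code from the post, from SubDomain or from any LSM; every class, method and sample name (AclMonitor, GuardMonitor, CapabilityMonitor, the subjects alice/bob/carol and the paths) is constructed for this example. The capability monitor hands out unforgeable tokens; an unmediated copy shares the same token value, so the monitor cannot revoke the delegate without also revoking the original holder, whereas mediated delegation records a parent/child edge and supports selective, transitive revocation.

```python
"""Toy reference monitors for the three 'where do the entries live' cases
plus mediated vs. unmediated delegation.  Added illustration only; not the
post's, SubDomain's or any LSM's code; all names here are constructed."""
import secrets
from collections import defaultdict


class AclMonitor:
    """ACL: entries stored with the object, obj -> {subject: {perm}}."""
    def __init__(self):
        self._acl = defaultdict(lambda: defaultdict(set))
    def grant(self, obj, subject, perm):
        self._acl[obj][subject].add(perm)
    def revoke(self, obj, subject, perm):    # easy: the entry is right here
        self._acl[obj][subject].discard(perm)
    def check(self, subject, obj, perm):
        return perm in self._acl[obj][subject]


class GuardMonitor:
    """Interposed guard: entries stored with neither side, keyed by
    (subject, object) in the guard's own table, like a per-program profile."""
    def __init__(self):
        self._profile = defaultdict(set)
    def grant(self, subject, obj, perm):
        self._profile[(subject, obj)].add(perm)
    def revoke(self, subject, obj, perm):
        self._profile[(subject, obj)].discard(perm)
    def check(self, subject, obj, perm):
        return perm in self._profile[(subject, obj)]


class CapabilityMonitor:
    """Capabilities: entries stored with the subject as unforgeable tokens.
    The monitor only maps token -> (obj, perm); it learns who holds a copy
    only when delegation goes through it."""
    def __init__(self):
        self._tokens = {}                  # token -> (obj, perm); None once revoked
        self._holders = defaultdict(set)   # subject -> tokens it holds
        self._children = defaultdict(set)  # token -> tokens minted from it

    def mint(self, subject, obj, perm):
        tok = secrets.token_hex(8)
        self._tokens[tok] = (obj, perm)
        self._holders[subject].add(tok)
        return tok

    def check(self, subject, obj, perm):
        return any(self._tokens.get(t) == (obj, perm)
                   for t in self._holders[subject])

    def delegate_mediated(self, src, dst, tok):
        """Controlled delegation: src asks the monitor, which mints a child
        token for dst and records the parent/child edge."""
        if tok not in self._holders[src] or self._tokens.get(tok) is None:
            raise PermissionError("src does not hold a live token")
        child = secrets.token_hex(8)
        self._tokens[child] = self._tokens[tok]
        self._holders[dst].add(child)
        self._children[tok].add(child)
        return child

    def revoke(self, tok):
        """Kill a token and, transitively, everything minted from it.  A copy
        made without the monitor shares this very token value, so cutting it
        off means cutting off the original holder as well."""
        self._tokens[tok] = None
        for child in self._children.pop(tok, ()):
            self.revoke(child)


def unmediated_delegate(monitor, src, dst, tok):
    """Subject-side copy: src hands the token bits to dst without calling the
    monitor.  Writing into the holder table stands in for dst's own memory;
    no parent/child edge is recorded, so the monitor cannot tell them apart."""
    assert tok in monitor._holders[src]
    monitor._holders[dst].add(tok)


def demo():
    """Exercise both delegation styles and the guard; return the outcomes."""
    out = {}
    m = CapabilityMonitor()
    t = m.mint("alice", "/tmp/f", "read")
    unmediated_delegate(m, "alice", "bob", t)
    out["unmediated_bob_has_access"] = m.check("bob", "/tmp/f", "read")
    m.revoke(t)                    # the only handle the monitor has on bob's copy
    out["unmediated_revoke_hits_alice"] = not m.check("alice", "/tmp/f", "read")

    m = CapabilityMonitor()
    t = m.mint("alice", "/tmp/f", "read")
    b = m.delegate_mediated("alice", "bob", t)
    m.delegate_mediated("bob", "carol", b)
    m.revoke(b)                    # selective: bob's subtree only
    out["mediated_alice_keeps"] = m.check("alice", "/tmp/f", "read")
    out["mediated_bob_lost"] = not m.check("bob", "/tmp/f", "read")
    out["mediated_carol_lost"] = not m.check("carol", "/tmp/f", "read")

    g = GuardMonitor()
    g.grant("/usr/bin/httpd", "/var/www", "read")
    out["guard_profiled_program"] = g.check("/usr/bin/httpd", "/var/www", "read")
    out["guard_unprofiled_program"] = g.check("/usr/bin/sh", "/var/www", "read")
    return out
```

Note that the storage location and the delegation policy are independent knobs in this model: `CapabilityMonitor` stores entries with the subject in both scenarios, and only the choice between `unmediated_delegate` and `delegate_mediated` decides whether revocation can be selective, which is the orthogonality the post argues for.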
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 20:24:18 PDT