* frm dawat_private "07/26/01 00:57:54 +0000" | sed '1,$s/^/* /' * * Sounds promising. * * richard offer wrote: *> It doesn't get over the issue of performance (module faster than kernel). *> But we can probably live with that. * * I didn't understand this remark. Should I try to understand * what you meant by "the issue of performance", or is this a * minor issue? Take for example the case where a MAC check would deny access, and that the time to perform DAC checks is long. Before anyone says that DAC checks are fast, they are can be as long as you're only looking in the inode. But if the DAC checks require looking elsewhere (ie using ACLs that are too big to store in the inode), and the file is located elsewhere (near-line storage system), it could mean getting the file off a tape only to then throw it away. This is a real issue with some of our existing big box customers. When I wrote the "But we can probably live with that" I wasn't thinking about ACLs, so I recant it :-) richard. ----------------------------------------------------------------------- Richard Offer Technical Lead, Trust Technology, SGI "Specialization is for insects" _______________________________________________________________________ _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 07:25:32 PDT