Re: MAC before DAC vs DAC before MAC

From: Crispin Cowan (crispinat_private)
Date: Thu Jul 26 2001 - 10:58:42 PDT

    richard offer wrote:
    
    > Take for example the case where a MAC check would deny access, and that the
    > time to perform DAC checks is long.
    > ... [snip]
    > When I wrote the "But we can probably live with that" I wasn't thinking
    > about ACLs, so I recant it :-)
    
    We can go round and round on which configuration is faster, based on various
    assumptions about which check is more complex.
    
    But that wasn't the question:  David & I want to know why anyone should care
    about the performance of denied accesses?
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


