* frm dawat_private "07/26/01 18:20:29 +0000" | sed '1,$s/^/* /' * * richard offer wrote: *> Take for example the case where a MAC check would deny access, and that *> the time to perform DAC checks is long. * * It is rather difficult for me to imagine a reason why we should * worry about optimizing for syscalls that are disallowed by policy, * and that's putting it mildly. (Some have even suggested the exact * opposite: namely, that, when you deny a request, you should delay * for some extra-long period, to deter attacks.) This gets annoying very quickly to real users doing real permitted things. If "ls -l" requires going to out to the tape unit only then to return "permission denied", the time taken will be longer than it takes customers to file a bug. In Trusted Irix, MAC not only protects the contents of a file, it protects the attributes of the file. richard. ----------------------------------------------------------------------- Richard Offer Technical Lead, Trust Technology, SGI "Specialization is for insects" _______________________________________________________________________ _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 15:24:33 PDT