Re: The Demise of Simple Assurance?

From: jmjonesat_private
Date: Tue Jul 31 2001 - 17:45:51 PDT

    On Tue, 31 Jul 2001, richard offer wrote:
    
    > I thought we agreed to not call it MAC/DAC sequence, but module/in-kernel
    > sequence :-)
    
    I think we did, but only to a certain extent.
    
    I saw the consensus/agreement as being to consider in-kernel checks as a
    finite element, and in-module checks as a separate element.  Where these
    two considerations are indivisible, I'd thought we'd given "preference" to
    in-kernel checks.
    
    > 
    > I thought that being fully authoritative using a single hook implied moving
    > current kernel logic out into a module. There would be no issues with
    > module/in-kernel sequence since there would be no in-kernel.
    
    "Fully Authoritative" vs. "Simply Authoritative".  I don't think moving
    logic OUT of the kernel in order to reproduce it in the modules was ever
    something agreed upon.  I may be wrong.
    
    Not that I think this is a bad idea, largely, but I think it has been
    "argued down" for many reasons.  Even eliminating the "simple-assurance"
    argument, there is the issue of "kernel invasion".  Do you have a response
    to that argument?
    
    > 
    > Of course I'm probably wrong.
    > 
    
    Not necessarily, but you need to prove you're right, imho.
    
    > * 
    > * Crispin
    
    > 
    > richard.
    > 
    > -----------------------------------------------------------------------
    > Richard Offer                     Technical Lead, Trust Technology, SGI
    > "Specialization is for insects"
    > _______________________________________________________________________
    > 
    
    J. Melvin Jones
    
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 17:47:34 PDT