On Mon, Nov 04, 2002 at 03:22:22PM +0000, Henrý Þór Baldursson wrote:
> I'm not here to debate licensing issues. I'm here rather to investigate
> how extensive the framework is. What the design scope of a security
> policy module should be. For example with regards to access control to
> files, more specifically where the access control verdict depends on the
> content of files, it seems logical to me for the framework to cache
> verdicts in order to reduce resource usage and increase responsiveness
> of the system.
>
> When an access control policy, whose only factor is content, is applied
> to a file. That policy should not need to be applied to said file until
> its content changes, or a reasonable amount of time has passed. And I,
> personally, feel that this functionality belongs in the framework rather
> than in something called a "security policy module". 1) Because caching
> verdicts has nothing to do with security, it has to do with reducing
> latency in the framework's design. 2) Because this would prevent people
> from excessively redesigning the wheel and causing code obesity.
>
> My questions are: Has/Should this functionality be implemented in the
> framework rather than in security policy modules? What are your opinions
> on the matter?

Hm, do you have any specific examples of function calls that should be
"cached"? And how do you know if (for example) a file's contents haven't
changed from the last time it was accessed, within the existing hooks
(like the read() hook for example)?

At first glance I would say that there should not be anything within the
framework to accomplish such "caching" as the framework is nothing but a
bunch of function calls that would point to your code. You could
accomplish the caching just as fast as anything within the framework
could do.

A simple example patch for what you are wanting to accomplish would be
helpful in explaining your concept here.

thanks,

greg k-h
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
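
Added example, not part of the original thread and not LSM framework code: a user-space C model of the module-side verdict cache discussed above, which reuses a content-based verdict until the content changes or a time limit passes. The names `check_access`, `scan_content`, the `gen` content-generation counter and the 30-second limit are assumptions; how a module would learn that content changed is the open question in the reply, so the model takes `gen` as an input.

```c
#include <stdint.h>

#define CACHE_SLOTS 64
#define VERDICT_TTL 30          /* seconds; the "reasonable amount of time" */

enum verdict { V_NONE = 0, V_ALLOW, V_DENY };

struct entry {                  /* one cached verdict, keyed by (dev, ino) */
    uint64_t dev, ino, gen;     /* gen: content generation when scanned */
    uint64_t when;              /* time the verdict was computed */
    enum verdict v;
};

static struct entry cache[CACHE_SLOTS];
static unsigned scans;          /* how many times the expensive policy ran */

/* Stand-in content policy (hypothetical): deny if the first byte is 'X'. */
static enum verdict scan_content(const char *data)
{
    scans++;
    return (data[0] == 'X') ? V_DENY : V_ALLOW;
}

/* Return the verdict for a file, rescanning only on miss, change or expiry. */
enum verdict check_access(uint64_t dev, uint64_t ino, uint64_t gen,
                          uint64_t now, const char *data)
{
    struct entry *e = &cache[(dev * 31 + ino) % CACHE_SLOTS];

    /* A hit needs the full key to match, so a slot collision or a clock
     * that went backwards falls through to a rescan, never a stale verdict. */
    if (e->v != V_NONE && e->dev == dev && e->ino == ino &&
        e->gen == gen && now - e->when < VERDICT_TTL)
        return e->v;

    e->dev = dev; e->ino = ino; e->gen = gen; e->when = now;
    e->v = scan_content(data);  /* miss: run the policy and remember it */
    return e->v;
}

unsigned scan_count(void) { return scans; }

int main(void)
{
    check_access(8, 100, 1, 0, "ok");     /* miss: content is scanned */
    check_access(8, 100, 1, 10, "ok");    /* hit: cached verdict reused */
    return scan_count() == 1 ? 0 : 1;
}
```

The cache is only as trustworthy as the change signal: a value the file's owner can set back, such as a modification time, would let a stale allow verdict survive a content change.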
This archive was generated by hypermail 2b30 : Mon Nov 04 2002 - 08:39:23 PST