[cap-talk] rights communication - hope? - tome - network
jed at nersc.gov
Tue Sep 28 14:30:14 EDT 2004
At 11:55 PM 9/27/2004, Ben Laurie wrote:
>David Wagner wrote:
>>Jed Donnelley wrote:
>>>Can you tell
>>>me why people are pursuing ACLs rather than capabilities as a model
>>>for "communicating" rights in the examples you mentioned earlier,
>>>e.g. SELinux and Systrace?
>>They're not. Or at least, they're not pursuing ACLs specifically so
>>much as just trying to solve the problem whatever way occurs to them.
>>It's not that they've decided "ACLs are better, and darn it, I refuse to
>>use capabilities". Rather, they're just building whatever is easiest
>>and works. If you want to suggest to them that "no, you should only
>>use capabilities, and never use anything else; capabilities are better
>>than what you're doing now", you need to make the case that changing
>>what they do will provide sufficient benefits to be worth the change.
>>It's a question of where the burden of proof lies.
>I don't think that's the issue at all. Surely the point is that SELinux
>and Systrace impose their will on a program from outside, and that just
>can't be done with object capabilities - the program has to cooperate to
>play the capability game.
While briefly stated, I think I agree with this point. As I noted previously I
typically think in terms of processes communicating across a network.
Indeed they do have to "play the capability game" as that is all that's
available to them to access rights outside their domain (their memory).
Despite that, it's still true that the API available to code in any such
and look (through libraries) very much like the APIs available on systems
like Unix or Windows.
More information about the cap-talk