[cap-talk] rights communication - hope? - tome - network
Jed Donnelley
jed at nersc.gov
Tue Sep 28 14:30:14 EDT 2004
At 11:55 PM 9/27/2004, Ben Laurie wrote:
>David Wagner wrote:
>>Jed Donnelley wrote:
>>>Can you tell
>>>me why people are pursuing ACLs rather than capabilities as a model
>>>for "communicating" rights in the examples you mentioned earlier,
>>>e.g. SELinux and Systrace?
>>
>>They're not. Or at least, they're not pursuing ACLs specifically so
>>much as just trying to solve the problem whatever way occurs to them.
>>It's not that they've decided "ACLs are better, and darn it, I refuse to
>>use capabilities". Rather, they're just building whatever is easiest
>>and works. If you want to suggest to them that "no, you should only
>>use capabilities, and never use anything else; capabilities are better
>>than what you're doing now", you need to make the case that changing
>>what they do will provide sufficient benefits to be worth the change.
>>It's a question of where the burden of proof lies.
>
>I don't think that's the issue at all. Surely the point is that SELinux
>and Systrace impose their will on a program from outside, and that just
>can't be done with object capabilities - the program has to cooperate to
>play the capability game.
While briefly stated, I think I agree with this point. As I noted previously I
typically think in terms of processes communicating across a network.
Indeed they do have to "play the capability game" as that is all that's
available to them to access rights outside their domain (their memory).
Despite that, it's still true that the API available to code in any such process
can look (through libraries) very much like the APIs available on systems
like Unix or Windows.
--Jed http://www.webstart.com/jed/