[cap-talk] Confinement CC problem ?? (Rob Meijer: Communicating conspirators)

[Rob]

>>
>>I believe the main difference is in what is being locked down to a level.
>>In what you describe the 'processes' are being locked down to a clearance
>>level. I know that this is required in the higher MLS levels, but I
>>would be glad if I could use capability design between the lower
>>levels.
>
> By "use a capability design between the lower levels" do I take you
> to mean that you somehow want to be able to allow direct communication
> between processes at different levels with a capability mechanism
> somehow enforcing a workable (by what policy standards?) MLS mechanism?
>
>>In my proposed design the capabilities are being locked down
>>to a clearance level instead, allowing processes with capabilities on
>>multiple clearance levels to somewhat move between the levels during
>>their lifetime. The later results in a more natural way of programming
>> and
>>thus in shorter development times imho. An added bonus is as I stated
>> that
>>I believe it would allow the definition of a confinement subset of the CC
>>problem.
>
> Sorry Rob, but try as I might I don't see it.  I guess this is one of
> those
> cases where I think we would really have to stand up at a white board
> and scratch out a more detailed design before I'd get it.  Perhaps others
> can chime in here if any are following and might be able to contribute.

I have made an attempt to get things into something of a big
picture/detailed picture short document, I'm a bit reluctant to do so
given that its only a very preliminary state, but hopefully it can be
helpfull.

http://www.xs4all.nl/~rmeijer/tsproxy/

I've made the graphics link to the source graphviz dot files, I think these
could effectively be used as an e-mail compatible white board.
Maybe others could also look at this page to see if my aparently limited
communication skills could maybe be reworded by someone to make a bit
more clear what I am trying to bring across.

Rob