[cap-talk] Defining Mandatory and Discretionary (was: A better reference for the "capabilities propagate too easily" argument)

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Aug 2 07:28:48 EDT 2007


On Wed, 2007-08-01 at 17:31 -0400, Jonathan S. Shapiro wrote:
> On Wed, 2007-08-01 at 21:09 +0100, Toby Murray wrote:
> > On Wed, 2007-08-01 at 08:58 -0700, Mark Miller wrote:
> > > Again, I have no idea what you or anyone else (except Alan) means when
> > > they say "discretionary" or "mandatory". 
> > 
> > The SELinux access controls are discretionary from the point of view of
> > anyone who can modify them (that is, the policy). They are mandatory
> > from the point-of-view of anyone who cannot.
> 
> I think that this is fair. They are mandatory in the same sense that a
> non-bypassable membrane imposes a mandatory control if you are a process
> that sits "inside" the environment imposed by the membrane.
> 
> > Does anyone agree with these definitions? They seem to be about the only
> > sane ones I've ever been able to apply. From memory, they were derived
> > from "The Inevitability of Failure", a Steve Smalley paper motivating
> > SELinux if memory serves. They were derived during discussions with
> > previous work colleagues; but I think they serve well generally.
> 
> So far as I know, this definition of discretionary vs. mandatory as
> reflecting point of view originated with me.

These definitions were fleshed out in discussion with Duncan Grove, my
old work supervisor. We started with the definitions of "mandatory" and
"discretionary" given in

P. Loscocco, S. Smalley, P. Muckelbauer, R. Taylor, J. Turner, and J.
Farrell. The inevitability of failure: The flawed assumptions of security
in modern computing environments. In Proceedings of the 21st National
Information Systems Security Conference, 1998.

They certainly don't present the insight that the distinction between
mandatory and discretionary depends on your point-of-view. But their
definitions were enough to work on, to enable us to derive this insight.

Namely:

"This paper instead uses the more general notion of mandatory security
defined in [59], in which a mandatory security policy is considered to
be any security policy where the definition of the policy logic and the
assignment of security attributes is tightly controlled by a system
security policy administrator."

and

"Likewise, as defined in [59], this paper uses a more general notion of
discretionary security in which a discretionary security policy is
considered to be any security policy where ordinary users may be
involved in the definition of the policy functions and/or the assignment
of security attributes."

It was Duncan who had the insight that whether it was mandatory or
discretionary depends on who you are.

I have no idea whether he had read anything that directly sparked this
insight but I've always believed it to be an independent discovery of
his.

Hopefully he'll chime in if I've misrepresented him here.

>  If Steve came to this view
> first, I would very much like to know.

I have no evidence to support that.

>  If I didn't originate this
> framing, I don't want to take credit away from anyone else.

I think it's a case of multiple independent discoveries of the same
idea. I wouldn't worry about taking credit from anyone else though. I'd
like to think that if this insight has already been stumbled upon by
more than one person independently, then hopefully others have reached
it as well.
