[cap-talk] Mandatory Policy
Jonathan S. Shapiro
shap at eros-os.com
Thu Aug 2 08:59:34 EDT 2007
[Note suggested subject change -- I should have changed it when I gave
On Thu, 2007-08-02 at 08:14 -0400, Jonathan S. Shapiro wrote:
> Mandatory policy is policy whose controlling party is not a
> participant in the communication, except as a degenerate case. That
> is: the controlling agent's communications may be subject to the
> policy as a consequence of implementation or policy design, but this
> is not the purpose or focus of the policy.
Using this definition as a "stake in the ground", I want to try to
articulate a part of why all of us dislike the mandatory policy concept,
and see if I can set a foundation for why mandatory policy is necessary.
The mandatory policy notion implicitly establishes an us/them dichotomy.
There is the (system) policy administrator, and there is the user, and
one strictly dominates the other.
Socially, of course, phrasing it this way is offensive to many people
here, and I think that this is part of the visceral negative reaction
that people have to the term.
However, I want to suggest two points:
1. The "role" of an administrator is, in principle, legitimate, but
2. The monolithic nature of this role in conventional systems is
problematic, and a cause for reasonable suspicion.
What do I mean by "the role of an administrator"?
[ I will speak of "administrator" in the singular below. I do not
mean to preclude a group of co-equal administrators, but that is
a side issue. ]
Administrators are not needed in single-user computers. The only role
for administration in such systems is to establish safety warnings. Some
people really do find it comforting to be asked "Do you really want to
delete this file?" While I personally want to be able to turn that sort
of thing off, I don't have a problem with the feature in abstract. I
mention it because the most natural mechanism of implementation for some
of these sorts of things is a global policy somewhere. If you want this
kind of thing, its implementation definitely should NOT be replicated
in half a billion applications.
Where administrators are needed is in multiuser systems where there are
shared resources, and in particular shared namespaces. When two people
work together this can all be very informal. As the group becomes
larger, you start to run into policy issues:
+ Sooner or later, somebody will be ill-behaved. Such a person will
not collaborate in recovery.
+ Even people with good intentions will not always follow all of
the appropriate "conventions" for the shared space.
+ Occasionally something will get disclosed incorrectly. You want
to remove it, but the "owner" isn't handy.
+ You run out of space, and you want to have a well-defined person
to fix this problem. Similarly for other "problems of mechanism".
+ You want to declare that user X should no longer be able to update
or read documents in the space.
[I understand the argument that exposed document versions remain
exposed forever. This disregards the fact that (a) people *don't*
make copies eagerly in practice, and (b) there may be *social*
policies for "enforcing" rules about such behavior that the
access policy is designed to reinforce.]
All of these are activities that we might reasonably label
"administrative" in nature. What the traditional administrator role
ignores is that there can be more than one shared workspace in a system,
and consequently there may be distinct administrators for different
workspaces. That is: "administrator" is an adjective, not a noun. It
should properly be understood to mean "administrator of <something>".
We can obviously imagine subdivision and/or delegation of administrative
responsibility, but there is a more fundamental question that should be
asked as well:
Is there some essential reason that a computing system requires a
primordial, all-powerful administrative role?
In evaluating this question, I will disregard the possibility that a
primary administrator's role may be limited by a suitably implemented
administrative user interface. That is important for integrity reasons,
and it provides something of a social palliative, but it does not alter
the essential question.
I suggest that the answer to this question may be determined by a simple
test: If there is a single, primordial shared resource namespace that
exists in a system for fundamental reasons, and this namespace requires
any sort of administrative management, then it follows that there must
be a primordial administrator.
Even if we set aside the UNIX-style single system namespace, there IS an
essential primordial namespace: the namespace of physical devices
configured on the machine. That is: the network connections, the disk
drives, the memory, the CPUs, and so forth. All authority of any sort in
the system is derived in hierarchical fashion (more precisely: in
lattice fashion) from these primordial resources.
It is possible, through technical means, to separate administrative
authority to *allocate* these resources from administrative authority to
*access* these resources, but the primordial namespace of resources
So: it follows immediately that we have at least one perimeter at which
mandatory policy is both enforceable and necessary in a multiuser
system. Since this particular perimeter can be mediated easily by the OS,
it may not generalize. Are there other cases?
I suspect that the answer goes back to namespaces and composition of
policies. If policies do not compose, then it is not possible to
frame/express them in a modular way. Under these conditions, subdivision
of administrative authority becomes a very delicate matter. In the large
view, there is no such thing as disjoint namespaces: two namespaces
accessed by a common process are effectively joined for policy purposes.
I need to let the back of my head ponder further about that.
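The separation of authority to *allocate* a primordial resource from authority to *access* it, sketched above, as an added illustration: this is not code from the post and not EROS code. The class names (Machine, Cap, Page), the "allocate"/"read"/"write" rights and the parent-chain revocation are this example's own assumptions, loosely modeled on the space-bank idea of an allocator that can hand out and reclaim storage without being able to read it. Authority to a page is derived from the allocator capability that minted it, so reclaiming the allocator revokes everything below it in the tree.

```python
"""Toy capability model: allocation authority separated from access authority.

Added example for the cap-talk discussion above; names and rights are invented
for illustration (not the post's own code, not EROS code).
"""
from __future__ import annotations
from dataclasses import dataclass, field


class Revoked(PermissionError):
    """The capability, or one of its ancestors, has been revoked."""


@dataclass(eq=False)
class Cap:
    """A right to one object, remembered together with the capability it was derived from.

    Authority forms a tree rooted at the primordial resources: revoking a
    capability revokes every capability derived from it (Cap.live walks the chain).
    """
    target: object
    rights: frozenset
    parent: Cap | None = None
    revoked: bool = field(default=False, repr=False)

    def live(self) -> bool:
        c = self
        while c is not None:
            if c.revoked:
                return False
            c = c.parent
        return True

    def check(self, right: str) -> None:
        if not self.live():
            raise Revoked(f"capability to {self.target!r} was revoked")
        if right not in self.rights:
            raise PermissionError(f"capability lacks {right!r}")

    def attenuate(self, *rights: str) -> Cap:
        """Delegate a weaker capability to the same object; rights can only shrink."""
        if not self.live():
            raise Revoked("cannot delegate from a revoked capability")
        if not set(rights) <= self.rights:
            raise PermissionError("cannot add rights when delegating")
        return Cap(self.target, frozenset(rights), parent=self)


@dataclass
class Page:
    """A unit of the primordial storage namespace."""
    pid: int
    data: bytes = b""


class Machine:
    """Holds the primordial pool of pages and the root capability over it."""

    def __init__(self, npages: int) -> None:
        self.free = [Page(i) for i in range(npages)]
        self.allocated: list[tuple[Cap, Page]] = []
        # The root capability conveys only the right to allocate; it is not a read/write cap.
        self.root = Cap(self, frozenset({"allocate"}))

    def allocate(self, alloc_cap: Cap) -> Cap:
        """Mint a fresh read/write capability to a free page, derived from the allocator."""
        alloc_cap.check("allocate")
        if alloc_cap.target is not self:
            raise PermissionError("not an allocator for this machine")
        page = self.free.pop()
        cap = Cap(page, frozenset({"read", "write"}), parent=alloc_cap)
        self.allocated.append((cap, page))
        return cap

    def reclaim(self, alloc_cap: Cap) -> int:
        """Revoke the allocator; every page minted from it dies and returns to the pool."""
        alloc_cap.check("allocate")
        alloc_cap.revoked = True
        n = 0
        for cap, page in list(self.allocated):
            if not cap.live():
                page.data = b""          # scrub before the page is reused
                self.free.append(page)
                self.allocated.remove((cap, page))
                n += 1
        return n


def write(cap: Cap, data: bytes) -> None:
    cap.check("write")
    cap.target.data = data


def read(cap: Cap) -> bytes:
    cap.check("read")
    return cap.target.data


def demo() -> dict:
    """Walk through the scenario: administrators allocate and reclaim but never read."""
    m = Machine(4)
    admin_alloc = m.root.attenuate("allocate")   # system storage administrator
    ws_alloc = admin_alloc.attenuate("allocate")  # administrator of <one workspace>
    page = m.allocate(ws_alloc)                   # a user's process gets a page
    write(page, b"draft")
    ro = page.attenuate("read")                   # user shares a read-only view
    out = {"user_reads": read(ro)}
    try:
        write(ro, b"x")                           # read-only view cannot write
    except PermissionError as e:
        out["ro_write"] = type(e).__name__
    try:
        read(ws_alloc)                            # allocator holds no access right
    except PermissionError as e:
        out["admin_read"] = type(e).__name__
    out["reclaimed"] = m.reclaim(ws_alloc)        # workspace admin reclaims everything
    try:
        read(ro)                                  # derived caps are dead too
    except Revoked as e:
        out["after_reclaim"] = type(e).__name__
    out["free_pages"] = len(m.free)
    return out
```

The point the toy makes concrete is the last paragraph's "administrator of <something>": ws_alloc is an administrator only of the pages minted from it, admin_alloc of every workspace beneath it, and neither can read a page unless a holder delegates a read capability to them.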