[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")

Jonathan S. Shapiro shap at eros-os.com
Wed Jan 3 15:16:48 CST 2007

On Wed, 2007-01-03 at 15:05 -0600, Ka-Ping Yee wrote:
> I wasn't aware that the classification of capability systems as
> discretionary ought to be considered a valid classification.  I
> thought a big source of the confusion in the whole debate was
> precisely this -- that it doesn't make sense to label capability
> systems as discretionary or mandatory, because this distinction
> argues from a perspective (ignorance of the difference between
> de facto and de jure access) that capability approaches see as
> inherently flawed.

This is bunk, because it is inconsistent with the actual usage of the

First, as I have said several times, mandatory policies consider
authority and information flow rather than permissions. While I'm sure
that some analyses have neglected de facto access, this is not
universally true and it is *certainly* not true of TCSEC (i.e. MLS),
which is the most widely referenced mandatory control model.

Mandatory control advocates almost universally state that capabilities
are purely discretionary controls. This is absolutely correct. There is
no mechanism in the "kernel" implementation of any pure
object-capability system that enforces any mandatory control. The
primordial mechanisms are all discretionary, and the primordial
communication system does not provide any "hook" for injecting mandatory
control decision predicates into the kernel-implemented communication
transport mechanism (that is: the IPC implementation).

What the "capabilities are discretionary controls" statement neglects to
consider is the possibility that a subsystem implementing a mandatory
policy might operate by judiciously and appropriately wielding purely
discretionary controls. Generally, but not universally, the statement
also tacitly assumes that the enforcement of mandatory controls must
occur within the kernel.

> How would you write the definition?

That has been a subject of very hot debate here. Better to leave those
pages as they were than introduce definitions that we *know* are wrong.
My suggestion is that you should back these edits out.

Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
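The architectural point of the post (a mandatory policy enforced by a user-level subsystem that only wields discretionary capabilities, with no hook in the kernel's IPC path) can be shown concretely. The following Python sketch is an added illustration, not code from the post, from EROS, or from any other capability system; the names Label, Store, Attenuated, MLSGuard and the Bell-LaPadula-style rules it encodes are assumptions chosen for the example. The "kernel" layer provides nothing but object references and method calls; the guard enforces no-read-up and no-write-down purely by choosing which attenuated reference each subject is ever handed.

```python
"""Mandatory (Bell-LaPadula style) policy built from discretionary capabilities.

Constructed illustration, not code from the original post, EROS or Coyotos.
The "kernel" here offers only object references and message send; it knows
nothing about security labels.  An ordinary user-level subsystem, MLSGuard,
enforces the mandatory policy by deciding which attenuated reference each
subject receives.  All names (Label, Store, Attenuated, MLSGuard) are
hypothetical.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order used by both BLP rules."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


class Denied(PermissionError):
    pass


# ---- the only thing the "kernel" provides: plain objects and references ----
class Store:
    """Holding a direct reference is full authority over the object."""
    def __init__(self):
        self._items = []

    def read(self):
        return list(self._items)

    def write(self, item):
        self._items.append(item)


# ---- user-level parts the guard is built from (still purely discretionary) --
class Attenuated:
    """Forwarder exposing only the operations the issuer chose.  Whoever
    holds it, or receives it by delegation, gets no more than this."""
    def __init__(self, target, *, allow_read, allow_write):
        self._target = target
        self._allow_read = allow_read
        self._allow_write = allow_write

    def read(self):
        if not self._allow_read:
            raise Denied("this capability does not convey read")
        return self._target.read()

    def write(self, item):
        if not self._allow_write:
            raise Denied("this capability does not convey write")
        self._target.write(item)


class MLSGuard:
    """Owns the direct references and labels them.  Subjects never see a
    Store directly; they only get what capability_for hands back."""
    def __init__(self):
        self._objects = {}

    def create(self, name, label):
        self._objects[name] = (label, Store())

    def capability_for(self, subject, name):
        obj_label, obj = self._objects[name]
        can_read = subject.dominates(obj_label)    # simple security: no read up
        can_write = obj_label.dominates(subject)   # *-property: no write down
        if not (can_read or can_write):
            raise Denied(f"{subject.level} may not touch {name} at all")
        return Attenuated(obj, allow_read=can_read, allow_write=can_write)


def outcome(action):
    """Run an access attempt and report the result or the refusal."""
    try:
        return action()
    except Denied:
        return "denied"


def demo():
    guard = MLSGuard()
    guard.create("bulletin", Label("UNCLASSIFIED"))
    guard.create("plans", Label("SECRET", frozenset({"NUKE"})))
    analyst = Label("SECRET", frozenset({"NUKE"}))
    clerk = Label("UNCLASSIFIED")
    auditor = Label("CONFIDENTIAL", frozenset({"AUDIT"}))  # incomparable with plans

    bulletin_cap = guard.capability_for(analyst, "bulletin")  # read-only: write-down blocked
    plans_cap = guard.capability_for(clerk, "plans")          # write-only: read-up blocked
    return {
        "analyst_reads_bulletin": outcome(bulletin_cap.read),
        "analyst_writes_bulletin": outcome(lambda: bulletin_cap.write("leak")),
        "clerk_writes_plans": outcome(lambda: plans_cap.write("tip")),
        "clerk_reads_plans": outcome(plans_cap.read),
        "analyst_reads_plans": outcome(guard.capability_for(analyst, "plans").read),
        # a delegate holding the same attenuated reference cannot amplify it
        "delegate_writes_bulletin": outcome(lambda: bulletin_cap.write("via delegate")),
        "auditor_gets_plans": outcome(lambda: guard.capability_for(auditor, "plans")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Nothing in Store or in the act of calling a method checks a label; the mandatory behaviour comes entirely from the guard holding the only direct references and issuing attenuated ones. The discipline this relies on is the usual object-capability one: subjects must have no way to obtain a Store reference except through the guard, which is exactly the confinement condition the post says the kernel's discretionary primitives are being used to achieve.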
