[cap-talk] SELinux vs. capabilities

Jonathan S. Shapiro shap at eros-os.com
Fri Jul 27 15:46:53 EDT 2007


On Fri, 2007-07-27 at 20:27 +0100, Toby Murray wrote:
> On Fri, 2007-07-27 at 13:14 -0400, Jonathan S. Shapiro wrote:
> > Part of what is going on here is that UNIX implements a very limited
> > number of object protocols: files and directories mostly. A new object
> > cannot introduce an arbitrary new protocol in the style of IPC. Further,
> > all object servers (e.g. file system, network system) are universally
> > trusted to faithfully implement their protocols.
> > 
> > Under these assumptions, filtering becomes much easier...
> 
> Yes. So you get this benefit at an apparently unavoidable cost of a loss
> of flexibility.

Perhaps and perhaps not. Plan-9 is thought-provoking here. Their
approach was to argue that the file and directory interfaces were enough
to support a generalized mechanism, and that you could piggyback other
protocols on top of these. This gives you one layer -- the
read/write/open/close layer -- at which audit and tracing is possible,
and another -- the application overlay protocol -- at which it may not
be.

The main advantage to this approach is that the commonality of the
bottom layer interface makes it much easier to plug things together. It
remains to be seen how this will play out in descriptor systems.
Windows, certainly, does not offer the compositional flexibility of UNIX
or Plan-9.

shap
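To make the two-layer point concrete, here is a small model of a Plan 9-style control file: an application overlay protocol ("connect host!port", "hangup") rides on plain open/write/close. This is an added illustration, not code from the post or from Plan 9; the path, command names and allowed-host list are assumptions. It shows that a mediator at the file layer sees only op, path and byte count, while a mediator at the overlay layer must parse the payload itself.

```python
"""Constructed model: an overlay protocol carried over open/write/close."""
from dataclasses import dataclass, field

CTL_PATH = "/net/tcp/0/ctl"   # assumed path, loosely modelled on Plan 9's /net

@dataclass
class AuditedFile:
    path: str
    log: list = field(default_factory=list)   # events visible at the file layer
    state: str = "idle"                       # meaning visible only at the overlay

    def open(self):
        self.log.append(("open", self.path))

    def write(self, data: bytes):
        # The file layer can record that a write happened and how large it was;
        # the command inside the bytes is opaque to it.
        self.log.append(("write", self.path, len(data)))
        op, _, arg = data.decode().partition(" ")
        if op == "connect":
            self.state = f"connected:{arg}"
        elif op == "hangup":
            self.state = "idle"

    def close(self):
        self.log.append(("close", self.path))

def file_layer_policy(event) -> bool:
    # Mediation at the read/write/open/close layer: decides on op and path only.
    return event[1] == CTL_PATH and event[0] in {"open", "write", "close"}

def overlay_policy(cmd: str, allowed_hosts=("10.0.0.5",)) -> bool:
    # Mediation at the overlay layer: must understand the command grammar.
    op, _, arg = cmd.partition(" ")
    if op != "connect":
        return True
    host, _, _port = arg.partition("!")
    return host in allowed_hosts

def run_session(commands, use_overlay_policy: bool):
    """Replay commands; return (file-layer audit log, commands that took effect)."""
    f = AuditedFile(CTL_PATH)
    f.open()
    accepted = []
    for cmd in commands:
        if use_overlay_policy and not overlay_policy(cmd):
            continue          # only an overlay-aware mediator can refuse here
        f.write(cmd.encode())
        accepted.append(cmd)
    f.close()
    return f.log, accepted
```

With only the file-layer policy every write to the ctl path is acceptable, so the audit trail records three writes of 19, 6 and 23 bytes but cannot say which connection was requested.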
