[cap-talk] What sustained interest in capabilities
Rob Meijer
capibara at xs4all.nl
Mon Dec 29 16:50:42 EST 2008
On Mon, December 29, 2008 20:09, David-Sarah Hopwood wrote:
>> The "impedance mismatch" is also far less of a problem than it may
>> seem, it turns out, for reasons I won't elaborate on in detail here,
>> but in brief it's because once you wrap an external ACL-based service
>> in a capability (which can have arbitrarily complex code controlling
>> access), the laws of capability authority transfer then take over.
>> You really don't have to think in terms of ACLs at all, or the fact
>> that the service itself is unaware of the capability wrapper, from the
>> POV of the layer it is pure capabilities.
>
> I disagree. Complexity is the enemy of security, and it's not possible
> to make a system simpler by adding layers. Since an ACL layer is
> typically already too complicated, it is only by removing such layers
> that we can obtain a high degree of confidence in the security of the
> whole system.
I think it is definitely possible to make a system simpler by adding
layers, in fact layering is an important tool in keeping complexity
manageable.
Adding a layer on top of a preexisting complex layer that exposes a
simpler interface to upper layers can certainly reduce the complexity of
higher layers to an extent that more than compensates for the complexity
of the intermediate layer. You could look at it partly like removing a
layer by adding a layer. AppArmor + my MinorFs project for example remove
a (complex) ACL layer from visibility to higher layers by adding
additional layers on top of that ACL layer.
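To make the "wrap an ACL service in a capability" argument concrete, here is an added illustration that is not code from this thread, from AppArmor, or from MinorFs. The `AclFileService`, `FileCap` and `viewer` names, the sample path and the principal names are all constructed for the example; the point it demonstrates is that once the ACL service sits behind a capability object, the layer above deals only in references (and attenuated references), while the ACL keeps being enforced underneath without that layer needing to know.

```python
"""Added illustration (not from the cap-talk thread, AppArmor or MinorFs):
an ACL-based service hidden behind capability objects, so that layers above
the wrapper reason only about object references, never about principals
or ACL entries. All class names, paths and principals are constructed."""
from __future__ import annotations


class AclFileService:
    """Constructed stand-in for an external ACL-based service: every call
    names a principal, and the service checks that principal against a
    per-path ACL. Nothing above the wrapper should ever call this directly."""

    def __init__(self) -> None:
        # path -> principal -> set of rights ("read", "write")
        self._acl: dict[str, dict[str, set[str]]] = {}
        self._data: dict[str, bytes] = {}

    def grant(self, path: str, principal: str, rights: set[str]) -> None:
        self._acl.setdefault(path, {}).setdefault(principal, set()).update(rights)

    def _check(self, principal: str, path: str, right: str) -> None:
        if right not in self._acl.get(path, {}).get(principal, set()):
            raise PermissionError(f"ACL denies {right} on {path} to {principal}")

    def read(self, principal: str, path: str) -> bytes:
        self._check(principal, path, "read")
        return self._data.get(path, b"")

    def write(self, principal: str, path: str, data: bytes) -> None:
        self._check(principal, path, "write")
        self._data[path] = data


class FileCap:
    """Capability wrapper: binds the service, one principal and one path into
    a single reference. Whoever holds the reference can use it; the principal
    never appears in the interface, so the upper layer sees pure capabilities.
    (CPython does not make attributes unforgeable; a real capability runtime
    would enforce the encapsulation that __slots__ only hints at here.)"""

    __slots__ = ("_svc", "_principal", "_path", "_rights")

    def __init__(self, svc: AclFileService, principal: str, path: str,
                 rights: frozenset[str] = frozenset({"read", "write"})) -> None:
        self._svc = svc
        self._principal = principal
        self._path = path
        self._rights = rights

    def read(self) -> bytes:
        if "read" not in self._rights:
            raise PermissionError("capability lacks read")
        return self._svc.read(self._principal, self._path)  # ACL still enforced underneath

    def write(self, data: bytes) -> None:
        if "write" not in self._rights:
            raise PermissionError("capability lacks write")
        self._svc.write(self._principal, self._path, data)

    def read_only(self) -> "FileCap":
        """Attenuation: derive a strictly weaker capability to hand to others."""
        return FileCap(self._svc, self._principal, self._path,
                       self._rights & frozenset({"read"}))


def viewer(cap: FileCap) -> bytes:
    """A component in a higher layer. Its whole authority is the reference it
    was passed; it holds no service handle, no principal and no path to name."""
    return cap.read()


def build_demo() -> dict[str, object]:
    svc = AclFileService()
    path = "/home/alice/notes.txt"                  # constructed sample path
    svc.grant(path, "alice", {"read", "write"})     # ACL configured once, below the wrapper

    full = FileCap(svc, "alice", path)
    full.write(b"hello from alice")

    ro = full.read_only()                           # delegate only read authority
    seen = viewer(ro)

    try:
        ro.write(b"tampered")
        ro_write_refused = False
    except PermissionError:
        ro_write_refused = True

    # A capability minted for a principal the ACL never granted still fails:
    # the wrapper does not re-implement the ACL, it just forwards to it.
    try:
        FileCap(svc, "bob", path).read()
        acl_still_enforced = False
    except PermissionError:
        acl_still_enforced = True

    return {"seen": seen, "ro_write_refused": ro_write_refused,
            "acl_still_enforced": acl_still_enforced}


if __name__ == "__main__":
    print(build_demo())
```

The `viewer` component is where the layering pays off: it can be reviewed without reading a single ACL rule, because the only authority it can exercise is the `FileCap` it was handed, and `read_only()` shows that delegation can be narrowed on the way down without touching the ACL at all.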