[cap-talk] Newbie questions about security

James Morris jmorris at namei.org
Wed Jan 9 20:41:17 EST 2008


On Thu, 20 Dec 2007, Jed Donnelley wrote:

> You might find this recent talk on object capabilities:
> 
> http://youtube.com/watch?v=EGX2I31OhBE
> 
> worth listening to.  There are others if you find that
> one worthwhile.

Thanks for the high level overview of this area -- very useful!

One of the questions which came up in the talk was about how you'd extend 
this model over the network.  Something perhaps to consider here is how 
the current Labeled NFS work might be useful.  The project mailing list is 
at:

http://linux-nfs.org/pipermail/labeled-nfs/

The first message has some useful introductory information.

The general idea with Labeled NFS is to convey object and subject security 
labels over NFS, to facilitate remote security labeling operations and the 
application of MAC policy to remote objects and subjects.

While this is based around requirements for MAC, I suspect this mechanism 
might also be of use in conveying and controlling authority via references 
to distributed objects.  e.g. it should allow the idea of "file descriptor 
as capability" to be applied to remote filesystem objects via NFS.



- James
-- 
James Morris
<jmorris at namei.org>


More information about the cap-talk mailing list