[cap-talk] Newbie questions about security
James Morris
jmorris at namei.org
Wed Jan 9 20:41:17 EST 2008
On Thu, 20 Dec 2007, Jed Donnelley wrote:
> You might find this recent talk on object capabilities:
>
> http://youtube.com/watch?v=EGX2I31OhBE
>
> worth listening to. There are others if you find that
> one worthwhile.
Thanks for the high level overview of this area -- very useful!
One of the questions which came up in the talk was about how you'd extend
this model over the network. Something perhaps to consider here is how
the current Labeled NFS work might be useful. The project mailing list is
at:
http://linux-nfs.org/pipermail/labeled-nfs/
The first message has some useful introductory information.
The general idea with Labeled NFS is to convey object and subject security
labels over NFS, to facilitate remote security labeling operations and the
application of MAC policy to remote objects and subjects.
While this is based around requirements for MAC, I suspect this mechanism
might also be of use in conveying and controlling authority via references
to distributed objects. e.g. it should allow the idea of "file descriptor
as capability" to be applied to remote filesystem objects via NFS.
- James
--
James Morris
<jmorris at namei.org>
More information about the cap-talk
mailing list