[cap-talk] mandatory vs. discretionary distinction - more, clarification

Duncan Grove duncan.grove at dsto.defence.gov.au
Sun Jan 20 19:44:26 EST 2008


cap-talk-request at mail.eros-os.org wrote:
> Message: 1
> Date: Sat, 19 Jan 2008 10:09:35 -0800
> From: Jed Donnelley <capability at webstart.com>
> Subject: [cap-talk] mandatory vs. discretionary distinction - more
> 	clarification
> To: "General discussions concerning capability systems."
> 	<cap-talk at mail.eros-os.org>
> Message-ID: <200801191809.m0JI9nab029112 at www.eros-os.com>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
>   
> How about the other MLS folks on the list.  What does
> the MAC vs. discretionary distinction mean for them?
>   
I've always hated the terms "mandatory" and "discretionary". I put them 
in quotes because they are rubbery. Whether a policy is "mandatory" or 
"discretionary" depends on your point of view. For example, the trusted 
reviewer in your example has "discretionary" power to effect what you 
called "mandatory" policy.

To me, the only realistic "mandatory" policy in the [object] capability 
model is that you can't access another object without a valid 
capability to that object (i.e. the "system's" access check is 
"mandatory"). *Everything* else is discretionary, depending on your 
point of reference. (Aside: similarly I always argue that the "policy" 
*is* the implementation; trying to specify "policy" separately to 
"implementation" is pointless; hence a strong, formally verifiable 
combined implementation/policy language is critical; the problems 
arising through compilers, verification tools etc also being part of the 
implementation is left as an exercise for the reader ;-). One other 
"mandatorily"-enforced policy I would *possibly* stoop to is that 
disjoint object graphs will remain disjoint, giving you "mandatory" 
Multi Level Security aka MLS (or more precisely Mandatory Independent 
Levels of Security aka MILS).

Duncan

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914.  If you have received this email in error, you are requested to contact the sender and delete the email.
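The following is an added example, not code from the post above or from any capability system it mentions. It models in Python the two points Duncan makes: the only check the "system" enforces is that an object can invoke another only through a reference it already holds, and two object graphs with no references between them stay disjoint until some object holding both sides chooses to pass a reference across (the "discretionary" act of a trusted reviewer). The names CapObject, delegate, reviewer and the two-level sample graph are assumptions made for illustration.

```python
"""Object-capability toy model: authority is reachability (added example).

Assumed names: CapObject, reachable, delegate, build_example, demo.
The sample graph (high/low with one file each) is constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CapObject:
    """An object that can only invoke objects it holds a reference to."""
    name: str
    refs: dict[str, CapObject] = field(default_factory=dict)

    def grant(self, label: str, target: CapObject) -> None:
        """Store a capability under a label (used by delegate below)."""
        self.refs[label] = target

    def invoke(self, label: str) -> CapObject:
        """The single 'mandatory' check: no reference, no access."""
        try:
            return self.refs[label]
        except KeyError:
            raise PermissionError(f"{self.name} holds no capability {label!r}") from None


def reachable(root: CapObject) -> set[str]:
    """Transitive closure of references: everything root could ever invoke."""
    seen: set[str] = set()
    stack = [root]
    while stack:
        obj = stack.pop()
        if obj.name in seen:
            continue
        seen.add(obj.name)
        stack.extend(obj.refs.values())
    return seen


def graphs_disjoint(a: CapObject, b: CapObject) -> bool:
    """True when nothing reachable from a is reachable from b."""
    return not (reachable(a) & reachable(b))


def delegate(holder: CapObject, cap_label: str, to_label: str, new_label: str) -> None:
    """Discretionary delegation: holder passes the capability cap_label to the
    object it reaches via to_label. Both lookups go through invoke(), so the
    holder needs a reference to the recipient as well as to the capability."""
    recipient = holder.invoke(to_label)
    recipient.grant(new_label, holder.invoke(cap_label))


def build_example() -> tuple[CapObject, CapObject, CapObject]:
    """Constructed sample: two independent 'levels', each holding its own file."""
    secret_file = CapObject("secret_file")
    public_file = CapObject("public_file")
    high = CapObject("high", {"file": secret_file})
    low = CapObject("low", {"file": public_file})
    return high, low, secret_file


def demo() -> dict[str, object]:
    """Run the scenario and return observable results for checking."""
    high, low, secret_file = build_example()
    out: dict[str, object] = {}
    out["low_reads_public"] = low.invoke("file").name
    try:                                   # low holds no capability to the secret
        low.invoke("secret")
        out["low_reads_secret"] = True
    except PermissionError:
        out["low_reads_secret"] = False
    out["disjoint_before"] = graphs_disjoint(high, low)
    try:                                   # high cannot leak: no reference to low
        delegate(high, "file", "peer", "leaked")
        out["leak_without_path"] = True
    except PermissionError:
        out["leak_without_path"] = False
    # A reviewer that holds both the secret and a reference to low bridges the
    # graphs; nothing 'mandatory' stops it, the decision is the reviewer's.
    reviewer = CapObject("reviewer", {"secret": secret_file, "low": low})
    delegate(reviewer, "secret", "low", "leaked")
    out["low_reads_leaked"] = low.invoke("leaked").name
    out["disjoint_after"] = graphs_disjoint(high, low)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the scenario step by step: low reads only its own file, high cannot hand its file to a level it has no reference to, and the graphs merge only once the reviewer object that can reach both sides delegates across.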