> On Jun 6, 2019, at 11:33 AM, Casey Schaufler <ca...@schaufler-ca.com> wrote:
>
>> On 6/6/2019 10:11 AM, Andy Lutomirski wrote:
>>> On Thu, Jun 6, 2019 at 9:43 AM Casey Schaufler <ca...@schaufler-ca.com>
>>> wrote:
>>> ...
>>> I don't agree. That is, I don't believe it is sufficient.
>>> There is no guarantee that being able to set a watch on an
>>> object implies that every process that can trigger the event
>>> can send it to you.
>>>
>>> Watcher has Smack label W
>>> Triggerer has Smack label T
>>> Watched object has Smack label O
>>>
>>> Relevant Smack rules are
>>>
>>> W O rw
>>> T O rw
>>>
>>> The watcher will be able to set the watch,
>>> the triggerer will be able to trigger the event,
>>> but there is nothing that would allow the watcher
>>> to receive the event. This is not a case of watcher
>>> reading the watched object, as the event is delivered
>>> without any action by watcher.
>> I think this is an example of a bogus policy that should not be
>> supported by the kernel.
>
> At this point it's pretty hard for me to care much what
> you think. You don't seem to have any insight into the
> implications of the features you're advocating, or their
> potential consequences.
>
>
Can you try to spell it out, then? A mostly or fully worked out example might
help.
As Stephen said, it looks like you are considering cases where there is already
a full communication channel between two processes, and you’re concerned that
this new mechanism might add a side channel too. If this is wrong, can you
explain how?
