On Fri, Aug 31, 2007 at 10:46:02AM -0500, Mikel L. Matthews wrote:
> >Let me say it again:  that's how mandatory access control is supposed to
> >work.  A program (or user) isn't supposed to be able to delegate access
> >under a mandatory policy.
> 
> How about looking at it this way, I work for company A and therefore 
> I can see all of their engineering documents. You work for company B and 
> are not supposed to see any of our engineering documents. Company A's 
> policy states that I can't disclose company private information to 
> anyone who is not cleared for it. So by giving you access to this 
> information (either by telling you (e.g., passing a file descriptor) or 
> handing you a document) I am in violation of company policy. MAC is 
> there to enforce the company policy so I won't give you the information 
> you are not supposed to have.

... except, of course, the fact that there's nothing to stop you from talking
to me over the same channel and marshalling all IO to that file.
 
Frankly, a much saner alternative would be to have file-passing as
_replacement_ for any capabilities-changing mechanisms (i.e. "has
capability" == "has the right opened file available" and "gain capability"
== "talk somebody who grants it into passing such a file to you").  But that
would be a different system with differently designed userland...
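The delegation both messages are arguing about, as an added example that is not code from this thread: one process hands an open descriptor to another over a UNIX socket with SCM_RIGHTS, and the receiver reads the file without ever having opened it (the sender even unlinks it first). Assumes Linux/POSIX and a writable /tmp; the names send_fd, recv_fd and pass_and_read are mine, not from any project.

```c
/* Added example: pass an open file descriptor with SCM_RIGHTS. The receiver
 * never calls open() on the file, so no path-based check runs on its side.
 * Assumes Linux/POSIX and a writable /tmp. Helper names are made up here. */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
/* Send one fd as ancillary data (one payload byte is required). 0 on success. */
static int send_fd(int sock, int fd) {
    char byte = 'F', ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive an fd; returns the new descriptor number in this process, or -1. */
static int recv_fd(int sock) {
    char byte, ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}
/* Child (the process cleared for the file) writes `secret` to an unlinked temp
 * file and passes its fd; parent reads it back through that fd. Returns the
 * byte count if the receiver read exactly `secret`, else -1. */
int pass_and_read(const char *secret) {
    int sv[2]; char buf[256];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (fork() == 0) {                        /* sender side */
        char tmpl[] = "/tmp/fdpass-XXXXXX";
        int fd = mkstemp(tmpl);
        if (fd < 0) _exit(1);
        unlink(tmpl);                         /* no path is left for the receiver to open */
        if (write(fd, secret, strlen(secret)) < 0 || lseek(fd, 0, SEEK_SET) < 0) _exit(1);
        _exit(send_fd(sv[1], fd) == 0 ? 0 : 1);
    }
    close(sv[1]);                             /* so recvmsg sees EOF if the child sends nothing */
    int fd = recv_fd(sv[0]);                  /* receiver side: never called open() */
    wait(NULL);
    ssize_t r = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    close(fd); close(sv[0]);
    return r == (ssize_t)strlen(secret) && memcmp(buf, secret, r) == 0 ? (int)r : -1;
}
```

A MAC policy that wants to block this has to mediate the descriptor transfer itself, not only open(); and, as the reply above points out, the same socket could just as well carry the file's bytes.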
