Posted Sep 23, 2004 10:09 UTC (Thu) by zooko
In reply to: Complexity
Parent article: An introduction to SELinux
I think you are on the right track. In my view, the ultimate goal should be an object-capability system, as described in Paradign Regained . Paradigm Regained starts with a good, simple motivating question: "How much authority does cp need?".
My litmus test for this issue is: what access control system will allow me to download a dancing bear program from dancingbears.ru and run it on my desktop, without taking any explicit action to indicate that I want it to have limited permissions, and still be safe from any malicious thing that the dancing bear program might try to do?
I saw a demo of exactly that, using the CapDesk object-capability access control system, demoed by Marc Stiegler.
Any access control system that can't do that isn't good enough for me.
So for me, the question of what kind of access control system to use has an obvious answer: use the object-capability paradigm. The question of how to make it sufficiently backwards-compatible to gain users does not have an obvious answer. The CapDesk demo could not run dancing bear .exe's, nor dancing bear x86 glibc executables. It could only run dancing bear programs written in the E language.
to post comments)