Fw: PERFORCE change 18676 for review
Adam Migus
amigus at tislabs.com
Wed Oct 16 22:26:54 GMT 2002
Ilmar,

I selected '+' because I couldn't use ',', which can't be used because it's
the policy string delimiter and using it in two contexts would require
context-sensitive parsing in the kernel. Since that's not going to happen
anytime soon, we have '+'. If you picked the delimiter, what would it be and
why?

In future someone (read: probably me) will implement a userland name mapping
scheme so we can have more meaningful labels. Schedules and priorities
preclude doing so right now. If you feel so inclined and/or don't want to
wait, please forward your patches. :-)

Please note, Robert and I have two separate sets of changes pending
integration into the main MAC tree. Robert's are kernel string handling and
associated libc changes. Mine are framework/policy and framework/userland
API changes. Both of these changes will likely affect how this would be
implemented. Thus I'd hold off until you see them in the tree. ETA on
Robert's patch is 1-2 days, ETA on mine is 2-3 days.

Adam

> -----Original Message-----
> From: Ilmar S. Habibulin [mailto:ilmar at watson.org]
> Sent: Wednesday, October 16, 2002 4:14 AM
> To: Adam Migus
> Cc: cboss at tislabs.com; trustedbsd-discuss at trustedbsd.org
> Subject: Re: Fw: PERFORCE change 18676 for review
>
>
>
> On Fri, 4 Oct 2002, Adam Migus wrote:
>
> > All,
> > I've just submitted my implementation of compartments for the MAC/MLS
> > policy. The commit message below contains the details. If you have any
> > questions let me know. Please note: This increases the size of the label
> > in userland. Consequently, persistent label store will need to be
> > reinitialized.
> I thought that compartments should be implemented in the BIBA model too. And
> IPSEC RFCs say so.
>
> Is '+' the only possible delimiter? And do you plan to use more
> human-readable label text? I had some sort of dictionaries in /etc/mac and
> mac_{to,from}_text() use these dictionaries, translating labels from
> human-readable text to machine representation. So there was
> mac/secret+proj_a+proj_b, not mac/1+1+2.
>
>
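
The delimiter point in this thread, as an added example that is not part of the original messages or of the TrustedBSD code: because ',' only ever ends a policy element and '+' only ever separates fields inside one, a label string can be decoded with plain left-to-right scanning and no context tracking. The dictionary entries (chosen so that `secret+proj_a+proj_b` decodes to the same values as `1+1+2`), the bitmask representation, the 64-compartment limit and the function names are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical name dictionaries (constructed sample data, not from /etc/mac). */
struct name_map { const char *name; int value; };
static const struct name_map levels[] = { {"secret", 1}, {NULL, 0} };
static const struct name_map comps[] = { {"proj_a", 1}, {"proj_b", 2}, {NULL, 0} };

/* Decimal tokens pass through, names are looked up; -1 if empty or unknown. */
static int lookup(const struct name_map *m, const char *tok, size_t len)
{
    char buf[32], *end;
    long v;

    if (len == 0 || len >= sizeof(buf))
        return -1;
    memcpy(buf, tok, len);
    buf[len] = '\0';
    v = strtol(buf, &end, 10);
    if (*end == '\0')                     /* whole token was a number */
        return (v >= 0 && v < 64) ? (int)v : -1;
    for (; m->name != NULL; m++)
        if (strcmp(m->name, buf) == 0)
            return m->value;
    return -1;
}

/*
 * Find "policy/level+comp+..." in a ','-separated label string and decode it
 * into a level and a compartment bitmask (assumed representation).
 * Returns 0 on success, -1 if the policy is absent or a token is invalid.
 */
int parse_label(const char *s, const char *policy, int *level,
    unsigned long long *mask)
{
    size_t plen = strlen(policy), n;
    int first = 1, v;

    while (strncmp(s, policy, plen) != 0 || s[plen] != '/') {
        if ((s = strchr(s, ',')) == NULL) /* ',' only ever ends an element */
            return -1;
        s++;
    }
    *mask = 0;
    for (s += plen + 1;; s += n + 1, first = 0) {
        n = strcspn(s, "+,");             /* '+' only splits inside an element */
        if ((v = lookup(first ? levels : comps, s, n)) < 0)
            return -1;
        if (first) *level = v; else *mask |= 1ULL << v;
        if (s[n] != '+')
            return 0;
    }
}
```

Empty fields such as `mac/1++2` and unknown names are rejected rather than skipped, so a malformed label never decodes to a weaker one.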