[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Filter approaches (was: Re: [PATCH] enable /proc/$$/loginuid)



--- Leigh Purdie <Leigh Purdie intersectalliance com>
wrote:

> So, we have four alternative approaches here I
> think: ...

A better way to look at it might be to have the
kernel deal with the "object policy" view and
have the daemon deal with the "user interface"
view. The kernel should filter on "accesses by
Leigh", and the daemon should filter files named
"*[Pp]urdie*". The kernel has to know that the
daemon wants to see all pathnames and pass them
along, and the daemon has to tell the kernel
what sort of records it needs to look at.

A dumb kernel will overwhelm the daemon, especially
if the daemon is smart. A kernel that tries to do
regular expressions is is trouble. No CAPP policy
is going to use wildcards, and "real" sysadmins
don't care about subject/object modeling.


=====
Casey Schaufler
casey schaufler-ca com


		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]