ACL evaluation: interaction between "best match" and privilege

Casey Schaufler casey at sgi.com
Fri Sep 22 16:01:18 GMT 2000


Robert Watson wrote:

> ...  However, this section does not describe how the ACL
> access check interacts with the CAP_DAC_* privilege described in the
> capabilities section, which allow individual capabilities to override
> specific lack of authorization via DAC checks.  While the result is
> un-ambiguous in a fundamental sense (at the end of the day, either they
> have sufficient rights or they don't), the definition of "best match" in
> the face of extra privileges is ambiguous.

We have to get systemically philosophical to address this issue.
I'll attempt to explain how I'd address this, then let y'all
shred my arguments.

If a system has audit (What? I thought we were talking about ACLs.
Yes, we are. I said it was a systemic issue, didn't I? Now be
patient) we want to record not only whether an operation
succeeded or failed, but why. Thus, I want to do a complete
access control check (in this case, completely resolve the ACL)
before I check for any capabilities. Why? So that I can mark
which capabilities are actually used in the audit record.
If I do capability checks first, or if I intermix them with
strict policy checking, that information can be incorrect.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey at sgi.com				voice: 650.933.1634
casey_p at pager.sgi.com			Pager: 888.220.0607
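The ordering argued for in the post, as an added illustration that is not part of the original message or of any POSIX.1e implementation: a hypothetical model that resolves the ACL completely (owner, named user, "best match" among group entries under the mask, other), and only on denial looks for a CAP_DAC_* capability that could stand in for the missing bits, recording that capability in the audit record. A second function checks capabilities first and shows why the post calls the resulting audit data incorrect: the access decision is identical, but the record claims a capability was used even when plain DAC would have granted the request. The ACL, uids, gids and capability-to-permission mapping are constructed sample values; CAP_DAC_READ_SEARCH is simplified to cover read only, and the execute-bit rule for CAP_DAC_OVERRIDE is omitted.

```python
from dataclasses import dataclass

# ACL entry tags, loosely following the POSIX.1e draft names.
USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER = (
    "user_obj", "user", "group_obj", "group", "mask", "other")

# Which capability may stand in for a missing permission bit (simplified
# model: CAP_DAC_OVERRIDE covers r, w, x; CAP_DAC_READ_SEARCH covers r only).
OVERRIDES = {"r": ("CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"),
             "w": ("CAP_DAC_OVERRIDE",),
             "x": ("CAP_DAC_OVERRIDE",)}


@dataclass(frozen=True)
class AclEntry:
    tag: str
    perms: str           # subset of "rwx", e.g. "rw"
    qualifier: int = -1  # uid or gid for USER / GROUP entries


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset
    caps: frozenset = frozenset()


@dataclass
class AuditRecord:
    requested: str
    acl_result: "bool | None"  # what strict DAC policy alone decided (None: never resolved)
    caps_used: tuple = ()      # capabilities the grant actually relied on
    granted: bool = False


def _has(perms, requested):
    return all(p in perms for p in requested)


def _masked(entry, mask):
    return "".join(p for p in entry.perms if p in mask)


def resolve_acl(acl, owner_uid, owner_gid, subject, requested):
    """Complete POSIX.1e-style ACL resolution with no privilege involved."""
    mask = next((e.perms for e in acl if e.tag == MASK), "rwx")
    if subject.uid == owner_uid:
        return _has(next(e.perms for e in acl if e.tag == USER_OBJ), requested)
    for e in acl:
        if e.tag == USER and e.qualifier == subject.uid:
            return _has(_masked(e, mask), requested)
    groups = [e for e in acl
              if (e.tag == GROUP_OBJ and owner_gid in subject.gids)
              or (e.tag == GROUP and e.qualifier in subject.gids)]
    if groups:
        # "best match" among group entries: any one granting all bits suffices
        return any(_has(_masked(e, mask), requested) for e in groups)
    return _has(next(e.perms for e in acl if e.tag == OTHER), requested)


def check_access(acl, owner_uid, owner_gid, subject, requested):
    """Resolve the ACL fully first; consult capabilities only on denial, so
    the audit record names exactly the capability the grant depended on."""
    rec = AuditRecord(requested,
                      resolve_acl(acl, owner_uid, owner_gid, subject, requested))
    if rec.acl_result:
        rec.granted = True
        return rec
    for cap in sorted(subject.caps):
        if all(cap in OVERRIDES[p] for p in requested):
            rec.caps_used, rec.granted = (cap,), True
            break
    return rec


def check_access_caps_first(acl, owner_uid, owner_gid, subject, requested):
    """The ordering the post argues against: capabilities before the ACL.
    Same decision, but the record blames a capability even when plain DAC
    would have granted the request."""
    for cap in sorted(subject.caps):
        if all(cap in OVERRIDES[p] for p in requested):
            return AuditRecord(requested, None, caps_used=(cap,), granted=True)
    rec = AuditRecord(requested,
                      resolve_acl(acl, owner_uid, owner_gid, subject, requested))
    rec.granted = rec.acl_result
    return rec


# Constructed sample: a file owned by uid 1000 / gid 100 with an extended ACL.
OWNER_UID, OWNER_GID = 1000, 100
ACL = (
    AclEntry(USER_OBJ, "rw"),
    AclEntry(USER, "r", qualifier=2000),
    AclEntry(GROUP_OBJ, "r"),
    AclEntry(GROUP, "rw", qualifier=200),
    AclEntry(MASK, "rw"),
    AclEntry(OTHER, ""),
)

if __name__ == "__main__":
    owner = Subject(1000, frozenset({100}), frozenset({"CAP_DAC_OVERRIDE"}))
    print(check_access(ACL, OWNER_UID, OWNER_GID, owner, "w"))
    print(check_access_caps_first(ACL, OWNER_UID, OWNER_GID, owner, "w"))
```

Running the block prints two records for the same privileged owner writing to the file: the ACL-first record shows `caps_used=()` because the ACL alone granted the write, while the capabilities-first record shows `caps_used=('CAP_DAC_OVERRIDE',)` and never resolved the ACL at all.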