Re: what's next for the linux kernel?

[Valdis . Kletnieks]

On Thu, 06 Oct 2005 11:31:59 +0200, Helge Hafting said:

> You can have a restricted "copy" program, but nothing prevents a
> user from making his own copy program, if he can read the file.

Right, but a properly functioning and sufficiently fascist MAC system won't let
the user create a file in other security contexts that can be read by people
outside that context. See the recent work on supporting MLS (multi-level
security) and MCS (multi-category) in the SELinux tree...

> Or the user can load the file into the intended app, and "save as"

Again, "save as" doesn't create a file the other person can read unless the
other person is authorized.

> to some other filename and directory.  Or the user can do a screendump,

You *did* know that there's X hooks for Selinux, so that unauthorized applications
can't snarf the pixels of somebody else's window, right? ;)

> or even take a picture of the screen.

Not much we can do here.  On the other hand, it certainly creates a very low
upper limit on how much info you can extract how quickly... ;)

> Company policy may of course forbid the user to bring a camera, just as it
> might forbid the user to do "chmod o+r" on important files.  I am not
> sure that we need the OS to try to enforce such things. 

No, that is indeed outside the kernel's area.

Attachment: pgp00000.pgp
Description: PGP signature