Re: cgroup: status-quo and userland efforts

From: Luke Kenneth Casson Leighton
Date: Wed Mar 04 2015 - 06:28:00 EST

On Wed, Mar 4, 2015 at 5:08 AM, David Lang <david@xxxxxxx> wrote:
> On Tue, 3 Mar 2015, Luke Leighton wrote:

>> whilst the majority of people view management to be "hierarchical"
>> (so there is a top dog or God process and everything trickles down
>> from that), this is viewed as such an anathema in the security
>> industry that someone came up with a formal specification for the
>> real-world way in which permissions are managed,

sorry i should have said "managed in the security esp. defense industry"

>> and it's called the FLASK model.
> On this topic it's also worth reading Neil Brown's series of articles on
> this over at

oo good background, thank you david. happily reading now :)

> and why he concludes that having a single hierarchy for all resource types.

i think.... having a single hierarchy is fine *if* and only if it is
possible to overlay something similar to SE/Linux policy files -
enforced by the kernel *not* by userspace (sorry serge!) - such that
through those policy files any type of hierarchy be it single or multi
layer, recursive or in fact absolutely anything, may be emulated and
properly enforced.
