[anonsec] BYPASS OR PROTECT
Nicolas.Williams at sun.com
Wed Apr 4 08:47:59 PDT 2007
On Wed, Apr 04, 2007 at 11:17:57AM -0400, Stephen Kent wrote:
> Good points. I think this says we may need another SPD extension,
> one that marks rules as ones that are inviolable, vs. ones that may
> be overridden by a user/app as you described above.
Another way to look at it is to have system policy determine insertion
points into the SPD for app-requested rules -- since the SPD is ordered
then the insertion points determine what rules the apps can "punch
holes" into. There could be multiple such insertion points,
corresponding to multiple local privilege levels.
So the SPD extension, then, would be a rule type that declares an
insertion point for specific applications or local privileges.
Since there's more than one way to represent this we need English-
language text and a canonical representation that implementors can
ignore, provided that they provide equivalent functionality.
Personally I prefer the insertion point approach since it does not
require modifying existing rules. Your notion of "inviolable" rules
maps into placing such rules ahead of any insertion points.
More information about the ANONSEC