> On Jun 6, 2019, at 11:33 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > >> On 6/6/2019 10:11 AM, Andy Lutomirski wrote: >>> On Thu, Jun 6, 2019 at 9:43 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: >>> ... >>> I don't agree. That is, I don't believe it is sufficient. >>> There is no guarantee that being able to set a watch on an >>> object implies that every process that can trigger the event >>> can send it to you. >>> >>> Watcher has Smack label W >>> Triggerer has Smack label T >>> Watched object has Smack label O >>> >>> Relevant Smack rules are >>> >>> W O rw >>> T O rw >>> >>> The watcher will be able to set the watch, >>> the triggerer will be able to trigger the event, >>> but there is nothing that would allow the watcher >>> to receive the event. This is not a case of watcher >>> reading the watched object, as the event is delivered >>> without any action by watcher. >> I think this is an example of a bogus policy that should not be >> supported by the kernel. > > At this point it's pretty hard for me to care much what > you think. You don't seem to have any insight into the > implications of the features you're advocating, or their > potential consequences. > > Can you try to spell it out, then? A mostly or fully worked out example might help. As Stephen said, it looks like you are considering cases where there is already a full communication channel between two processes, and you’re concerned that this new mechanism might add a side channel too. If this is wrong, can you explain how?
