What is EFI?

Candy
Member
Posts: 3882
Joined: Tue Oct 17, 2006 11:33 pm
Location: Eindhoven

Post by Candy »

I'm against DRM because of the principle of it. It revolves around restricting the user in an arbitrary way what he or she can do with content on the computer. In that way, DRM isn't applicable to OS software (since it's not content in the media definition).

For OSes, there's a completely different thing about system integrity. That again revolves around making the computer its own stand-alone system with its self-defence systems and so on. That's more about what can and can not enter the kernel and who is or is not to be seen as a true user of the system.

The can/cannot go into kernel bit can be handled by a number of items. Most of these are to do with computer integrity and therefore need a way of indicating whether or not they are approved by somebody, whoever they are. There also needs to be, as far as I'm concerned, a way for the user to override whatever the system says and/or recommends. The recommendations must be relevant and correct as far as the computer can tell. The user should, at all times, have full control over his or her computer, no matter what.

Then you get to the "who is a user" question. There are a number of cases for this, the three most likely (imo) are:

- Private environment
- System owner (dad or such)
- The system owner should always be allowed to do whatever he or she likes to do.
- Normal user (dad, son, mom, daughter, friends)
- The normal users should be able to run all programs they please, but may not interfere with system integrity. They may also have their own files, may share files and directories, may form ad-hoc groups and so on. They can also use the computer for connecting to other systems, but should not be able to use the computer to host services unless explicitly permitted.
- Guest user
- This is a special case of a normal user with the local storage strongly limited and preferably in RAM. The guest should not be a full user, should be strongly limited in connectivity and should not be given or allowed to modify the local storage.
- Foreign (illegal) user
- This user should not be allowed access to any bit of the computer and should, in no circumstances, be allowed system level access.
- Corporate environment:
- System management / administrator, equal to system owner above
- Normal user, equal to normal user above
- Guest user does not apply
- Illegal users may not do anything, as above
- Power users. The power user is a user that may not be administrator by original definition (IE, he/she should not be able to harm system integrity) but he/she should be able to set everything up and modify the system to suit his/her needs. The power user should only be shielded from the system integrity, not from any bit of power.

That pretty much defines a few categories of limitation:
- No limits.
- Just system integrity
- System integrity and giving rights to unknown executables (not scripts)
- System proper, including all installation, storage and connectivity except for removable storage. May only log in locally.
- As much as possible.

The first category should be as much limited as possible, the last should be applied to any the rest can't be found applicable to. The fourth class is limited to local users only, since the removable storage is only applicable to local users and the class is equal to the bottom one for other purposes. The bottom class limits as much as possible, including that all resources used in repelling the user should be as limited as possible.

Then you get the question, how do you save system integrity?

The easiest way, which I'm going to use, is to limit expanding the system function permanently to the top users and by using a capability-inspired logic to limit programs and subprograms they spawn to a certain limit. This includes a subspawn limit and capabilities such as accessing sockets and so forth. Users can then install self-permanently programs in their own area for personal use.

Ok, that's pretty much a useless blurb. I'm going to post it still :P
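The "capability-inspired" spawn limiting Candy sketches above, as an added illustration (not Candy's code, nor any real kernel's): every process carries a set of capabilities and a spawn budget, a child can only receive rights its parent already holds, the budget bounds the whole subtree, and only the owner tier may hold the system-extending capability. Capability names and tiers are hypothetical placeholders.

```python
"""Toy model of attenuated capabilities with a sub-spawn budget (constructed example)."""
from dataclasses import dataclass, field


class CapabilityError(PermissionError):
    """Raised when a request would exceed the rights of whoever asks."""


# Hypothetical capability names. "kernel.extend" stands for permanently
# changing system function, which Candy reserves for the top users.
SYSTEM_CAPS = frozenset({"kernel.extend"})


@dataclass
class Process:
    name: str
    caps: frozenset          # what this process may touch (e.g. "socket")
    spawn_budget: int        # how many descendants it may still create
    user_tier: str           # "owner", "normal" or "guest"
    children: list = field(default_factory=list)

    def spawn(self, name, caps, spawn_budget):
        caps = frozenset(caps)
        # Attenuation only: a child never gets a right its parent lacks.
        extra = caps - self.caps
        if extra:
            raise CapabilityError(f"{name}: cannot grant {sorted(extra)}")
        # Creating a child costs one unit, and the child's own budget is
        # carved out of the parent's, so the subtree can never outgrow
        # the budget the session started with.
        if self.spawn_budget < 1 + spawn_budget:
            raise CapabilityError(f"{name}: spawn budget exhausted")
        self.spawn_budget -= 1 + spawn_budget
        child = Process(name, caps, spawn_budget, self.user_tier)
        self.children.append(child)
        return child


def login(user, tier, requested_caps, spawn_budget):
    """Root process of a session; enforces the per-tier limits."""
    caps = frozenset(requested_caps)
    if tier != "owner" and caps & SYSTEM_CAPS:
        raise CapabilityError(f"{user}: tier '{tier}' may not extend the system")
    if tier == "guest":
        caps -= {"fs.write"}  # guests get no persistent local storage
    return Process(user, caps, spawn_budget, tier)
```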
Cheery
Member
Posts: 52
Joined: Wed Oct 18, 2006 4:39 am

Post by Cheery »

Candy, people say that we live in a deterministic world, meaning that there are no random events.
Windows Vista rapes you, cuts you and pisses inside. Though these are just nifty side-effects.