Hi OSDevvers, I have a question for you:
Are they useful?
What to you is a security policy?
How do you implement them? Or if you don't use them, how do you do security?
For me:
YES.
A security policy is a rule enforced on the system to prevent it from doing a supported action.
I implement this as a module to the AppAuthority user-kernel service that adds a rule and a level.
What do you guys do?
Thanks,
Lionel
Security Policies
Re: Security Policies
Hi,

Lionel wrote:
Hi OSDevvers, I have a question for you:
Are they useful?
What to you is a security policy?
How do you implement them? Or if you don't use them, how do you do security?

They may or may not be useful, depending on the specific type of security you're talking about (file system, network, IPC, processes?), and what sort of system it is for (e.g. games machine, public internet kiosk, file server, etc).
A security policy is a policy intended for security.
I implement them carefully.
Note: Please ask your professor/lecturer/teacher to supply sensible questions next time.
Cheers,
Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
Re: Security Policies
IMO there are two very different aspects of security policy: policy for user management and policy for application activities.
For policy of application activities, I very much liked the security policy model for applications in Android, except it might be too technical to present to a normal user (and they just skip the authorization altogether).
Things like firewalls are already moving to this idea:
You approve an application to do some sort of activity, instead of approving individual low-level API/port access.
For user management, I have nothing new to say.
- Combuster
Re: Security Policies
Detailed policies confuse users. And stupid users are the biggest cause of concern. They don't read the warnings an Android throws at them. They are annoyed by UAE because it costs you another ten seconds before you can see if you can get something done. And neither provides a decent way to tell the requester to GTFO and deal with the permissions *I* give you. In that regard Apple does it somewhat better by making the decision for its users, although their vendor lock-in methodology has tendencies towards unfair competition.
At any rate, keeping the stupid user safe is essential. Providing a somewhat arcane but otherwise properly documented developing backdoor should be sufficient to allow the wiser people to make use of the system without getting into the security war like the iOS jailbreaks.
- Lionel
Re: Security Policies
Thank you guys, this really helped me understand. I really like the capabilities idea, it seems sane. The problem for me is to incorporate that into a kernel space module and allowing it to communicate with my kernel, but not make it required to exist. Possibly part of the kernel? Also, I would make them process specific, but also have system wide ones (think Group Policy Editor for Windows, but for stuff that isn't useless and not security related).
Brendan: Not all of us have teachers, especially since I am in 8th grade.
Combuster: Since I plan to keep my security in a module, they could just unload it (as root, then re-entering password while big red scary letters tell them that if they do this, they can damage their system, and making them wait 5 seconds, and then making them say o instead of y to work). As for asking for permissions, I think I should do it Chrome style (dialog saying "you need this permission" it needs it to "do stuff", enter the administrator password).
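
One way to lay out the design discussed in this thread (process-specific and system-wide rules, with the policy module optional), as an added example that is not code from any poster or from Lionel's kernel. All names (`access_allowed`, `policy_register`, the `CAP_*` bits) are hypothetical, and it assumes the baseline capability checks stay in the kernel so that unloading the module removes only the extra rules:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical capability bits; none of these names come from the thread. */
enum { CAP_NET = 1 << 0, CAP_FS_WRITE = 1 << 1, CAP_RAW_IO = 1 << 2 };

struct process { int pid; uint32_t caps; };   /* process-specific grants */

/* Optional module hook: returns nonzero to veto the request. */
typedef int (*policy_hook_t)(const struct process *p, uint32_t cap);

static uint32_t system_mask = CAP_NET | CAP_FS_WRITE | CAP_RAW_IO; /* system-wide */
static policy_hook_t policy_hook = NULL;       /* NULL: no module loaded */

void policy_register(policy_hook_t h) { policy_hook = h; }
void policy_unregister(void)          { policy_hook = NULL; }
void system_policy_set(uint32_t mask) { system_mask = mask; }

/* Kernel-side check. The two mask tests live in the kernel, so they still
 * apply with the module unloaded; the module can only deny more. */
int access_allowed(const struct process *p, uint32_t cap)
{
    if ((p->caps & cap) != cap)     return 0;  /* process was never granted it */
    if ((system_mask & cap) != cap) return 0;  /* system-wide policy forbids it */
    if (policy_hook && policy_hook(p, cap)) return 0;  /* module veto */
    return 1;
}

/* Constructed module rule: only pid 1 may use raw I/O. */
static int sample_module_rule(const struct process *p, uint32_t cap)
{
    return (cap & CAP_RAW_IO) && p->pid != 1;
}

int main(void)
{
    struct process app = { 42, CAP_NET | CAP_RAW_IO };  /* constructed process */
    printf("no module, raw io:   %d\n", access_allowed(&app, CAP_RAW_IO));
    policy_register(sample_module_rule);
    printf("module,    raw io:   %d\n", access_allowed(&app, CAP_RAW_IO));
    policy_unregister();
    printf("unloaded,  fs write: %d\n", access_allowed(&app, CAP_FS_WRITE));
    return 0;
}
```

With this split, unloading the module returns the system to the kernel's built-in capability checks instead of to no checks at all.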