This is the mail archive of the systemtap@sources.redhat.com mailing list for the systemtap project.
separating policy and mechanism
- From: "Chen, Brad" <brad dot chen at intel dot com>
- To: <systemtap at sources dot redhat dot com>
- Date: Tue, 26 Apr 2005 14:34:14 -0700
- Subject: separating policy and mechanism
Separation of policy from mechanism is an established tenet of Unix system development. Here are a couple of results from a Google search to support this assertion:

http://www.faqs.org/docs/artu/ch01s06.html
http://c2.com/cgi/wiki?PolicyAndMechanism
An interesting question is how this principle might be applied on Systemtap. One possibility is in safety policy. We have talked periodically about "guru" and "safe" modes for Systemtap; these are both examples of safety policies that might be of interest to our users. Other examples might include:

- UID protection. A likely requirement for supporting non-root use of Systemtap
- Script-specific policies. A script developer might like to be able to allow a few specific kernel accesses which aren't allowed in 'safe' mode, but without dropping all the protection as in guru mode.
Here are some of the key questions in this context:

- Do we want to provide a facility to help Systemtap users specify safety policies?
- What other safety policies would we like Systemtap to support?
- What safety mechanisms might Systemtap provide? How could their behavior be configured by policies?
- Are there areas besides safety where we should be separating policy from mechanism?
Brad