This is the mail archive of the systemtap@sources.redhat.com mailing list for the systemtap project.



separating policy and mechanism


Separation of policy from mechanism is an established tenet 
of Unix system development. Here are a couple of results from 
a Google search to support this assertion:
	http://www.faqs.org/docs/artu/ch01s06.html
	http://c2.com/cgi/wiki?PolicyAndMechanism

An interesting question is how this principle might be applied
to Systemtap. One possibility is in safety policy. We have 
talked periodically about "guru" and "safe" modes for Systemtap; 
these are both examples of safety policies that might be of 
interest to our users. Other examples might include:
- UID protection. A likely requirement for supporting 
  non-root use of Systemtap
- Script-specific policies. A script developer might
  like to be able to allow a few specific kernel
  accesses which aren't allowed in 'safe' mode, but
  without dropping all the protection as in guru mode.

Here are some of the key questions in this context:
- Do we want to provide a facility to help Systemtap
  users specify safety policies?
- What other safety policies would we like Systemtap
  to support?
- What safety mechanisms might Systemtap provide? How
  could their behavior be configured by policies?
- Are there areas besides safety where we should be
  separating policy from mechanism?

Brad

