Zatoichi's Engineering Blog

Musings from a firmware engineer

Latest post

AppArmor and Its Performance Impact

14 Nov 2017

Mandatory Access Control

Traditional UNIX-based systems restrict which resources different users can access by labeling resources so that only a given user or group can access them. These controls are discretionary because a given user may be capable of passing a permission (directly or indirectly) to another user. An example would be creating a file and then marking its permissions as readable by other users. Such a control scheme is referred to as Discretionary Access Control (DAC).

An alternative to DAC is Mandatory Access Control (MAC). A MAC system can further constrain what a system can do, and is based...

