This is the principle of complete mediation. All complete mediation says is: whenever you make an access, check to be sure the access is allowed. If you're going to read from a file, you open the file for reading and check to be sure that's allowed. Then, when you issue the read system call or command, check to be sure that read is still allowed, and so forth. This is a principle that is often honored in the breach. For example, Windows, Linux, and Unix systems will very carefully check file permissions when you open the file. But once it's open, you've got a file handle or a file descriptor, and the permissions are not rechecked. Even on a Linux system, if someone blocks read access by changing the file's permissions so that you are no longer allowed to read it, but you already have that file open for reading, guess what: you're still going to be able to read it. These file handles or file descriptors, as they're called, are actually a form of what's known as a capability. A capability contains an object name, a filename, for example, and a set of rights, such as permission to read and to write. Mere possession of that capability gives you the ability to exercise those rights on that object. So, if I have a descriptor for a file X with write permission, then even if the file is no longer writable by me, as long as I've got that descriptor, I can go ahead and write to the file.
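The open-time check described above can be observed directly. The following is an added example written for this transcript, not code from the lecture: on a POSIX system it creates a temporary file (a constructed input), opens a read/write descriptor, revokes every permission bit with chmod, and then shows that the already-open descriptor still reads and writes while a fresh open() is refused. The file name and payload are assumptions; the only real behaviour relied on is that Unix discretionary access control is evaluated in open(), not in read() or write(). One caveat the check accounts for: uid 0 bypasses mode bits entirely, so the "fresh open denied" observation only holds for an unprivileged user.

```python
import os
import tempfile

PAYLOAD = b"still writable\n"  # constructed sample data, 15 bytes


def demonstrate_open_time_check(directory=None):
    """Show that POSIX checks file mode bits at open(), not per read()/write().

    Returns a dict:
      wrote_after_revoke  - write() on the pre-existing descriptor succeeded
                            after the file was chmod'ed to mode 0
      read_after_revoke   - bytes read back through that same descriptor
      fresh_open_denied   - a brand-new open() was refused after revocation
      is_root             - mode bits do not bind uid 0, so fresh_open_denied
                            is expected to be False when running as root
    """
    tmp_fd, path = tempfile.mkstemp(dir=directory)  # hypothetical scratch file
    os.close(tmp_fd)
    result = {
        "wrote_after_revoke": False,
        "read_after_revoke": b"",
        "fresh_open_denied": False,
        "is_root": os.geteuid() == 0,
    }
    try:
        # The permission check happens here, once, against the current mode.
        fd = os.open(path, os.O_RDWR)
        try:
            # Revoke everything: owner, group and others now have no rights.
            os.chmod(path, 0)

            # The descriptor is a capability: it already carries read+write.
            try:
                written = os.write(fd, PAYLOAD)
                result["wrote_after_revoke"] = written == len(PAYLOAD)
                os.lseek(fd, 0, os.SEEK_SET)
                result["read_after_revoke"] = os.read(fd, 64)
            except OSError:
                pass  # would only happen if the kernel re-mediated per call
        finally:
            os.close(fd)

        # A new open() goes through mediation again and sees mode 0.
        try:
            fd2 = os.open(path, os.O_RDONLY)
            os.close(fd2)
        except PermissionError:
            result["fresh_open_denied"] = True
    finally:
        # unlink needs write permission on the directory, not the file.
        os.unlink(path)
    return result


if __name__ == "__main__":
    r = demonstrate_open_time_check()
    print("write via open descriptor after chmod 0:", r["wrote_after_revoke"])
    print("read via open descriptor after chmod 0: ", r["read_after_revoke"])
    print("fresh open denied:", r["fresh_open_denied"], "(root:", r["is_root"], ")")
```

The defensive consequence is the one the lecture draws: changing mode bits does not revoke access that has already been granted, so a design that needs real revocation cannot rely on chmod alone. It has to mediate each operation itself, for example by brokering file access through a process that re-checks policy on every request and can close the descriptor, rather than handing the raw descriptor out.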