[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Capability object revocation
|
From: |
Neal H. Walfield |
|
Subject: |
Re: Capability object revocation |
|
Date: |
Sat, 09 Apr 2005 22:55:02 +0100 |
|
User-agent: |
Wanderlust/2.10.1 (Watching The Wheels) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.3 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI) |
There are two scenarios here: 1) implementing revoke which means
revoking the capability for all capability entries but the one used by
the caller; and 2) destroying a capability.
In the former case, you inhibit all RPCs on the capability object
(hurd_cap_obj_inhibit), mark all capability entries as dead *except*
the one on which this RPC is made and then resume RPCs on the
capability object (hurd_cap_obj_resume). Note that marking a
capability entry as dead means not only setting entry->dead to true
but 1) removing an internal reference and if the reference count is
zero, dereferencing the underlying cap object (this should be its own
function); and 2) removing it from the CLIENT->CAPS_REVERSE list as
per client-release.c.
To destroy a capability, you'll want to do the same as before except
revoke all capability entries and instead of calling
hurd_cap_obj_resume, call hurd_cap_obj_end. As you'll notice
hurd_cap_obj_end is not yet implemented. It should set OBJ->STATE to
_HURD_CAP_STATE_BLACK a la _hurd_cap_client_end and
_hurd_cap_bucket_end. This is necessary because in,
e.g. manager_demuxer, after looking up the capability entry and
verifying that it is not dead, we wait until OBJ->STATE returns to
_GREEN but don't again check that the entry is not dead. This change
also requires updating the comment for the hurd_cap_obj structure in
cap-server.h and changing bucket-manage-mt.c:manage_demuxer and
ctx-cap-use.c to bail when OBJ->STATE is _BLACK.
Thanks,
Neal