
Re: Codezero v0.2 Capabilities

From: Sam Mason
Subject: Re: Codezero v0.2 Capabilities
Date: Tue, 8 Dec 2009 11:15:49 +0000
User-agent: Mutt/1.5.13 (2006-08-11)

On Mon, Dec 07, 2009 at 09:09:50PM +0100, Tom Bachmann wrote:
> Bahadir Balban wrote:
> >When it comes to making the ipc call though, you don't pass the
> >capability id to the call. You pass the thread id you want to ipc to.
> >The system call signature is the same as if capabilities were not there
> >at all. But it surely gets checked, the relevant capability is found,
> >its resource id is matched with the passed thread id, and resolved.
> Moreover, this breaks (at the kernel boundary!) one important design 
> principle (which I value): explicit designation of authority. How can 
> your system avoid the confused deputy problem?

Yup, this looks very much like you've just turned what could be a nice
capability system into one that implicitly relies completely on ambient
authority---namely the "capids" that a thread holds.  This is finer
grain than the userid of a conventional process, but still feels like
ambient authority to me.

  Sam  http://samason.me.uk/
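The two designs argued over above, as an added illustration that is not Codezero code and not from anyone in the thread: a constructed kernel-side check in which a caller either names only a thread id (the kernel then resolves authority from the caller's own capability table) or presents the capability it wants to exercise. The thread ids, capids and the `deputy_forward_*` helpers are assumptions; in the explicit variant the deputy is assumed to exercise the capability the client handed it, checked against the client's table, which is what makes the confused-deputy request fail closed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (not Codezero code): a capability grants IPC to one
 * resource, here a thread id; all ids and names are assumptions. */
#define MAX_CAPS   4
#define TID_CLIENT 1
#define TID_DEPUTY 2
#define TID_LOG    3   /* service the client legitimately holds a cap for */
#define TID_SECRET 4   /* service only the deputy is meant to reach */

struct cap    { int capid; int resource_tid; };
struct thread { int tid; struct cap caps[MAX_CAPS]; size_t ncaps; };

void setup_threads(struct thread *client, struct thread *deputy) {
    *client = (struct thread){ TID_CLIENT, { {10, TID_LOG} }, 1 };
    *deputy = (struct thread){ TID_DEPUTY, { {20, TID_SECRET} }, 1 };
}

/* Design described in the thread: the caller names only a thread id and the
 * kernel resolves authority from whatever the caller happens to hold. */
bool ipc_ambient(const struct thread *caller, int target_tid) {
    for (size_t i = 0; i < caller->ncaps; i++)
        if (caller->caps[i].resource_tid == target_tid) return true;
    return false;
}

/* Explicit designation: a named capability is honoured only if the thread it
 * belongs to holds it and it names exactly the requested target. */
bool ipc_explicit(const struct thread *holder, int capid, int target_tid) {
    for (size_t i = 0; i < holder->ncaps; i++)
        if (holder->caps[i].capid == capid)
            return holder->caps[i].resource_tid == target_tid;
    return false;
}

/* Deputy forwarding a client request. Ambient: it can only name the target, so
 * its own authority is used and the client reaches TID_SECRET through it. */
bool deputy_forward_ambient(const struct thread *deputy, int client_target) {
    return ipc_ambient(deputy, client_target);
}
/* Explicit: the request carries the client's own capability, exercised on the
 * client's behalf; nothing in the client's table names TID_SECRET, so it fails. */
bool deputy_forward_explicit(const struct thread *client, int capid, int target) {
    return ipc_explicit(client, capid, target);
}
```

With the constructed tables, `deputy_forward_ambient(&deputy, TID_SECRET)` succeeds even though the client holds nothing naming that thread, while `deputy_forward_explicit(&client, 10, TID_SECRET)` is refused and only `TID_LOG` is reachable through the deputy.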
