
Re: Codezero v0.2 Capabilities

From: Sam Mason
Subject: Re: Codezero v0.2 Capabilities
Date: Tue, 8 Dec 2009 16:19:12 +0000
User-agent: Mutt/1.5.13 (2006-08-11)

On Tue, Dec 08, 2009 at 02:08:18PM +0200, Bahadir Balban wrote:
> To your ambient authority argument, wikipedia reads:

> The authority is "ambient" in the sense that it exists in a broadly 
> visible environment (often, but not necessarily a global environment) 
> where any subject can request it by name.
> "
> This is not true for this case, since designation, authorization and 
> ownership information is all bundled in the capability structure and 
> gets checked on each operation.

It depends on the level of abstraction you're thinking about.  Within
codezero a single process can exercise all authority in error because
the kernel checks which capabilities determine whether an operation has
enough authority to proceed.  When the capabilities are directly exposed
to the process it's "harder" for it to go wrong because the code is
directly naming the authority needed for every operation.

Admittedly this is a qualitative appeal rather than a quantitative one,
but I don't possess the experience to argue the point in any other way.

  Sam  http://samason.me.uk/
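The distinction Sam draws, as an added example rather than code from Codezero or from either poster: a task holding two capabilities for the same object, with the kernel either searching the whole list (ambient lookup) or checking only the capability the caller names. The capability structure, the syscall shapes and the sample task are assumed models, not Codezero's own.

```c
/* Added model of the two checking styles discussed in the thread: a constructed
 * illustration, not Codezero's real capability structures or API. */
#include <stdbool.h>
#include <stddef.h>
enum { CAP_READ = 1, CAP_WRITE = 2 };

struct cap  { int target; int rights; };            /* designation + rights */
struct task { struct cap caps[4]; size_t ncaps; };

/* Ambient style: caller names only the target; kernel scans the task's whole cap list. */
bool ambient_op(const struct task *t, int target, int right)
{
    for (size_t i = 0; i < t->ncaps; i++)
        if (t->caps[i].target == target && (t->caps[i].rights & right))
            return true;
    return false;
}

/* Explicit style: caller names the one cap it intends to use; kernel checks only that. */
bool explicit_op(const struct task *t, size_t idx, int target, int right)
{
    if (idx >= t->ncaps)
        return false;
    return t->caps[idx].target == target && (t->caps[idx].rights & right) != 0;
}

/* Sample task: a read-only cap for object 7 meant for this code path, plus a
 * read/write cap on the same object granted for some unrelated purpose. */
static struct task sample_task(void)
{
    struct task t = { { { 7, CAP_READ }, { 7, CAP_READ | CAP_WRITE } }, 2 };
    return t;
}

/* A read-only code path that mistakenly issues a write.  Under ambient lookup
 * the unrelated read/write cap silently authorises it ... */
bool mistaken_write_ambient(void)
{
    struct task t = sample_task();
    return ambient_op(&t, 7, CAP_WRITE);            /* true: mistake goes through */
}

/* ... whereas naming the intended capability (index 0, read-only) is refused by
 * the kernel, so the bug surfaces at once. */
bool mistaken_write_explicit(void)
{
    struct task t = sample_task();
    return explicit_op(&t, 0, 7, CAP_WRITE);        /* false: refused */
}
```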
