Re: io_close proposal

[Thomas Bushnell, BSG]

Marcus Brinkmann <address@hidden> writes:

> Well, the real problem, and the explanation why my idea won't work is this:
> 
> If the server sees 1 extant send right, he doesn't know if this is the
> callers extant send right, or if the number of extant send rights has been
> 2 and the caller did:
> 
> io_close_request(port)
> mach_port_deallocate(mach_task_self(), port);

Here, the user has not followed the protocol.  He has the port
*twice*, and if he wants close actions to work properly, he must call
io_close_request on *each*.  

> So my idea doesn't work.  If we would not have asynchronous messages,
> this attack in the client probably wouldn't work (assuming proper guarantees
> by the kernel).  Well, I don't think it was obvious, so it is good to have
> this idea proposed, discussed and dismissed.

It's not dismissed at all; this part works just fine.  If the server
sees exactly one send right, has the receive right locked down so that
other threads in the server won't create new send rights, and the
server itself *has* one send right, then it knows exactly where they
all are.