l4-hurd

Re: Why COPY != SIMULATED COPY


From: Jonathan S. Shapiro
Subject: Re: Why COPY != SIMULATED COPY
Date: Wed, 19 Oct 2005 14:58:10 -0400

On Wed, 2005-10-19 at 20:41 +0200, Espen Skoglund wrote:
> Just did a LITTLE thinking, and I have a question about what we REALLY
> want here: Do we really want what I just stated?  Or in other words:
> Does B really want to trust the hierarchy between "Cap.1" and
> "Cap.1..x" to not perform any revocation?
> 
> If the answer is NO then it seems to me that what we actually want is:
> 
>      "B has Cap.1.y"
> 
> Comments?

Given a chain of cap transfers of the form


              ANY    ANY    RevCOPY     COPY
        ... S ---> T ---> A --------> B -----> C

We want it to be the case that

  (1) C's capability gets revoked exactly when B's
      capability gets revoked, and
  (2) any revocation of A's capability causes the
      capabilities held by B and C to be revoked also.

That is, we are trying to simulate the behavior of the obvious
kernel-implemented COPY operation. This definition of RevCOPY/COPY
composition is required if we are to preserve any possibility of
confinement.

B might overwrite its capability before the revoke occurs, and this
should not cause C's copy to disappear. That is: B and C hold co-equal
copies after the COPY operation.

shap
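
As an added illustration (not Shapiro's code and not anything from the L4/Hurd project), here is a toy Python model of the chain above. It assumes that each capability is a node in a derivation tree, that RevCOPY creates a child node whose revocation is tied to its parent, and that COPY aliases the same node so the two holders become co-equal; the ANY hops S -> T -> A are modelled as RevCOPY for concreteness. The three scenario functions check the two stated properties plus the overwrite case from the last paragraph.

```python
"""Toy model of RevCOPY / COPY composition (added example, not from the thread).

Assumptions (not stated in the email):
  - Every capability is a node in a derivation tree.
  - RevCOPY creates a child node; revoking a node kills its whole subtree.
  - COPY shares the *same* node, so the two slots are co-equal copies.
  - The ANY transfers S -> T -> A are modelled as RevCOPY here.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)
class CapNode:
    """One node of the capability derivation tree (identity-compared)."""
    name: str
    parent: Optional["CapNode"] = None
    children: list["CapNode"] = field(default_factory=list)
    alive: bool = True

    def rev_copy(self, name: str) -> "CapNode":
        """RevCOPY: a new node derived from, and revocable through, this one."""
        child = CapNode(name, parent=self)
        self.children.append(child)
        return child

    def revoke(self) -> None:
        """Revoke this capability and everything derived from it by RevCOPY."""
        self.alive = False
        for child in self.children:
            child.revoke()


@dataclass
class Slot:
    """A capability slot held by a process; the holder may overwrite it."""
    holder: str
    node: Optional[CapNode]

    def valid(self) -> bool:
        return self.node is not None and self.node.alive

    def copy(self, holder: str) -> "Slot":
        """COPY: the new slot aliases the very same node (co-equal copy)."""
        return Slot(holder, self.node)

    def rev_copy(self, holder: str) -> "Slot":
        """RevCOPY: the new slot gets a child node under ours."""
        if not self.valid():
            raise ValueError(f"{self.holder} holds no live capability")
        return Slot(holder, self.node.rev_copy(holder))

    def overwrite(self) -> None:
        """Holder replaces the slot contents; the node itself is untouched."""
        self.node = None


def build_chain() -> dict[str, Slot]:
    """... S ---> T ---> A --RevCOPY--> B --COPY--> C"""
    s = Slot("S", CapNode("S"))
    t = s.rev_copy("T")   # ANY, modelled as RevCOPY (assumption)
    a = t.rev_copy("A")   # ANY, modelled as RevCOPY (assumption)
    b = a.rev_copy("B")   # RevCOPY
    c = b.copy("C")       # COPY: C aliases B's node
    return {"S": s, "T": t, "A": a, "B": b, "C": c}


def validity(chain: dict[str, Slot]) -> dict[str, bool]:
    return {name: slot.valid() for name, slot in chain.items()}


def scenario_revoke_b() -> dict[str, bool]:
    """Property (1): revoking B's capability revokes C's, nothing above."""
    chain = build_chain()
    chain["B"].node.revoke()
    return validity(chain)


def scenario_revoke_a() -> dict[str, bool]:
    """Property (2): revoking A's capability takes B and C with it."""
    chain = build_chain()
    chain["A"].node.revoke()
    return validity(chain)


def scenario_b_overwrites() -> dict[str, bool]:
    """B drops its copy before any revoke: C's co-equal copy survives."""
    chain = build_chain()
    chain["B"].overwrite()
    return validity(chain)


def scenario_b_overwrites_then_a_revokes() -> dict[str, bool]:
    """Authority lives in the node, not B's slot: A's revoke still reaches C."""
    chain = build_chain()
    chain["B"].overwrite()
    chain["A"].node.revoke()
    return validity(chain)


if __name__ == "__main__":
    for fn in (scenario_revoke_b, scenario_revoke_a,
               scenario_b_overwrites, scenario_b_overwrites_then_a_revokes):
        print(fn.__name__, fn())
```

The last scenario is the one that matters for confinement: because C aliases B's node rather than holding a fresh child of it, B discarding its own slot neither strands C nor lets C escape a later revocation from A.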
