l4-hurd

Codezero v0.2 Capabilities


From: Bahadir Balban
Subject: Codezero v0.2 Capabilities
Date: Mon, 07 Dec 2009 14:59:38 +0200
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Hi All,

I would like to share with you the current status of Codezero
development as we make the 0.2 release. I am looking into feedback on
various design issues, particularly on capabilities.

I think I have understood Hurd requirements to a good extent, and
Codezero has different final goals compared to the ideal kernel that
Hurd needs.

That said, Codezero has a lot of common ground with Hurd kernel
requirements, and I would like to focus discussion on these common areas.

What I need is your opinion on our existing capability design, in any
aspect. Security, usability, applicability ... We have implemented
capabilities in Codezero to a good extent, and the design requires
feedback (details to follow on my next email).

What this will bring back to you is that you have the chance to see a
live kernel that has a capability implementation with resources reduced
to a useful small set (e.g. kernel resources), and one that is
attempting to apply it to real practice. You will see your feedback
being implemented in short periods of time, and have the opportunity to
see how it behaves in reality. Potentially the same work can be extended,
or copied over to your _desired_ Hurd kernel later on. Think of it as a
small pilot project for your future capability-based Hurd kernel.

If you believe that you already have explored capability-based design to
the extent that you don't need to see any further experimentation, well,
you might just be interested to help.

OK, so here are some final disclaimers:

- The design is very rigorous, i.e. fully covering kernel resources,
system calls, but only those. I think this is very useful even for Hurd,
you can experiment on a small set of sample data, improve your design,
and extend it.

- The user API has been purposefully simplified, i.e. the capabilities
are hidden as much as possible from the userspace. The average
programmer needs to know as little as possible about capability design.
For example you don't pass a capid to a system call. You pass resource
ids directly, but they get cap-checked internally. Once you want to
manipulate resource allocation in the system, you then need to
manipulate (unavoidably) capabilities and need to know what's going
on at that level.

- No protection from covert channels. This is because covert channels
cannot be completely eliminated, and they are less of a focus for
current discussion. I am more interested in tackling elegant resource
management at this time.

- The approach I took is probably different to what you have seen before
on capabilities. I tried to make things as practical as possible.

Please see my release email for sources and guides on the API.


Thanks,

--
Bahadir Balban
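The post describes a user API in which a system call takes a plain resource id and the kernel checks the caller's capabilities internally, while changing resource allocation forces the caller to manipulate capabilities explicitly. The following is an added illustrative model of that split, written for this page; it is not Codezero's code, and every name in it (the `Rights` flags, the resource kinds, `sys_map`, `sys_cap_grant`) is an assumption made for the example.

```python
"""Toy model of capability-checked resource ids (added example, not Codezero code).

Assumptions for the model:
  - every kernel resource is named by a (kind, id) pair, e.g. ("mempool", 3)
  - a task holds a list of capabilities over such resources
  - ordinary syscalls take the resource id only; the capability lookup is internal
  - changing allocation (here: granting access to another task) is an explicit
    capability operation and can never amplify rights
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Rights(Flag):
    """Assumed right bits; real kernels define their own sets."""
    READ = auto()
    WRITE = auto()
    MAP = auto()
    GRANT = auto()


@dataclass(frozen=True)
class Capability:
    kind: str      # resource kind, e.g. "mempool" or "thread" (constructed names)
    rid: int       # resource id visible to userspace
    rights: Rights


@dataclass
class Task:
    tid: int
    caps: list = field(default_factory=list)   # held capabilities, kernel-side only


class PermissionDenied(Exception):
    pass


class Kernel:
    """Minimal kernel stand-in: the capability table is never exposed to callers."""

    def _check(self, caller: Task, kind: str, rid: int, need: Rights) -> Capability:
        # Internal cap check: find a capability over (kind, rid) carrying `need`.
        for cap in caller.caps:
            if cap.kind == kind and cap.rid == rid and need in cap.rights:
                return cap
        raise PermissionDenied(f"task {caller.tid}: no {need.name} on {kind}:{rid}")

    def sys_map(self, caller: Task, pool_id: int, size: int) -> str:
        """Ordinary syscall: the caller passes a resource id, not a capability id."""
        self._check(caller, "mempool", pool_id, Rights.MAP)
        return f"task {caller.tid} mapped {size} bytes from mempool {pool_id}"

    def sys_cap_grant(self, caller: Task, target: Task, kind: str, rid: int,
                      rights: Rights) -> Capability:
        """Allocation-level operation: capabilities are manipulated explicitly."""
        src = self._check(caller, kind, rid, Rights.GRANT)
        # Refuse any right the granter does not itself hold (no amplification).
        if rights & ~src.rights:
            raise PermissionDenied(
                f"task {caller.tid} cannot grant {rights} beyond {src.rights}")
        new_cap = Capability(kind, rid, rights)
        target.caps.append(new_cap)
        return new_cap


def demo() -> dict:
    """Run the scenario and return the observable outcomes (constructed data)."""
    k = Kernel()
    root = Task(1, [Capability("mempool", 3, Rights.MAP | Rights.READ | Rights.GRANT)])
    child = Task(2)
    out = {}
    out["root_map"] = k.sys_map(root, 3, 4096)
    try:
        k.sys_map(child, 3, 4096)          # child holds nothing on mempool 3
        out["child_map_before"] = "allowed"
    except PermissionDenied:
        out["child_map_before"] = "denied"
    k.sys_cap_grant(root, child, "mempool", 3, Rights.MAP)
    out["child_map_after"] = k.sys_map(child, 3, 4096)
    try:
        k.sys_cap_grant(root, child, "mempool", 3, Rights.WRITE)   # root lacks WRITE
        out["amplify"] = "allowed"
    except PermissionDenied:
        out["amplify"] = "denied"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one the post describes: `sys_map` is called with `pool_id`, a resource id, and the caller never sees a capability id, whereas redistributing the resource goes through `sys_cap_grant`, where the caller has to reason about capabilities and rights explicitly.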
