Re: Codezero v0.2 Capabilities
From: Sam Mason
Subject: Re: Codezero v0.2 Capabilities
Date: Tue, 8 Dec 2009 11:15:49 +0000
User-agent: Mutt/1.5.13 (2006-08-11)
On Mon, Dec 07, 2009 at 09:09:50PM +0100, Tom Bachmann wrote:
> Bahadir Balban wrote:
> >When it comes to making the ipc call though, you don't pass the
> >capability id to the call. You pass the thread id you want to ipc to.
> >The system call signature is the same as if capabilities were not there
> >at all. But it surely gets checked, the relevant capability is found,
> >its resource id is matched with the passed thread id, and resolved.
>
> Moreover, this breaks (at the kernel boundary!) one important design
> principle (which I value): explicit designation of authority. How can
> your system avoid the confused deputy problem?
Yup, this looks very much like you've just turned what could be a nice
capability system into one that implicitly relies completely on ambient
authority---namely the "capids" that a thread holds. This is finer
grain than the userid of a conventional process, but still feels like
ambient authority to me.
--
Sam http://samason.me.uk/
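The two designs being argued over, as an added toy model in C that is not Codezero code and not part of the thread: the kernel-side check is reduced to a per-thread table of `(type, resource id)` capabilities. `ipc_by_tid` implements the design Bahadir describes (the caller names a thread id and the kernel searches the caller's own table for a matching capability), while `ipc_by_cap` implements explicit designation (the caller passes an index into its own table, and a deputy only gains a capability when the client transfers one with the request). The thread ids, the deputy and client threads, and the names `ipc_by_tid`, `ipc_by_cap`, `cap_transfer` are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model of the two IPC designs; not Codezero's API. */
#define MAX_CAPS 8
#define CAP_IPC 1

struct cap { int type; int resid; };                    /* resid: thread id this cap names */
struct thread { int tid; struct cap caps[MAX_CAPS]; int ncaps; };

/* Add a capability to a thread's table; returns its index or -1 when full. */
static int grant(struct thread *t, int type, int resid) {
    if (t->ncaps >= MAX_CAPS) return -1;
    t->caps[t->ncaps].type = type;
    t->caps[t->ncaps].resid = resid;
    return t->ncaps++;
}

/* Ambient-authority design: the caller names a thread id and the kernel
 * searches the caller's whole table for any cap that happens to match. */
static bool ipc_by_tid(const struct thread *caller, int target_tid) {
    for (int i = 0; i < caller->ncaps; i++)
        if (caller->caps[i].type == CAP_IPC && caller->caps[i].resid == target_tid)
            return true;
    return false;
}

/* Explicit-designation design: the caller must present one specific cap
 * from its own table; the target is whatever that cap names. */
static bool ipc_by_cap(const struct thread *caller, int cap_idx, int *target_tid) {
    if (cap_idx < 0 || cap_idx >= caller->ncaps) return false;
    if (caller->caps[cap_idx].type != CAP_IPC) return false;
    *target_tid = caller->caps[cap_idx].resid;
    return true;
}

/* Capability transfer: copy one of the sender's caps into the receiver's
 * table, returning the receiver's index for it (or -1 if it cannot). */
static int cap_transfer(const struct thread *from, int cap_idx, struct thread *to) {
    if (cap_idx < 0 || cap_idx >= from->ncaps) return -1;
    return grant(to, from->caps[cap_idx].type, from->caps[cap_idx].resid);
}

/* Shared scenario: the deputy (a service acting on behalf of clients) holds
 * caps to threads 10 and 20; the client holds a cap only to thread 10. */
static void setup(struct thread *deputy, struct thread *client) {
    *deputy = (struct thread){ .tid = 2 };
    *client = (struct thread){ .tid = 3 };
    grant(deputy, CAP_IPC, 10);
    grant(deputy, CAP_IPC, 20);
    grant(client, CAP_IPC, 10);
}

/* Ambient design: the deputy forwards to whatever tid the client named.
 * The kernel resolves it against the deputy's caps, so the client reaches
 * thread 20 through the deputy despite holding no cap for it. */
static bool ambient_forward(int client_named_tid) {
    struct thread deputy, client;
    setup(&deputy, &client);
    return ipc_by_tid(&deputy, client_named_tid);       /* 20 -> true: confused deputy */
}

/* Explicit design: the client must hand over a cap it actually holds; the
 * deputy then speaks only along that transferred cap. Returns the resolved
 * target tid, or -1 when the client could not designate one. */
static int explicit_forward(int client_cap_idx) {
    struct thread deputy, client;
    int target;
    setup(&deputy, &client);
    int received = cap_transfer(&client, client_cap_idx, &deputy);
    if (received < 0) return -1;                         /* client holds no such cap */
    if (!ipc_by_cap(&deputy, received, &target)) return -1;
    return target;
}

int main(void) {
    printf("ambient: client names tid 20 -> %s\n", ambient_forward(20) ? "allowed" : "denied");
    printf("explicit: client cap 0 -> tid %d\n", explicit_forward(0));
    printf("explicit: client cap 1 -> tid %d\n", explicit_forward(1));
    return 0;
}
```

In the ambient variant the only check is "does the deputy hold a matching cap", so the client's lack of authority over thread 20 never enters the decision; in the explicit variant the client cannot even form a request for thread 20, because it has no table entry to transfer.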