Re: Codezero v0.2 Capabilities

l4-hurd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Codezero v0.2 Capabilities

From:	Bahadir Balban
Subject:	Re: Codezero v0.2 Capabilities
Date:	Sun, 13 Dec 2009 14:16:00 +0200
User-agent:	Thunderbird 2.0.0.23 (X11/20090817)

Sam Mason wrote:

On Tue, Dec 08, 2009 at 02:08:18PM +0200, Bahadir Balban wrote:
To your ambient authority argument, wikipedia reads:
The authority is "ambient" in the sense that it exists in a broadlyvisible environment (often, but not necessarily a global environment)where any subject can request it by name.
"
This is not true for this case, since designation, authorization andownership information is all bundled in the capability structure andgets checked on each operation.
It depends on the level of abstraction you're thinking about.  Within
codezero a single process can exercise all authority in error because
the kernel checks which capabilities determine whether an operation has
enough authority to proceed.  When the capabilities are directly exposed
to the process it's "harder" for it to go wrong because the code is
directly naming the authority needed for every operation.

Admittedly this is a qualitative appeal rather than a quantitative one,
but I don't possess the experience to argue the point in any other way.

I thought that once a process has a certain capability, it doesn'tmatter how it is invoked. It may be explicitly by a capid, orimplicitly. Keeping the existing L4 interface was highly desirable fordesign reasons so I implemented it this way.

I didn't get how a process would exercise authority in error. If youstart the process with a single capability, it may try all it wants withthe syscalls. It will always end up with an -ENOCAP error unless it isthat very operation that corresponds to that possessed capability.

When you say the code is directly naming the authority you areapproaching it with a pure capability way of thinking. It is doing thatbecause it comes natural to name entities with their direct name whenyou get to use them. I believe this is more practical. While this mightbe an issue on a capability way of thinking, I think it is anaesthetical one, security-wise it seems to me that they are no different.


--
Bahadir Balban

[Prev in Thread]

Current Thread

[Next in Thread]

Codezero v0.2 Capabilities, Bahadir Balban, 2009/12/07
- Re: Codezero v0.2 Capabilities, Tom Bachmann, 2009/12/07
  - Re: Codezero v0.2 Capabilities, Bahadir Balban, 2009/12/07
    - Re: Codezero v0.2 Capabilities, Tom Bachmann, 2009/12/07
    - Re: Codezero v0.2 Capabilities, Sam Mason, 2009/12/08
    - Re: Codezero v0.2 Capabilities, Bahadir Balban, 2009/12/08
    - Re: Codezero v0.2 Capabilities, Sam Mason, 2009/12/08
    - Re: Codezero v0.2 Capabilities, Bahadir Balban <=
    - Message not available
    - Re: Codezero v0.2 Capabilities, Bahadir Balban, 2009/12/13
    - Re: Codezero v0.2 Capabilities, Bas Wijnen, 2009/12/13
    - Re: Codezero v0.2 Capabilities, olafBuddenhagen, 2009/12/16

Prev by Date: Re: Codezero v0.2 Capabilities
Next by Date: Re: Codezero v0.2 Capabilities
Previous by thread: Re: Codezero v0.2 Capabilities
Next by thread: Re: Codezero v0.2 Capabilities
Index(es):
- Date
- Thread