On 23 August 2012 18:51, Matt Rice <[email protected]> wrote:
> On 8/23/12, Jiří Zárevúcky <[email protected]> wrote:
>> [...]
>
> Hi, I'm not really involved in HelenOS at all, just my thoughts on the
> approach.
>

Thanks, I appreciate it.

> It's interesting in that you seem to have come to some of the same
> ideas found in capability systems (e.g. the lack of filesystem
> permissions, that having merely access to a file grants the permission
> to do something with it),

Not surprising, it's a real-life metaphor.

> but maintain the use of filenames which
> would seem to open the door to ambient authority[1] and the confused
> deputy problem[1] which capabilities were invented to fix.

The filenames themselves are local to the namespace, and there are in
fact no global names for any file. I.e. communicating a filename to a
task running with a different namespace (and by extension, different
permissions) is pointless, as it's relative to something the task
doesn't have access to at all. Doesn't that solve the problems you are
referring to?

> Capability
> systems in general tend to do away with filesystems altogether, as
> much discussed in many threads e.g. 'Explicit Persistence Considered
> Harmful'[3], but it would be good to consider how your VFS reacts to
> the confused deputy problem in particular when a program serves 2
> masters.
>

What exactly do you mean by "serving two masters"?

_______________________________________________
HelenOS-devel mailing list
[email protected]
http://lists.modry.cz/cgi-bin/listinfo/helenos-devel
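An added toy model (not HelenOS code, and not part of this thread) of the two shapes the exchange above is about: a deputy that resolves a client-supplied name in its own, richer namespace, versus one that is handed an object the client already resolved in its own namespace. The tasks, paths and objects are constructed for illustration.

```python
# Added example (not HelenOS code): a toy model of per-task namespaces.
# Each task resolves names only against its own namespace; there is no
# global root, so a name by itself carries no authority.

class Namespace:
    """A task's private name -> object table (no global names exist)."""

    def __init__(self, bindings):
        self.bindings = dict(bindings)

    def resolve(self, path):
        return self.bindings.get(path)


class Task:
    def __init__(self, name, ns):
        self.name = name
        self.ns = ns

    def open(self, path):
        """Open a name in THIS task's namespace; unknown names fail."""
        obj = self.ns.resolve(path)
        if obj is None:
            raise PermissionError(f"{self.name}: no such name here: {path}")
        return obj


# Constructed objects and tasks (hypothetical, for illustration only).
SECRET = {"content": "secret"}
PUBLIC = {"content": "public"}
deputy = Task("deputy", Namespace({"/data/secret": SECRET, "/data/public": PUBLIC}))
client = Task("client", Namespace({"/data/public": PUBLIC}))


def deputy_resolves_name(requested_path):
    """Deputy serving two masters by resolving a client-supplied NAME in its
    own, richer namespace: the request reaches whatever the deputy can see,
    not only what the client can see (the confused-deputy shape)."""
    return deputy.open(requested_path)["content"]


def deputy_takes_handle(client_task, requested_path):
    """Capability-style: the client resolves the name in its own namespace
    and hands over the resulting object; the deputy never resolves names."""
    handle = client_task.open(requested_path)  # fails outside client's ns
    return handle["content"]


def name_is_meaningful_to(receiver, path):
    """A name received from another task only means something relative to
    the receiver's own namespace, which is the reply's point."""
    return receiver.ns.resolve(path) is not None
```

The first function shows why passing names to a more privileged task is the case to examine; the second shows the object-passing discipline that avoids it.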