> On Mon, May 01, 2006 at 12:33:33AM -0400, Jonathan S. Shapiro wrote:
> > > > 1. I create a new constructor, so I am the creator. I put stuff
> > > > into the constructor. I instantiate programs. So far
> this is all
> > > > just "trivial confinement" as you call it.
> > >
> > > In my current system design, there is no constructor.
> There is also
> > > no meta-constructor, and the space bank will happily let
> you inspect
> > > and alter the content of any memory that is taken from
> your reserve
> > > (well, the last point may or may not be true, but for the
> purposes
> > > of analysis, we can assume it to be true).
> >
> > It follows immediately that the system administrator can
> inspect all
> > storage, since all space banks are ultimately derived from
> the primary
> > space bank, which is owned by the system administrator.
>
> This is getting annoying. I wrote at least twice already
> that the primary space bank is *not* owned by the system
> administrator. It is owned by the TCB, which is an entity
> itself. It will restrict access to it carefully, in
> particular it will not give anyone (and that includes the
> administrator) direct access to the prime space bank.
Ah, yes. Who owns the TCB?
Oh - no one. Cool. So who gets permission to update the TCB?
Ah, of course, no one. It's not like you ever need to patch a piece of
software, because all software is perfect once released.
-={C}=-
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
