On Tue, 2006-05-02 at 00:33 +0200, Pierre THIERRY wrote:
> Scribit Bas Wijnen dies 01/05/2006 hora 23:20:
> > > > C. The child cannot have any capability that the parent couldn't
> > > > gain access to.
> > This is correct, but it isn't an extra requirement. Just like in the
> > constructor, the child cannot receive a capability that neither the
> > parent nor the instantiator possess.
>
> Either you or I have misunderstood something in how a constructor works.
> I had understood that the constructor is given a set of capabilities
> along with the process it will instantiate. These capabilities could be
> out of reach for the instantiator.

The constructor has *three* sources of capabilities:

1. A set provided by the instantiator at instantiation time.
2. A set of "holes" provided by the builder (the party who set up the
   constructor) at build time. This set is *authorized* by the
   instantiator, but not accessible to them.
3. A set of capabilities provided by the builder that are determined,
   through use of a kernel-supported function, to be transitively
   read-only and therefore harmless.

shap
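
Added example, not part of the original message and not code from any real kernel: a toy Python model of the three capability sources listed above, showing that the child can end up holding a "hole" capability the instantiator authorized but never possessed. Every name here (`Cap`, `Constructor`, `builder_install`, `seal`, `list_holes`, `instantiate`), the sealing step, and the recursive read-only check are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cap:
    name: str
    writable: bool = False   # conveys write authority directly
    reaches: tuple = ()      # capabilities obtainable through this one

def transitively_read_only(cap):
    """Toy stand-in for the kernel-supported check: no write authority
    anywhere in the graph reachable from cap."""
    return not cap.writable and all(transitively_read_only(c) for c in cap.reaches)

class Constructor:
    def __init__(self):
        self.safe, self.holes, self.sealed = [], [], False

    def builder_install(self, cap):
        if self.sealed:
            raise PermissionError("constructor already sealed")
        # Source 3 if provably harmless, otherwise source 2 (a hole).
        (self.safe if transitively_read_only(cap) else self.holes).append(cap)

    def seal(self):
        # Assumption: build time ends here; nothing can be installed afterwards.
        self.sealed = True

    def list_holes(self):
        # The instantiator learns which holes exist, not the capabilities themselves.
        return sorted(c.name for c in self.holes)

    def instantiate(self, provided, authorized):
        if not self.sealed:
            raise PermissionError("constructor not sealed")
        refused = set(self.list_holes()) - set(authorized)
        if refused:
            raise PermissionError(f"holes not authorized: {sorted(refused)}")
        # Child's initial authority: source 1 + source 2 + source 3.
        return list(provided) + self.holes + self.safe

def demo():
    # Constructed sample capabilities.
    c = Constructor()
    c.builder_install(Cap("code_image", reaches=(Cap("page0"),)))            # safe
    c.builder_install(Cap("net_session", writable=True))                     # hole
    c.builder_install(Cap("config_dir", reaches=(Cap("log", writable=True),)))  # hole
    c.seal()
    instantiator_caps = [Cap("scratch_space", writable=True)]
    child = c.instantiate(instantiator_caps, authorized=c.list_holes())
    return c, instantiator_caps, child
```

In the model, `config_dir` is read-only itself but reaches a writable capability, so it is classified as a hole rather than as harmless.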
_______________________________________________
L4-hurd mailing list
http://lists.gnu.org/mailman/listinfo/l4-hurd