Let me try then :) First I would like to clarify what the feature you want to avoid is. If I did not understand that, my example is probably invalid.

Here goes some terminology:

1) confinement. We are talking about confinement all the time, but there are misunderstandings about the meaning of the term. Marcus suggests that confinement is the property that when a process is created it has access only to certain limited resources that were given to it on its creation. In Marcus' proposal there is only one parent that creates the process.

2) isolation. Shap suggests that confinement means more. He designed a constructor that allows the created process to have two parents: a builder - the constructor, and a requestor - a process that uses the constructor to create (instantiate) the new process. IIRC when Marcus is speaking about constructors he uses the term instantiator, and it is not clear if it means the builder or the requestor (probably the latter). So let's stick to the terminology with builder. Now Shap suggests that to guarantee process confinement the constructor should be able to prevent the requestor from accessing the new process. After looking in my fine copy of the Cambridge dictionary it looks like Shap has the terminology backwards here. The new process is indeed confined (restricted) when Marcus' semantics is used. But Shap wants the ability to also restrict the requestor, one of the parents of the new process. I would call this an ability to create an _isolated_ process. On one side, it may be confined - allowed to access only a defined part of the system. On the other side, the requestor may not be allowed access to the process.

Now, if isolation is what Marcus does not want, I have one use case he himself mentioned a few times: the instantiation of user sessions. Here the administrator uses a constructor to create isolated processes. If he did not, the user sessions would be inside his session and he could observe them.

In my view, reducing the number of constructors from potentially limited only by system memory to exactly one does not eliminate the concept of isolation (i.e. the software that wants it may request a separate user session for itself). So it is a needless limitation.

Thanks,
Michal
_______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
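An added toy model of the two properties Michal distinguishes above, the confined process (it holds only the capabilities handed to it at creation) and the isolated process (the requestor gets no capability to the process it asked the constructor to build), run through his user-session use case. This is example code written for this page, not code from the thread or from any of the systems discussed; the names `Cap`, `Constructor`, the `isolate` flag and the admin/login-service setup are assumptions for illustration.

```python
# Toy capability model: confinement vs. isolation as discussed in the post.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cap:
    target: str  # the object this capability designates


@dataclass
class Process:
    name: str
    caps: set = field(default_factory=set)

    def can_access(self, target: str) -> bool:
        # Only a held capability grants access; there is no ambient authority.
        return any(c.target == target for c in self.caps)


class Constructor:
    """Built by the builder; used by a requestor to instantiate new processes."""

    def __init__(self, builder: Process, authorized: set, isolate: bool):
        self.builder = builder
        self.authorized = set(authorized)  # what the builder lets the new process hold
        self.isolate = isolate             # deny the requestor a capability to the child?

    def instantiate(self, requestor: Process, name: str, handed_over: set = frozenset()) -> Process:
        # Confinement: the child receives the authorized set plus whatever the requestor
        # explicitly hands over, and nothing else the requestor happens to hold.
        child = Process(name, self.authorized | set(handed_over))
        if not self.isolate:
            # Non-isolated: the requestor keeps a capability to the new process.
            requestor.caps.add(Cap(f"process:{name}"))
        return child


def user_session_demo(isolate: bool) -> dict:
    """Administrator (requestor) asks the login service's constructor for a user session."""
    admin = Process("admin", {Cap("admin-files"), Cap("login-service")})
    login_service = Process("login-service")  # the builder (constructed set is fixed here)
    session_ctor = Constructor(login_service, {Cap("user-home")}, isolate)
    session = session_ctor.instantiate(admin, "session:alice")
    return {
        "session_sees_user_home": session.can_access("user-home"),       # granted at creation
        "session_sees_admin_files": session.can_access("admin-files"),   # confinement holds
        "admin_sees_session": admin.can_access("process:session:alice"), # isolation decides this
    }
```

With `isolate=True` the administrator holds no capability to the session he requested, which is the property Michal calls isolation; the session is confined in both cases.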
