On Sun, Apr 30, 2006 at 11:17:53PM +0200, Marcus Brinkmann wrote:
> Propose a use case for non-trivial confinement.

Just thought of a use case on the ride in to work today -- hope it hasn't been mentioned already, I've done a quick search and didn't come up with anything!

How about the little (image) preview window that appears in some graphical open file dialogs? The open dialog should allow processes to register a "previewer" that allows the dialog to preview the file in a manner appropriate to the application showing the dialog. I.e. a graphical viewer could elect to display Postscript files graphically, whereas a text editor would show the same file's source (if it elected to have a preview at all).

To me this seems as though the application would pass a capability to the open dialog naming a preview constructor in the calling application. The dialog window would then be able to instantiate a single previewer for each file, destroying the old one when the user selects a new file.

Non-trivial confinement is needed because the open dialog doesn't trust the calling program to not grant itself permission to the previewer's address space and to pull information out of it after the user has selected a file.

I hope that makes sense and hasn't been covered before!

Sam

_______________________________________________
L4-hurd mailing list
http://lists.gnu.org/mailman/listinfo/l4-hurd
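The check the dialog would have to make on the application's constructor, as an added toy model (not code from the thread or from the Hurd/L4 projects): the dialog accepts a previewer constructor only if every capability a fresh previewer would be born holding is either inherently confined or explicitly granted by the dialog, so the application cannot smuggle in a channel back to itself. Names such as `Cap`, `Constructor`, `OpenDialog` and the `confined` flag are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cap:
    """A capability. 'confined' means holding it conveys no authority to
    communicate outside the holder's confinement boundary (e.g. a read-only
    code page). An unconfined cap (a channel back to the app) must be
    explicitly authorized by the dialog, or the constructor is rejected."""
    name: str
    confined: bool = True

@dataclass(frozen=True)
class Constructor:
    """Template offered by the calling application: the caps every fresh
    previewer instance starts out holding."""
    app: str
    initial_caps: frozenset

class Previewer:
    """A confined instance; it holds exactly the caps it was built with."""
    def __init__(self, caps):
        self.caps, self.alive = frozenset(caps), True
    def destroy(self):
        self.alive = False

def confinement_violations(ctor, authorized):
    """Caps in the constructor's template that would let the previewer
    talk to something the dialog did not sanction."""
    return {c for c in ctor.initial_caps if not c.confined and c not in authorized}

class OpenDialog:
    def __init__(self, display_cap):
        self.display = display_cap   # the one outside authority the dialog grants
        self.current = None

    def select(self, ctor, file_cap):
        """User picked a file: verify the constructor, then replace the previewer."""
        bad = confinement_violations(ctor, authorized=frozenset({self.display}))
        if bad:
            raise PermissionError(f"{ctor.app} constructor is not confined: {sorted(c.name for c in bad)}")
        if self.current is not None:
            self.current.destroy()   # old previewer (and its file contents) go away
        self.current = Previewer(ctor.initial_caps | {self.display, file_cap})
        return self.current
```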
