Marcus Brinkmann wrote on 08/01/2007 at 09:31:

> > So it all boils down to avoid giving to a process you can inspect a
> > capability to a process you can't inspect.
>
> Uhm, but then it can't use any service requiring opaque allocation of
> user-provided memory resources. Wasn't that the whole point of the
> exercise?
Well, obviously you will give such a capability if you trust the service. But at no point do you have to give authority whose use you'd like to prevent, and that's the point of a capability-based system. As I trust the Ethernet driver, I will happily give my TCP/IP stack a capability to it, but not any other process. The same goes for some custom FS I use in my home directory, which could access the USB driver to store data on a USB disk. And if the USB driver happens to need some client-provided memory that the client can't even read, so be it, but I wouldn't give a capability to it to any other process.

Capabilities to processes able to opacify memory are no different from capabilities to any other process able to do anything that could be turned against me. While adhering to POLA, I protect myself from any such threat...

Simply,
Pierre

-- 
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
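The argument above (give a capability to a service that opacifies client memory only to the clients you chose under POLA, and to nobody else) can be checked mechanically over a capability graph. This is an added illustration, not code from the Hurd project or from either poster; the process names, the graph and the trusted-client lists are constructed, and reachability over held capabilities is used as the model of who could end up talking to a service through delegation.

```python
"""Toy audit of a capability graph: which processes can reach a service that
accepts opaque (client-provided, client-unreadable) memory, and are they the
ones the user deliberately trusted with that authority?"""
from collections import deque

# Constructed example: process -> set of processes it holds a capability to.
# Mirrors the thread: the TCP/IP stack talks to the Ethernet driver, a custom
# home-directory FS talks to the USB driver, and an unrelated process holds nothing.
CAPS = {
    "tcpip":     {"ethernet"},
    "homefs":    {"usb"},
    "ethernet":  set(),
    "usb":       set(),
    "untrusted": set(),
}

# Services that perform opaque allocation of client-provided memory, and the
# clients the user has chosen (under POLA) to trust with a capability to them.
OPAQUE_SERVICES = {"ethernet", "usb"}
TRUSTED_CLIENTS = {"ethernet": {"tcpip"}, "usb": {"homefs"}}


def reachable(caps, start):
    """Processes `start` could reach, directly or if intermediates forward caps."""
    seen, queue = set(), deque([start])
    while queue:
        p = queue.popleft()
        for q in caps.get(p, ()):
            if q not in seen:
                seen.add(q)
                queue.append(q)
    return seen


def audit(caps, opaque, trusted):
    """(process, service) pairs where an untrusted process can reach an opaque
    service, i.e. could hand it memory the user can no longer inspect."""
    findings = []
    for p in caps:
        for s in reachable(caps, p) & opaque:
            if p != s and p not in trusted.get(s, set()):
                findings.append((p, s))
    return sorted(findings)


def grant(caps, holder, target):
    """Return a copy of the graph where `holder` also holds a cap to `target`."""
    new = {k: set(v) for k, v in caps.items()}
    new.setdefault(holder, set()).add(target)
    return new
```

Granting the unrelated process a capability to the trusted FS (`grant(CAPS, "untrusted", "homefs")`) makes the audit report that it can now reach the USB driver, which is exactly the delegation the reply says POLA avoids.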
