Marcus Brinkmann writes, on 08/01/2007 at 12:10:
> Remember that the scenario is that process A wants to give an
> inspectable process B access to a service S which requires opaque
> storage allocations, without giving B access to opaque storage
> allocation.

Either I don't get something or you're confused: how would an inspectable process make use of opaque storage in a way that is a threat for inspection?

> You seem to be missing that in the discussed scenario we have three
> processes A, B, and S, where the delegation chain is "A->B->S", and A
> trusts S with a certain resource (like opaque allocation) but not B.

In the capability system as it would be implemented by Hurd, if A gives the same capability to B and S, or gives a capability to B that gives it to S (without proxying it, but by merely copying the untouched capability), would A be able to discriminate when invocation of the capability is made by B or S? Isn't it the whole point of reference monitors?

Curiously,
Pierre
--
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
