marcus.brinkmann at ruhr-uni-bochum.de
Sun Jun 12 19:00:01 CEST 2005
At Thu, 09 Jun 2005 18:30:37 +0200,
Marcus Brinkmann at ruhr-uni-bochum de wrote:
> There may be security implications in revealing mapping "identities"
> at all. Maybe this feature needs to be restricted for confined tasks.

I have thought about this a bit more and think that this can be done
very easily by using an access right bit, just like rwx are access
right bits for memory mappings. If the bit is set, you are allowed to
traverse the mapping tree through this node, and if you want to
disallow it, you clear the bit in a mapping you give away.

The interesting part about this bit would be that it is entirely
local: On every mapping, you can set or clear it. It's not like with
rwx, where you can only clear and not set.

For our scheme, this could be used, for example, to hand out a
capability temporarily (by delegating a mapping for it), but being
sure that we can revoke it later, because the receiving task cannot
acquire its own reference. Having the guarantee that you can revoke a
capability seems to be a useful option to have in a capability system.

But I should add that this is a feature I have still not yet entirely
thought through. I am just sending this mail to frame it in terms of
well-known L4 concepts, namely access right bits.
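
The scheme described in this message, as an added example that is not part of the original mail or of any L4 code: a toy C model of a mapping tree in which rwx can only be cleared on delegation while the traverse bit is chosen freely per mapping. The struct layout, the function names and the exact walk semantics are assumptions made for illustration.

```c
#include <stddef.h>

enum { RIGHT_R = 4, RIGHT_W = 2, RIGHT_X = 1 };

struct mapping {
    struct mapping *parent; /* mapping this one was derived from; NULL at the root */
    unsigned rights;        /* rwx: delegation can only clear these */
    int traverse;           /* local bit: the mapper may set or clear it per mapping */
    int revoked;
};

/* Derive child from parent. rwx is masked by the parent's rights (clear-only);
 * the traverse bit is taken as given, independent of the parent's value. */
void map_delegate(struct mapping *child, struct mapping *parent,
                  unsigned rights, int traverse)
{
    child->parent = parent;
    child->rights = parent->rights & rights;
    child->traverse = traverse;
    child->revoked = 0;
}

/* Revoking a mapping invalidates it and everything derived from it. */
void map_revoke(struct mapping *m) { m->revoked = 1; }

int map_valid(const struct mapping *m)
{
    while (m != NULL && !m->revoked)
        m = m->parent;
    return m == NULL;
}

/* Walk towards the root; every step up passes through a node and needs its bit. */
struct mapping *map_find_origin(struct mapping *m)
{
    while (m->parent != NULL && m->traverse)
        m = m->parent;
    return m->parent == NULL ? m : NULL;
}

/* Receiver tries to obtain a reference that does not hang below the delegator. */
int acquire_own_ref(struct mapping *own, struct mapping *held, unsigned rights)
{
    struct mapping *origin = map_find_origin(held);
    if (origin == NULL || !map_valid(held))
        return -1;
    map_delegate(own, origin, rights, 1);
    return 0;
}
```

With the bit set on the delegated mapping, the receiver's own reference survives a later revoke of that mapping; with the bit cleared, the walk stops at the delegated node and the revoke is final.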