Rights Amplification
Bernhard Kauer
kauer at os.inf.tu-dresden.de
Tue Jun 14 11:10:22 CEST 2005
> We are turning in circles. This is exactly the same model as you
> suggested in your first reply. And it is exactly the model I have
> already tried to implement, and that we rejected because of
> performance, wrong security properties, impossibility of transparent
> interposition, code complexity, etc.
I forgot to explain why I switched back to the initial model.
We have here 2 models in our discussion:
1. Using a 1:1 mapping between objects and endpoints. This requires a
cmp() function.
2. Using the features of L4.sec (local names, endpoints and badges) to
implement a capability system in user-level.
We all agree that the first one can be build, looking from a functional
point of view. This does not mean that it is the best solution.
Or in other words some disadvantages (waste kernel memory, needs an
additional kernel operation,...) leads to the question whether the
second model could also be built.
Perhaps we should split the discussion here and try to answer in one
thread the question of the first model (e.g. why cmp() and not
map_lookup(),...)
and in another one the problems with the second model you mention
in your last mail.
Bernhard
More information about the l4-hackers
mailing list