At Thu, 09 Jun 2005 18:30:37 +0200, Marcus Brinkmann@ruhr-uni-bochum de wrote:
> There may be security implications in revealing mapping "identities" at all. Maybe this feature needs to be restricted for confined tasks.
I have thought about this a bit more and think that this can be done very easily by using an access right bit, just like rwx are access right bits for memory mappings. If the bit is set, you are allowed to traverse the mapping tree through this node, and if you want to disallow it, you clear the bit in a mapping you give away.
The interesting part about this bit would be that it is entirely local: On every mapping, you can set or clear it. It's not like with rwx, where you can only clear and not set.
For our scheme, this could be used, for example, to hand out a capability temporarily (by delegating a mapping for it), but being sure that we can revoke it later, because the receiving task cannot acquire its own reference. Having the guarantee that you can revoke a capability seems to be a useful option to have in a capability system.
But I should add that this is a feature I have still not yet entirely thought through. I just sent this mail to frame it in terms of well-known L4 concepts, namely access right bits.
Thanks, Marcus
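A small model of the idea in the mail, added here as an illustration and not code from the mail or from L4/Hurd: rwx bits can only be narrowed along the mapping tree, while the hypothetical TRAVERSE bit is set or cleared independently on every node; "acquiring an own reference" is modelled as walking up to the root and taking a fresh mapping there, which is an assumption about how a task would escape revocation of the delegated chain.

```python
from dataclasses import dataclass

# R/W/X follow L4 rules (only ever cleared further down the tree);
# TRAVERSE is the hypothetical bit from the mail, local to each mapping.
R, W, X, TRAVERSE = 1, 2, 4, 8

@dataclass
class Mapping:
    owner: str
    rights: int
    parent: "Mapping | None" = None
    revoked: bool = False

def delegate(src: Mapping, receiver: str, rights: int) -> Mapping:
    # rwx may only be narrowed relative to src; TRAVERSE is free on the new node
    if (rights & (R | W | X)) & ~src.rights:
        raise PermissionError("cannot grant rwx bits the source mapping lacks")
    return Mapping(receiver, rights, parent=src)

def acquire_own_reference(m: Mapping) -> "Mapping | None":
    # walk toward the root, but only through nodes that carry TRAVERSE
    node = m
    while node.parent is not None and node.rights & TRAVERSE:
        node = node.parent
    if node.parent is not None:     # stopped at a node that hides its parent
        return None
    # a fresh mapping straight from the root, independent of the delegation chain
    return delegate(node, m.owner, m.rights & (R | W | X))

def revoke(m: Mapping) -> None:
    m.revoked = True                # descendants see this through their parent chain

def effective_rights(m: Mapping) -> int:
    node = m
    while node is not None:
        if node.revoked:
            return 0
        node = node.parent
    return m.rights & (R | W | X)

def demo():
    root = Mapping("A", R | W | X | TRAVERSE)
    b = delegate(root, "B", R | W)          # temporary hand-out: no TRAVERSE
    b_own = acquire_own_reference(b)        # None: B cannot reach the root
    c = delegate(root, "C", R | TRAVERSE)   # TRAVERSE set: C can reach it
    c_own = acquire_own_reference(c)
    revoke(b); revoke(c)                    # A revokes both hand-outs
    return b_own, effective_rights(b), effective_rights(c), effective_rights(c_own)
```

demo() returns (None, 0, 0, 1): B's delegated capability is gone after revocation, while C kept an independent reference because its mapping allowed traversal.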