At Thu, 13 Oct 2005 17:23:35 -0400, "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote: > > The "weak" part needs explanation. > > Suppose that you hold a read-only capability to a node that contains a > read-write capability? You fetch the read-write capability and you have > now broken confinement. > > The effect of the "weak" restriction is to downgrade each capability as > it is fetched, ensuring that the fetched capability is both weak and > read-only. This downgrade is conservative. Endpoint capabilities, for > example, become Void capabilities.
I always wondered about something related to weak. What you say applies, presumably, to all kernel objects, and to a certain set of "standard objects". But what if I introduce a new type of objects, where even a "read only" capability supports "writish operations"? Can I then break out of confinement with the support of the server providing that capability? I am not really sure if I am asking a security question. Well, I am, but maybe there is some obvious answer to it, for example that the constructor will only insert capabilities of the known, good types, and that any unsafe capability comes from the instantiator. That would do the trick I think, but note that I am only guessing. The actual question I think I am asking is if the interpretation of read/write/weak only applies to the standard objects, or if it can be extended to new object types, and what happens if you have object types that don't fit this pattern at all. Thanks, Marcus _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
