At Sat, 08 Oct 2005 16:27:57 -0400, Jonathan S. Shapiro wrote:
> In fact, there is a hierarchy problem in L4.x2 today in the memory
> manager. Consider two processes A, B with respective pagers A', B'. Now:
>
> A' maps to A
> A maps to B
> A' revokes
> B' knows nothing and cannot reconstruct the mapping.
>
> This problem is now well-known by the L4 designers, and it is a direct
> consequence of using REVOCABLE COPY as the primitive operation. In every
> real system that has been constructed on top of L4.x2, the solution has
> been to require that either
>
> A' and B' are identical, or
> A' and B' have a commonly trusted parent who knows how to recover, or
> The design is broken, so unmaps are not performed.
>
> The current L4sec design will require that every capability interaction
> must use the same kinds of solutions.
A can only map to B if B accepts an IPC containing a map item. That is, B
always knows when someone maps to it and can inform B' about such a mapping.
If B' doesn't trust B, or if B' is unwilling to accept this information, this
is not a problem: B can still create a new thread (LB) and set it as its pager
(B' cannot prevent this). When a page fault occurs, LB looks up how to
reconstruct the mapping. If it doesn't have the required information, it
simply propagates the fault to B':

  B -page fault-> LB -fault propagation-> B'

Do you find this a reasonable solution?

Thanks,
Neal

_______________________________________________
L4-hurd mailing list
http://lists.gnu.org/mailman/listinfo/l4-hurd
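A toy model of the revocable-copy mapping hierarchy quoted above and of the local pager LB proposed in the reply, added here as an example; it is not code from the thread, from L4 or from the Hurd. The `Task`, `LocalPager` and `scenario` structures are assumptions of this model, and it assumes the recorded source task is willing to map the page to B again when LB asks.

```python
# Added example (not from the thread): toy model of the L4 revocable-copy
# mapping hierarchy A' -> A -> B and of B's local pager LB.  Task names
# follow the message; the data structures are this model's assumptions.

class Task:
    def __init__(self, name):
        # pages: own page -> (source task, source page) or None for a root
        # children: (own page, child task, child page) we mapped out
        self.name, self.pages, self.children = name, {}, []

def map_page(src, src_page, dst, dst_page):
    """REVOCABLE COPY: dst gets a mapping derived from src's page."""
    assert src_page in src.pages, f"{src.name} does not hold {src_page}"
    dst.pages[dst_page] = (src, src_page)
    src.children.append((src_page, dst, dst_page))

def unmap(task, page):
    """Recursive revoke: removed from every descendant, task keeps the page."""
    for entry in [e for e in task.children if e[0] == page]:
        _, child, child_page = entry
        unmap(child, child_page)          # grandchildren are revoked first
        child.pages.pop(child_page, None)
        task.children.remove(entry)

class LocalPager:
    """LB: B's own pager; B tells it about every map item B accepted."""
    def __init__(self, owner, upstream):
        self.owner, self.upstream = owner, upstream    # B and B'
        self.records = {}                              # B page -> (src, page)
    def note_map_item(self, page, src, src_page):
        self.records[page] = (src, src_page)
    def handle_fault(self, page):
        """Reconstruct from the recorded source if it still holds the page
        (assumed willing to re-map), otherwise propagate the fault to B'."""
        src_info = self.records.get(page)
        if src_info and src_info[1] in src_info[0].pages:
            map_page(src_info[0], src_info[1], self.owner, page)
            return "reconstructed"
        return f"propagated to {self.upstream.name}"

def scenario(revoker):
    """Build A' -> A -> B, let `revoker` ("A'" or "A") unmap, fault in B."""
    a_p, a, b, b_p = Task("A'"), Task("A"), Task("B"), Task("B'")
    lb = LocalPager(b, b_p)
    a_p.pages["p0"] = None                  # A' holds the page directly
    map_page(a_p, "p0", a, "va")            # A' maps to A
    map_page(a, "va", b, "vb")              # A maps to B (B accepts the item)
    lb.note_map_item("vb", a, "va")         # B informs LB, not B'
    unmap({"A'": a_p, "A": a}[revoker], {"A'": "p0", "A": "va"}[revoker])
    return lb.handle_fault("vb")            # B lost "vb" either way
```

When A' revokes, A no longer holds the page, so LB cannot reconstruct and the fault goes to B' exactly as in the quoted problem; when only A revokes B's copy, LB repairs it without B' ever being involved.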
