At Tue, 18 Oct 2005 08:42:55 -0400, Jonathan S. Shapiro wrote:

> In order to implement the protocol that you describe, the cap server
> requires:
>
> a) sufficient authority to inspect the content of every capability

I am not sure that this much authority is required depending on the
design of the server. (See below.)

> b) sufficient authority to fabricate any capability (because it
> must be able to exchange any capability).

I take issue with the "any" qualifier here. The cap server needs to be
able to exchange any capability that it *manages*. Marcus designed a
protocol to do this based on the addition of the so-called map_lookup
function:

  [I]f there was a system call which allowed the caller to check if a
  mapping was derived from another mapping in the same address space,
  then we can use that to "unroll" mapping loops like the one in the
  first scenario, i.e. Server -> Client -> Server, or in the second,
  i.e. Server -> Reference Counter -> Client A -> Client B -> Reference
  Counter. [1]

The requirement is that capabilities which can be exchanged must be
registered with a mutually trusted capability server.

Thanks,
Neal

[1] http://os.inf.tu-dresden.de/pipermail/l4-hackers/2005/002140.html

_______________________________________________
L4-hurd mailing list
http://lists.gnu.org/mailman/listinfo/l4-hurd
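The two points Neal makes above (the cap server only needs to exchange capabilities it manages, and a map_lookup-style check lets a task detect that a mapping it received derives from one it already holds) can be played through on a small model. The following is an added example written for this archive page, not code from the Hurd, L4 or the cited proposal; the mapping-database model, the names MappingDB, Mapping, CapServer and map_lookup, and the sample capability strings are all constructed assumptions. It walks both loops from the quoted text: Server -> Client -> Server, and Server -> Reference Counter -> Client A -> Client B -> Reference Counter.

```python
"""Toy model of a mapping database with a derivation check in the spirit of
the map_lookup system call discussed on the list (assumed names, not L4 API)."""

from dataclasses import dataclass, field
from itertools import count

_ids = count(1)


@dataclass
class Mapping:
    """One mapping of a capability into an address space (a task)."""
    space: str                  # address space holding this mapping
    cap: str                    # object the capability names (constructed label)
    parent: "Mapping | None"    # mapping this one was derived from; None = original
    id: int = field(default_factory=lambda: next(_ids))


class MappingDB:
    """Kernel-side mapping database: every derived mapping remembers its parent."""

    def __init__(self):
        self.mappings = {}

    def create(self, space, cap):
        """Create an original (underived) mapping in `space`."""
        m = Mapping(space, cap, None)
        self.mappings[m.id] = m
        return m

    def map(self, src, dst_space):
        """Derive a new mapping in `dst_space` from `src` (the map/grant operation)."""
        m = Mapping(dst_space, src.cap, src)
        self.mappings[m.id] = m
        return m

    def map_lookup(self, space, candidate, ancestor):
        """Assumed system call: True iff `candidate` and `ancestor` are both held by
        `space` and `candidate` derives from `ancestor` through any chain of spaces."""
        if candidate.space != space or ancestor.space != space:
            return False
        m = candidate.parent
        while m is not None:
            if m is ancestor:
                return True
            m = m.parent
        return False


class CapServer:
    """Mutually trusted capability server: it registers the capabilities it manages
    and recognises them when handed back, without inspecting or fabricating others."""

    def __init__(self, db, name="capserver"):
        self.db = db
        self.name = name
        self.registered = {}    # id of the server's original mapping -> Mapping

    def register(self, cap):
        m = self.db.create(self.name, cap)
        self.registered[m.id] = m
        return m

    def hand_out(self, original, to_space):
        return self.db.map(original, to_space)

    def identify(self, received):
        """Return the registered original that `received` derives from, or None if
        the mapping is not one this server manages (so it cannot be exchanged)."""
        if received.space != self.name:
            return None
        for orig in self.registered.values():
            if self.db.map_lookup(self.name, received, orig):
                return orig
        return None


def scenario_server_client_server():
    """Server -> Client -> Server: the server unrolls the loop to its own original."""
    db = MappingDB()
    server = CapServer(db)
    orig = server.register("file:/etc/motd")        # constructed sample capability
    client_copy = server.hand_out(orig, "clientA")
    handed_back = db.map(client_copy, server.name)  # client maps it back to the server
    return server.identify(handed_back) is orig


def scenario_unregistered_capability():
    """A capability the server never registered is not recognised, hence not exchanged."""
    db = MappingDB()
    server = CapServer(db)
    server.register("file:/etc/motd")
    foreign = db.create("clientB", "file:/etc/passwd")  # constructed, not managed here
    return server.identify(db.map(foreign, server.name)) is None


def scenario_reference_counter_chain():
    """Server -> Reference Counter -> Client A -> Client B -> Reference Counter:
    the reference counter checks, in its own space, that what came back derives
    from the mapping it originally received."""
    db = MappingDB()
    server = CapServer(db, "server")
    orig = server.register("obj")
    rc_copy = server.hand_out(orig, "refcounter")
    a_copy = db.map(rc_copy, "clientA")
    b_copy = db.map(a_copy, "clientB")
    back_at_rc = db.map(b_copy, "refcounter")
    return db.map_lookup("refcounter", back_at_rc, rc_copy)
```

The check only ever compares two mappings held in the caller's own address space, which is exactly why the server needs neither the authority to inspect every capability nor to fabricate arbitrary ones: it recognises its own registered originals by derivation and refuses everything else.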
