On Wed, 2005-10-19 at 20:41 +0200, Espen Skoglund wrote:
> Just did a LITTLE thinking, and I have a question about what we REALLY
> want here: Do we really want what I just stated? Or in other words:
> Does B really want to trust the hierarchy between "Cap.1" and
> "Cap.1..x" to not perform any revocation?
>
> If the answer is NO then it seems to me that what we actually want is:
>
> "B has Cap.1.y"
>
> Comments?
Given a chain of cap transfers of the form
          ANY    ANY     RevCOPY   COPY
    ... S ---> T ---> A --------> B -----> C
We want it to be the case that
(1) C's capability gets revoked exactly when B's
capability gets revoked, and
(2) any revocation of A's capability causes the
capabilities held by B and C to be revoked also.
That is, we are trying to simulate the behavior of the obvious
kernel-implemented COPY operation. This definition of RevCOPY/COPY
composition is required if we are to preserve any possibility of
confinement.
B might overwrite its capability before the revoke occurs, and this
should not cause C's copy to disappear. That is: B and C hold co-equal
copies after the COPY operation.
shap
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
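The RevCOPY/COPY composition shap describes, as an added toy model (not L4 or Hurd code, and not from the thread). It assumes each RevCOPY mints a new kernel-side node subordinate to the source's node, COPY aliases the same node, a capability is valid only if no node on its path to the root is revoked, and the unspecified ANY hops are modelled as RevCOPY.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CapNode:
    """Kernel-side node for one revocable generation of a capability (toy model)."""
    parent: Optional["CapNode"] = None
    revoked: bool = False
    def valid(self) -> bool:
        n = self
        while n is not None:          # revoking any ancestor invalidates this node
            if n.revoked:
                return False
            n = n.parent
        return True

class Domain:
    """A protection domain with a single capability slot (None = empty)."""
    def __init__(self, name: str, slot: Optional[CapNode] = None):
        self.name, self.slot = name, slot
    def holds_valid_cap(self) -> bool:
        return self.slot is not None and self.slot.valid()

def rev_copy(src: Domain, dst: Domain) -> None:
    dst.slot = CapNode(parent=src.slot)   # new generation subordinate to src's node
def copy(src: Domain, dst: Domain) -> None:
    dst.slot = src.slot                   # co-equal alias of the very same node

def build_chain():
    """S -> T -> A --RevCOPY--> B --COPY--> C; ANY hops modelled as RevCOPY (assumption)."""
    S = Domain("S", CapNode())
    T, A, B, C = (Domain(n) for n in "TABC")
    rev_copy(S, T); rev_copy(T, A); rev_copy(A, B); copy(B, C)
    return S, T, A, B, C

def revoke_b_revokes_c() -> bool:          # property (1)
    S, T, A, B, C = build_chain()
    B.slot.revoked = True
    return (not C.holds_valid_cap()) and A.holds_valid_cap()

def revoke_a_revokes_b_and_c() -> bool:    # property (2)
    S, T, A, B, C = build_chain()
    A.slot.revoked = True
    return not B.holds_valid_cap() and not C.holds_valid_cap() and T.holds_valid_cap()

def overwrite_b_keeps_c() -> bool:         # B and C are co-equal holders
    S, T, A, B, C = build_chain()
    B.slot = None                           # B overwrites its slot before any revoke
    c_survives = C.holds_valid_cap()
    A.slot.revoked = True                   # A's revocation must still reach C
    return c_survives and not C.holds_valid_cap()
```

The last function is the case shap raises: because the revocable generation is a kernel object rather than B's slot, B dropping its copy neither destroys C's nor detaches C from A's revocation.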