At Wed, 19 Oct 2005 15:42:12 -0400, "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote: > At any point in the node tree, one may insert a wrapper node "in front" > of an existing subtree. This wrapper node may specify a start (entry) > capability in the CF slot, and set a control bit. The control bit > indicates that a "keeper" is defined defined by this wrapper.
Is the following true: If the pager gives the start capability _only_ to the wrapper object, then _only_ the kernel can invoke page fault messages on this start capability. If this is true, then this could be a significant difference. In L4, page fault messages can be emulated (either by unmapping and faulting, or by direct IPC), and this means that the pager needs to protect against DoS attacks --- at least somewhere in the hierarchy (the first pager of a task is usually local, and there is a mutual trust relationship. If in EROS you can ensure that only the kernel can generate page faults, then, because the kernel also controls the page eviction policy, this seems to protect against DoS attacks. Thanks, Marcus _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
