On Mon, 2005-10-24 at 23:25 +0200, Bas Wijnen wrote:
> On Mon, Oct 24, 2005 at 04:00:05PM -0400, Jonathan S. Shapiro wrote:
> > The predictor needs access to the file system to make its prediction,
> > and this is *precisely* the access that we must not give it! Even
> > disclosing the *names* of my files to the hostile code must not occur.
>
> This is where confinement comes in. Since constructors can guarantee this, we
> can know that the predictor cannot communicate with anyone, in particular with
> the program it predicts for. We give it read only access to the whole file
> system, and simply ignore everything it does except the prediction.

It doesn't work. Even if the file system is read-only, the files themselves are not. Remember that in a persistent system many entities named in the directory space are actually processes. The kernel has no way to enforce the read-only restriction for IPCs to those processes, because it does not know what they do.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
