On Tue, 2005-10-25 at 21:30 +0200, Bas Wijnen wrote:

> The requirement that the instantiator should not be allowed to inspect the
> instantiated is only needed for programs which receive capabilities that the
> instantiator doesn't have. In other cases it doesn't usually harm to allow
> the inspection, but there isn't really a reason to try to allow it. It's more
> a matter of not spending performance on trying to enforce it.

There *is* a good reason: the principle of least authority. Fortunately, it doesn't involve any extra effort. It is a natural consequence of proper system structure that inspection requires the consent of the inspected process.

> > Would it be a good idea to use the ctrl-alt-del-mechanisms of
> > "IBM-compatible" PCs on these machines?
>
> That is a different version of the same idea: the trusted hardware in that
> case being a certain combination of keys which cannot be handled by
> applications. I very much dislike the idea of reserving key combinations
> though, and I think it was a _very_ bad idea from them to use a combination
> with an existing, very different, meaning.

Yes. However, there is a key that was specifically intended for this purpose: SYSREQ.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
