[Jonathan S Shapiro]
> Simply "telling" a subsystem that it cannot use certain names, of
> course, accomplishes nothing. This is why enforcement is
> required.

Sorry.  I of course meant telling *and* enforcing.

> The argument for local names has two parts:

>   1. It is probably the simplest mechanism for enforcing the access
>      check.

And if the local name space is always idempotently "mapped" to the
global name space then the access check is a lookup in a bitmap.  This
is essentially the Jaeger-Elphinstone redirection model [1].

>   2. By encapsulating the true name of the service, it allows the
>      service to alter its behavior or implementation in ways that
>      can be transparent to the client.

> The second is an argument about a kind of virtualizability. In my
> opinion, this is very nearly as important as the protection
> argument.

Agreed.  Virtualizability was one of my main motivations for doing
local name spaces.

        eSk


[1] http://l4ka.org/publications/paper.php?docid=670
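
The two enforcement shapes discussed in this message, as an added example that is not part of the original email or of any L4 or Hurd code: a bitmap test when local names map to themselves, and a per-task translation table that lets the true name change behind a stable local name. All struct and function names, and the 64-entry global name space, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_GLOBAL 64          /* constructed size of the global name space */
#define MAX_LOCAL  8           /* constructed size of one task's local name space */
#define NO_NAME    UINT32_MAX  /* marks an unmapped local slot */

/* Hypothetical per-task state kept by whoever enforces the name space. */
struct task {
    uint64_t allowed;               /* bit g set => task may use global name g */
    uint32_t local_map[MAX_LOCAL];  /* local name -> global name, or NO_NAME */
};

void task_init(struct task *t)
{
    t->allowed = 0;
    for (size_t i = 0; i < MAX_LOCAL; i++)
        t->local_map[i] = NO_NAME;
}

void grant(struct task *t, uint32_t g)
{
    if (g < MAX_GLOBAL)
        t->allowed |= (uint64_t)1 << g;
}

/* Identity-mapped case: the local name is the global name, so the
 * access check is a single bit test. Out-of-range names are denied. */
int check_identity(const struct task *t, uint32_t name)
{
    return name < MAX_GLOBAL && ((t->allowed >> name) & 1u);
}

/* General case: translate through the task's table. A slot that was
 * never bound resolves to NO_NAME, which the caller treats as denial. */
uint32_t resolve_local(const struct task *t, uint32_t local)
{
    return local < MAX_LOCAL ? t->local_map[local] : NO_NAME;
}

/* Bind or rebind a local name. The client keeps using the same local
 * name while the global name behind it changes (the virtualizability
 * point in the message). Returns 0 on success, -1 on a bad argument. */
int rebind(struct task *t, uint32_t local, uint32_t new_global)
{
    if (local >= MAX_LOCAL || new_global >= MAX_GLOBAL)
        return -1;
    t->local_map[local] = new_global;
    return 0;
}
```
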


_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
