On Sat, Jul 25, 2009 at 07:36:11PM +0300, Bahadir Balban wrote:
> Having all capabilities maintained by the microkernel will add policy to
> it and inflate it, so it will somewhat deviate from a rigorous
> microkernel design. If you believe that to be more appropriate for
> maintaining security, it may be a reasonable tradeoff for you.
>
> However, a significant goal in Codezero is to remain generic for
> building any OS core on top. In that respect, no OS specific policy is
> allowed inside. Keeping userspace capabilities in the kernel would be
> against that principle.
I keep getting the feeling that you've "missed" the point of object-capability systems. I'd recommend a read through the literature available on it, say:

http://www.erights.org/
http://www.eros-os.org/
http://www.cap-lore.com/

Coyotos is dead now, but the kernel design docs are still up and very elegant:

http://www.coyotos.org/docs/

Marcus and others (sorry for minimizing everyone else, it was Marcus who was most vocal when I joined) tried *very* hard to make an L4 work; maybe a fresh perspective was all that was needed, but it looked pretty terminal at the time to most people.

I've had a look back through the archives and the following looks like a nice early reference:

http://lists.gnu.org/archive/html/l4-hurd/2002-12/msg00003.html

Jonathan Shapiro, of EROS and Coyotos, seemed to join properly here:

http://lists.gnu.org/archive/html/l4-hurd/2005-09/msg00060.html

and the earliest I could find was:

http://lists.gnu.org/archive/html/l4-hurd/2003-08/msg00000.html

The cap-talk mailing list is active and I'm sure would welcome any questions you may have:

http://www.eros-os.org/mailman/listinfo/cap-talk

--
  Sam  http://samason.me.uk/
