On Mon, Dec 07, 2009 at 09:09:50PM +0100, Tom Bachmann wrote:
> Bahadir Balban wrote:
> > When it comes to making the ipc call though, you don't pass the
> > capability id to the call. You pass the thread id you want to ipc to.
> > The system call signature is the same as if capabilities were not there
> > at all. But it surely gets checked, the relevant capability is found,
> > its resource id is matched with the passed thread id, and resolved.
>
> Moreover, this breaks (at the kernel boundary!) one important design
> principle (which I value): explicit designation of authority. How can
> your system avoid the confused deputy problem?
Yup, this looks very much like you've just turned what could be a nice
capability system into one that implicitly relies completely on ambient
authority---namely the "capids" that a thread holds. This is finer grain
than the userid of a conventional process, but still feels like ambient
authority to me.

--
  Sam  http://samason.me.uk/
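To make the distinction the thread is arguing about concrete, here is an added model (not code from the kernel under discussion or from any poster) of the two designation styles: the implicit lookup described in the quoted mail, where the kernel scans the caller's capability list for a resource id matching the passed thread id, beside explicit designation, where the caller names the capability slot it intends to exercise. The deputy thread, its capability set and the thread ids are constructed for illustration; they show how the implicit form lets a deputy's own authority be exercised on a client's behalf.

```c
#define MAX_CAPS 4
#define CAP_IPC_SEND 1

struct capability { int type; int resource_id; };   /* resource_id = thread id the cap grants IPC to */
struct thread { int tid; int ncaps; struct capability caps[MAX_CAPS]; };

/* Implicit designation (the scheme described in the quoted mail): the caller
 * names only the target thread id and the kernel searches the caller's
 * entire capability list for a matching resource id. Any capability the
 * caller happens to hold is used, whether or not the caller meant to use it. */
int ipc_send_implicit(const struct thread *caller, int target_tid)
{
    for (int i = 0; i < caller->ncaps; i++)
        if (caller->caps[i].type == CAP_IPC_SEND &&
            caller->caps[i].resource_id == target_tid)
            return 0;                       /* permitted */
    return -1;                              /* no matching capability */
}

/* Explicit designation: the caller names the capability slot it intends to
 * exercise, and the kernel checks only that slot against the target. */
int ipc_send_explicit(const struct thread *caller, int cap_slot, int target_tid)
{
    if (cap_slot < 0 || cap_slot >= caller->ncaps)
        return -1;
    const struct capability *c = &caller->caps[cap_slot];
    return (c->type == CAP_IPC_SEND && c->resource_id == target_tid) ? 0 : -1;
}

/* Constructed deputy: it holds IPC capabilities to the client's service
 * (tid 10) and, for its own purposes, to a privileged server (tid 99).
 * Slot 0 is the one it is supposed to use on behalf of clients. */
static const struct thread deputy = {
    .tid = 5, .ncaps = 2,
    .caps = { { CAP_IPC_SEND, 10 }, { CAP_IPC_SEND, 99 } },
};

/* A client asks the deputy to forward a message to requested_tid. */
int deputy_forward_implicit(int requested_tid)
{
    return ipc_send_implicit(&deputy, requested_tid);   /* deputy's whole cap set is ambient */
}

int deputy_forward_explicit(int requested_tid)
{
    return ipc_send_explicit(&deputy, 0, requested_tid); /* only the client-facing slot */
}
```

With the implicit form a request naming tid 99 succeeds on the strength of the deputy's own capability; with the explicit form the same request fails because slot 0 only designates tid 10.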
