[cap-talk] ... enforcement - hope? Capabilities as clumsy, not

David Wagner daw at cs.berkeley.edu
Wed Sep 29 19:03:02 EDT 2004


Jed Donnelley writes:
>>Systrace [is] an ambient authority system where the process does not
>>run with all the rights of the user who started the process.
>
>In that sense I don't consider it an ambient authority system.
>It provides an additional 'filter' on the ambient authority, so it is
>something more.  As you say, though, a terminological nit.

To continue the picking of minor nits:

Then I think you are using the terminology in a way different from
what I've seen others use (as far as I can tell).  The benefit of using
accepted terminology is that communication is often easier when we avoid
non-standard usages.

Based on what I've read here, the definition of "ambient authority system"
on this list seems to be any system where a process has associated
with it an implicit set of rights, where when the process performs
some operation (e.g., makes a syscall), the reference monitor checks
whether there exists any right in the process's set that would permit
the operation to succeed.

In other words, ambient authority systems are ones where the process does
not explicitly state which of its rights it is wielding (which of its
rights it thinks demonstrates that the operation should be permitted).
Rather, this is left implicit, and as a result the reference monitor has
to guess at which right the process intended to use for this operation.

At least, that's my understanding of the accepted meaning of this term
among this community.  (Caveat: I've learned this notion from others,
so I could well have it wrong; if so, I hope others will let me know.)

End of nit pick.  Sorry for that.  I hope I'm not beating a dead horse...
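The definition above (a reference monitor that searches the process's whole rights set, versus one that is handed the specific right the process means to use) as a toy Python reference monitor. This is an added example, not code from the thread, from Systrace or from any capability system named here; the Right/Process/monitor classes, the deputy-and-caller scenario and the file paths are all constructed for illustration. It goes one step beyond the post by showing what happens when the ambient monitor's guess lands on a right the process did not intend to wield.

```python
"""Toy reference monitor contrasting ambient authority with explicit
designation of rights.  Constructed example; not from the cap-talk thread."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Right:
    """A single right: permission to perform `mode` on `resource`."""
    resource: str   # e.g. a file path (constructed values below)
    mode: str       # "read" or "write"

    def permits(self, resource: str, mode: str) -> bool:
        return self.resource == resource and self.mode == mode


@dataclass
class Process:
    name: str
    rights: set = field(default_factory=set)   # the process's rights set


class AmbientMonitor:
    """Ambient-authority style: the process names only the operation and the
    monitor searches the whole rights set for *any* right that permits it."""

    def __init__(self):
        self.log = []   # (process, resource, mode, right the monitor picked)

    def check(self, proc: Process, resource: str, mode: str) -> bool:
        for r in proc.rights:          # the monitor has to guess which right applies
            if r.permits(resource, mode):
                self.log.append((proc.name, resource, mode, r))
                return True
        return False


class ExplicitMonitor:
    """Explicit-designation style: the process presents the specific right it
    claims justifies the operation; the monitor checks only that right."""

    def check(self, proc: Process, right: Right, resource: str, mode: str) -> bool:
        if right not in proc.rights:   # cannot wield a right it does not hold
            return False
        return right.permits(resource, mode)


def run_scenario() -> dict:
    """Constructed scenario: a 'deputy' process holds two rights, one to its
    own log file and one handed over by a caller for the caller's output file.
    The caller asks for its output to be written to the deputy's log path."""
    own_log = Right("/var/log/deputy.log", "write")        # deputy's own right
    caller_right = Right("/home/alice/out.txt", "write")   # right received from caller
    deputy = Process("deputy", {own_log, caller_right})
    requested = "/var/log/deputy.log"                      # caller-supplied destination

    # Ambient: deputy just asks to write(requested); the monitor finds *some*
    # matching right (own_log) and allows it, though the deputy meant to use
    # the caller's right on the caller's behalf.
    ambient = AmbientMonitor()
    ambient_ok = ambient.check(deputy, requested, "write")
    guessed = ambient.log[-1][3] if ambient_ok else None

    # Explicit: deputy presents the caller's right for this operation; that
    # right does not cover the requested path, so the operation is refused.
    explicit = ExplicitMonitor()
    explicit_ok = explicit.check(deputy, caller_right, requested, "write")

    return {
        "ambient_allowed": ambient_ok,
        "ambient_used_callers_right": guessed == caller_right,
        "explicit_allowed": explicit_ok,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The only difference between the two monitors is whether the process says which right it is using; the ambient one has to pick a right itself, and nothing ties that pick to the right the process had in mind.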

