[cap-talk] Deep attenuation, typed operations
Charles Landau
clandau at macslab.com
Tue Aug 14 13:39:50 EDT 2007
At 9:01 PM -0700 8/13/07, Jed Donnelley wrote:
>A variation on this theme that I've considered is
>one in which the permitted operations are
>typed. That is, each operation is listed with
>a type, like [insert,directory] noting that the
>"insert" operation will be explicitly allowed
>when the "allow-only" operation is performed
>on a returned object of type 'directory'.
1. This seems like a lot of responsibility to place on the directory, and a lot of state to remember.

2. Types have limitations. Suppose you have a directory with [read, file] as its deep attenuation rule. Now I create an object of type newFile that also has read and write operations. (The type is newFile, not file, because it has other differences from the file object.) Using my unattenuated capability to a subdirectory, I put a cap to the newFile in the subdirectory. Given that the type of my object is different from file, there is no way I can permit you to get a read-only capability to my object.
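A small executable model of the typed allow-only rule discussed in this thread, added here as an example and not code from the post or from any capability system; the object, capability and directory shapes (and the "lookup" operation used to traverse directories) are assumptions. It carries a [read, file] rule through a lookup chain and shows why an object tagged newFile, with the same read operation, comes back with no permitted operations.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    type: str                                    # nominal type tag the rule matches on
    ops: frozenset                               # operations the object itself supports
    entries: dict = field(default_factory=dict)  # name -> Cap, used by directories

@dataclass
class Cap:
    obj: Obj
    allowed: frozenset   # operations this capability permits on obj
    deep: tuple = ()     # allow-only rule ((op, type), ...) applied to every returned cap

    def can(self, op):
        return op in self.allowed

def attenuate(cap, deep_rule):
    """Keep only ops the rule lists for this object's type; the rule itself is
    retained so it keeps applying to caps obtained through later lookups."""
    permitted = frozenset(op for op, t in deep_rule if t == cap.obj.type)
    return Cap(cap.obj, cap.allowed & permitted, tuple(deep_rule))

def lookup(dircap, name):
    """Fetch a child cap from a directory, deep-attenuating it if the holder's cap carries a rule."""
    if not dircap.can("lookup"):
        raise PermissionError("lookup not permitted by this capability")
    child = dircap.obj.entries[name]
    return attenuate(child, dircap.deep) if dircap.deep else child

def build_scenario():
    """Constructed sample tree (not from the post): root -> sub -> {f: file, g: newFile}."""
    file = Obj("file", frozenset({"read", "write"}))
    new_file = Obj("newFile", frozenset({"read", "write", "append"}))  # same read op, different type
    sub = Obj("directory", frozenset({"lookup", "insert"}))
    root = Obj("directory", frozenset({"lookup", "insert"}), {"sub": Cap(sub, sub.ops)})
    sub.entries["f"] = Cap(file, file.ops)
    sub.entries["g"] = Cap(new_file, new_file.ops)
    return root

def demo():
    root = build_scenario()
    owner = Cap(root, root.ops)                                  # unattenuated owner cap
    rule = (("lookup", "directory"), ("read", "file"))           # typed allow-only rule
    guest = attenuate(owner, rule)                               # what the owner hands out
    sub = lookup(guest, "sub")
    f, g = lookup(sub, "f"), lookup(sub, "g")
    return {"sub": sorted(sub.allowed), "file": sorted(f.allowed), "newFile": sorted(g.allowed)}
```

Running `demo()` yields read-only access to the file but an empty operation set for the newFile, because the rule is keyed on the type name rather than on the operation the holder actually wanted to grant.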