[cap-talk] OLPC talk - implications of cap-like security?
Mark Miller
erights at gmail.com
Sun Jul 1 01:45:57 EDT 2007
On 6/25/07, Ivan Krstić <krstic at solarsail.hcs.harvard.edu> wrote:
> I clearly didn't want to reinvent the Unix ways of reading, seeking and
> writing bytes, but talking to the object store takes place over a
> separate, non-standard channel (currently D-BUS). Once you convince the
> store that you should be given access to a file -- that's what the
> powerbox will do for you -- a Unix file "materializes" in your
> application's namespace, and from there on, the byte-operation semantics
> are known. To store a modified file in the object store requires another
> conversation with the object store.
Hi Ivan,
I watched your talk, which I quite enjoyed. My compliments. In the
talk you refer to a "bitfrost specification". Has an actual spec been
posted yet? (I'm not being snide -- we have yet to post an E spec :(.)
I'm curious to know what you mean by "object store" above. D-BUS seems
to be a technology for delivering messages to objects within other
processes, which may therefore be encapsulated from the invoking
process. Above, you talk about accessing the object as if it's a UNIX
file, implying that the "object" is just an unencapsulated sequence of
bytes.
Do you use D-BUS for communication between mutually suspicious
processes? Do you treat D-BUS object "names" as unguessable (sparse)
capabilities?
It occurs to me that Plash <http://plash.beasts.org> may already solve
many of the same problems you're facing. AFAIK, it uses Unix Domain
Sockets for inter-process communication, so it can use file
descriptors directly as object-capabilities. Have you looked at it?
<terminology-quibble>
> Sort of. Each user program executes in its own VM,
I like your choice of VServer for what you're doing. But every time
you use the term "VM" to describe it, I get confused and then have to
remind myself: "He means virtual operating system, not virtual
machine." If it were a VM, then I could run different OSes in
different VMs.
</terminology-quibble>
Can VServers within one host Linux communicate with each other using
Unix Domain Sockets? If the answer is currently "no", how easy would
it be to fix this?
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
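The Plash-style mechanism raised in the message above, a file descriptor passed over a Unix domain socket serving as the object-capability, as an added Python example that is not part of the original message nor code from Plash or Bitfrost: the "store" side opens a constructed temp file read-only and sends only the descriptor (SCM_RIGHTS via socket.send_fds), while the "application" side, in a forked process that never learns the path, reads through it and finds writes refused. Assumes Python 3.9+ on Linux.

```python
import os
import socket
import tempfile

SAMPLE = b"hello from the object store\n"  # constructed sample content


def store_side(sock, path):
    """Grant access: open read-only and hand over only the fd, never the path."""
    fd = os.open(path, os.O_RDONLY)  # O_RDONLY attenuates the authority to reading
    socket.send_fds(sock, [b"grant"], [fd])  # SCM_RIGHTS under the hood
    os.close(fd)  # our copy; the receiver now holds its own reference


def app_side(sock):
    """Receive the descriptor and use ordinary Unix byte operations on it."""
    _msg, fds, _flags, _addr = socket.recv_fds(sock, 1024, 1)
    fd = fds[0]
    data = os.read(fd, 4096)
    try:
        os.write(fd, b"x")  # grant was read-only: the kernel refuses (EBADF)
        write_refused = False
    except OSError:
        write_refused = True
    os.close(fd)
    return data, write_refused


def run_demo():
    """Run store and app in separate processes joined only by a socketpair."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE)
        path = tmp.name
    parent, child = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # child = application: sees no path, only the socket
        parent.close()
        data, refused = app_side(child)
        child.sendall(data + (b"\x01" if refused else b"\x00"))
        os._exit(0)
    child.close()
    store_side(parent, path)
    reply = b""
    while chunk := parent.recv(4096):  # read to EOF, i.e. until the child exits
        reply += chunk
    parent.close()
    os.waitpid(pid, 0)
    os.unlink(path)
    return reply[:-1], reply[-1] == 1
```

run_demo() returns the bytes the application read plus whether its write was refused; the application process holds the authority without ever seeing a filename in its namespace.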