[cap-talk] MinorFS Philosophy

Toby Murray toby.murray at comlab.ox.ac.uk
Sat Jul 12 06:51:59 CDT 2008


Hi Rob, and all cap-talkers who are interested here,

I want to ask a question about the philosophy behind MinorFS. It appears
to be unique amongst other POLA-related filesystem projects, such as
Plash.

The fundamental difference appears, to me at least, to be this:

 - Programs run under MinorFS need to protect their secrets (and yours)
from the rest of the system. Hence, there is inherently some trust being
placed in a MinorFS'd program (like the ssh example you gave), while the
rest of the system is potentially untrusted.

 - In contrast, Plash is used to guard your secrets (and those of your
trusted applications) from Plash'd programs, which are inherently
untrusted.

Hence, the two approaches appear to be almost mirror-images of each other,
with the trust relations inverted.

I'd like to get your thoughts, and those of others, on this
characterisation of the two approaches.

Taking this further, one can build a "capability metaphor" for a Plash'd
program as follows: A program running under Plash runs in its own
filesystem namespace. Each name within that namespace can be thought of
as a handle to a capability that the process can access by using the open()
syscall. Then the propagation of capabilities between Plash'd processes
follows (roughly) the rules of the object-capability model.

I wonder whether one can do likewise for MinorFS. I haven't yet been
able to do so, which makes me think that the philosophy behind MinorFS is
unique indeed. However, because of this, I have trouble trying to figure
out how I could make best use of MinorFS, as opposed to Plash, where I
can immediately see how it can help me to enforce POLA.

Am I limited by trying to think of least authority solely in terms
of the object-capability model, or is it that MinorFS is meant to solve
a different problem altogether?

At any rate, I tip my hat to you, Rob, for building such an interesting
system. I hope you can help shed some light on the above so that I can
better understand it.

Cheers

Toby
