[cap-talk] MinorFS Philosophy

Karp, Alan H alan.karp at hp.com
Mon Jul 28 17:51:56 CDT 2008


Rob Meijer wrote:
>
> > Doesn't
> > that lose the advantage of not having all the user's permissions in a
> > single context?
>
> I don't quite understand what you mean by this.

In an earlier note, you commented that concentrating all the user's rights in a powerbox was something you avoided by having the program own the right and delegate to the user, rather than the other way around.  That sounds like a good thing, but I'm having trouble understanding how it works across restarts.
>
> What MinorViewFs does is that it delegates the right to the pseudo
> persistent process context to the active process that it views as an
> incarnation of the identified pseudo persistent process. It does this by
> means of putting a symbolic link /mnt/minorfs/priv/home that points to the
> relevant subgraph under /mnt/minorfs/cap/<DIR_NODE_PASSWORD_CAP>/ .
> For each distinct combination of user id, callchain and slot,
> <DIR_NODE_PASSWORD_CAP> would point at a different subgraph, thus ensuring
> the (initially) private view.
>
That's the part I don't understand.  Can you be more specific, showing an example with a user Alice and a program Edit?  Your description makes it sound like Alice's home directory has links to all her capabilities, which seems to me to be a powerbox.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
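The mechanism Rob describes above (one private subgraph under the cap tree per user id, callchain and slot, with priv/home symlinked to the subgraph of the running incarnation) is easier to see with a small model. The following is an added toy simulation, not MinorFS code and not from either participant: it derives a stable, unguessable directory name from (uid, callchain, slot) with an HMAC over a filesystem-held secret (an assumption; how MinorFS actually derives DIR_NODE_PASSWORD_CAP is not stated in the thread), builds a cap/ tree and a priv/home link under a temporary root instead of /mnt/minorfs, and then walks through Alan's "Alice and Edit" question, including what happens across a restart and when a different program in the callchain attaches.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed secret standing in for whatever makes directory-node password
# capabilities unguessable in a real deployment (assumption, not MinorFS's).
FS_SECRET = b"constructed-filesystem-secret"


def dir_node_password_cap(uid, callchain, slot, secret=FS_SECRET):
    """Name of the private subgraph for one (uid, callchain, slot) identity.

    HMAC keeps the name unguessable without the secret, and deterministic so a
    restarted incarnation of the same pseudo-persistent process maps back to
    the same subgraph. This derivation is a hypothetical stand-in."""
    identity = "%d|%s|%d" % (uid, "/".join(callchain), slot)
    return hmac.new(secret, identity.encode(), hashlib.sha256).hexdigest()[:32]


class MinorViewModel:
    """Toy model of the view described in the thread: <root>/cap/<CAP>/ holds
    one subgraph per capability, and <root>/priv/home is a symlink to the
    subgraph of whichever incarnation is currently attached."""

    def __init__(self, root):
        self.cap_root = os.path.join(root, "cap")
        self.priv_home = os.path.join(root, "priv", "home")
        os.makedirs(self.cap_root, exist_ok=True)
        os.makedirs(os.path.dirname(self.priv_home), exist_ok=True)

    def attach(self, uid, callchain, slot):
        """Point priv/home at the subgraph for this identity; return its path."""
        cap = dir_node_password_cap(uid, callchain, slot)
        subgraph = os.path.join(self.cap_root, cap)
        os.makedirs(subgraph, exist_ok=True)
        # Build the new link beside the old one and rename over it, so the
        # process never observes a missing priv/home.
        tmp = self.priv_home + ".tmp"
        if os.path.lexists(tmp):
            os.remove(tmp)
        os.symlink(subgraph, tmp)
        os.replace(tmp, self.priv_home)
        return subgraph

    def home_file(self, name):
        """Path of a file as the attached process sees it through priv/home."""
        return os.path.join(self.priv_home, name)


def demo():
    """Alice (uid 1000) runs Edit, writes a note, restarts Edit, then runs Mail."""
    fs = MinorViewModel(tempfile.mkdtemp(prefix="minorfs-model-"))
    alice = 1000
    edit_chain = ("/bin/login", "/usr/bin/edit")   # constructed callchain
    mail_chain = ("/bin/login", "/usr/bin/mail")   # constructed callchain

    first = fs.attach(alice, edit_chain, 0)
    with open(fs.home_file("notes.txt"), "w") as f:
        f.write("alice's private note\n")

    # Restart of the same pseudo-persistent process: same cap, note still there.
    again = fs.attach(alice, edit_chain, 0)
    survived = os.path.exists(fs.home_file("notes.txt"))

    # A different program in Alice's callchain gets a different subgraph and
    # cannot see Edit's note through its own priv/home.
    other = fs.attach(alice, mail_chain, 0)
    isolated = not os.path.exists(fs.home_file("notes.txt"))

    return {
        "same_across_restart": first == again,
        "note_survived_restart": survived,
        "other_program_differs": other != first,
        "other_program_isolated": isolated,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes about Alan's powerbox concern is that priv/home never enumerates Alice's capabilities: at any moment it resolves to exactly one subgraph, the one for the running (uid, callchain, slot) identity, and the other subgraphs are reachable only through names the attached process has no way to compute.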
