[cap-talk] MinorFS Philosophy
Karp, Alan H
alan.karp at hp.com
Wed Jul 30 11:11:43 CDT 2008
Rob Meijer wrote:
> I think what Alice "sees" can be divided into two, what Editor0 shows
> and what Shell0 shows her. Initially resume.txt would be only available
> in the Editor0 scope, so only Editor0 would be able to show Alice the
> existence of resume.txt. Alice could ask Editor0 to delegate (full?)
> access to the resume.txt file to Shell0 as a way to simulate the
> user-global scope.
If each editor instance is used to edit exactly one file, then Editor0 *is* resume.txt as far as Alice is concerned. If each editor instance is used to edit many files, then Alice may end up mixing files with different protection needs in a single process, a problem we decided to document but otherwise ignore in Polaris. As with Polaris, Alice can have different editor instances for different sets of files, but then she has to remember which editor instance to use for each file.
> If you take the Shell0 scope to be the (user perceived) 'user-global'
> scope, the amount of nodes available and the extent of the authority
> carried by these nodes would be greatly reduced, making both the
> for user error smaller and the ability of the user to maintain a mental
> overview of the tree graph better. Both these I feel would thus help to
> have Alice use POLA on herself, which just as with POLA for any active
> object should be beneficial IMO.
I think this description is confusing "permission" and "authority". The capabilities in Alice's Shell0 scope are the permissions she has. The set of rights reachable from those capabilities constitutes her authority. Accessing the permission to use Editor0 in Shell0 grants authority identical to that of having the appropriate permission to resume.txt in Shell0.
I'm not convinced about the mental model advantage, either. Alice must ask Editor0 to show her which files it edits. That's equivalent to traveling to an Editor0 directory in a file system, but with less flexibility on how files are organized.
Rob, I think your goal is laudable, which is why I'm spending time examining your approach. I'm just trying to understand how it can be made to work.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
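An added illustration, not part of the post above, of the permission/authority distinction Alan draws: direct permissions are the capabilities an object holds, authority is everything reachable by following capabilities transitively. The names Shell0, Editor0 and resume.txt come from the thread; the graph shape and the delegation variant are constructed.

```python
"""Permission vs. authority over a small object-capability graph (added example)."""
from collections import deque

# Constructed graph mirroring the thread: holder -> {capability name: object it designates}.
# Shell0 holds a capability to Editor0; Editor0 holds a capability to resume.txt.
GRAPH = {
    "Shell0": {"editor": "Editor0"},
    "Editor0": {"file": "resume.txt"},
    "resume.txt": {},
}


def permissions(graph, holder):
    """Permissions: the objects the holder's own capabilities designate directly."""
    return set(graph[holder].values())


def authority(graph, holder):
    """Authority: every object reachable from the holder by chaining capabilities."""
    reached, queue = set(), deque([holder])
    while queue:
        current = queue.popleft()
        for target in graph.get(current, {}).values():
            if target not in reached:
                reached.add(target)
                queue.append(target)
    return reached


def with_delegated_file(graph):
    """Constructed variant: Editor0 has delegated resume.txt directly into Shell0's scope."""
    copy = {holder: dict(caps) for holder, caps in graph.items()}
    copy["Shell0"]["resume"] = "resume.txt"
    return copy


if __name__ == "__main__":
    delegated = with_delegated_file(GRAPH)
    # Permission sets differ, but the authority over resume.txt is the same either way.
    print("permissions:", sorted(permissions(GRAPH, "Shell0")), "vs", sorted(permissions(delegated, "Shell0")))
    print("authority:  ", sorted(authority(GRAPH, "Shell0")), "vs", sorted(authority(delegated, "Shell0")))
```

Running it shows Shell0 reaching resume.txt through Editor0 even though resume.txt is not among Shell0's permissions, which is the point of the permission/authority distinction.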