[cap-talk] Modelling capability manipulation
Neal H. Walfield
neal at walfield.org
Thu Nov 20 16:57:50 CST 2008
I've gotten the (perhaps incorrect) impression that an
object-capability system ought to implement exactly one system
call---ipc / object invocation---and that all other functionality
ought to be made available by way of this primitive.

What then is the right way to think about capability copy? The
"natural" syntax is:

cap_copy (target_slot, source_capability)

However, what object is being invoked? We are not invoking the object
designated by target_slot. Indeed, target_slot may not even contain a
capability that designates an object. Rather, we are invoking the
object that contains the slot target_slot with source_capability and
the residual symbolic address after looking up that object. That is,
a more accurate interface would be:

cap_copy (object, source_capability, index)

On Viengoos, for a programmer to identify the object that contains
source_capability, he must essentially walk the address space. The
alternative is to bundle this information. I find this solution
deeply dissatisfying.

What is the right way to expose and think about interfaces such as
cap_copy?

Thanks,
Neal
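A small model of the second interface from the post, cap_copy (object, source_capability, index), as added example code that is neither the author's nor Viengoos code: the address space is a tree of cappages, a symbolic address is a path of slot indices, and cap_copy resolves the target to the containing cappage plus the residual index and then operates on that container, so the target slot's own contents never matter. The slot layout, SLOTS, the cap representation and the object id are assumptions of this model.

```c
#include <stdio.h>
#define SLOTS 4   /* slots per cappage; small constructed value for the example */
enum cap_type { CAP_VOID, CAP_CAPPAGE, CAP_OBJECT };
struct cappage;
struct cap { enum cap_type type; struct cappage *page; int object_id; };
struct cappage { struct cap slot[SLOTS]; };
/* Walk the address space: follow all but the last index through cappage
   capabilities; return the cappage holding the final slot and leave that
   last index, the residual address, in *residual. NULL if the walk fails. */
static struct cappage *resolve(struct cappage *root, const int *path,
                               int depth, int *residual)
{
  struct cappage *page = root;
  if (depth < 1) return NULL;
  for (int i = 0; i < depth; i++) {
    if (path[i] < 0 || path[i] >= SLOTS) return NULL;   /* bad index */
    if (i == depth - 1) break;                          /* last index is residual */
    struct cap *c = &page->slot[path[i]];
    if (c->type != CAP_CAPPAGE) return NULL;   /* path runs through a non-container */
    page = c->page;
  }
  *residual = path[depth - 1];
  return page;
}

/* cap_copy as an invocation on the containing object: the current contents
   of the target slot are never consulted, so it may be void. */
static int cap_copy(struct cappage *root, const int *target, int depth,
                    struct cap source)
{
  int index;
  struct cappage *container = resolve(root, target, depth, &index);
  if (container == NULL) return -1;
  container->slot[index] = source;   /* the real operation, on the container */
  return 0;
}

/* Constructed scenario: root slot 1 -> child cappage; copy an object cap to
   child slot 2 (void beforehand) and report the object id now found there. */
int demo(void)
{
  static struct cappage root, child;   /* zero-initialised: every slot void */
  root.slot[1] = (struct cap){ CAP_CAPPAGE, &child, 0 };
  int target[] = { 1, 2 };
  if (cap_copy(&root, target, 2, (struct cap){ CAP_OBJECT, NULL, 42 }) != 0)
    return -1;
  return child.slot[2].type == CAP_OBJECT ? child.slot[2].object_id : -1;
}
int main(void) { printf("object id at target: %d\n", demo()); return 0; }
```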