[cap-talk] More Heresey: ACLs not inherently bad

Charles Landau clandau at macslab.com
Tue Sep 9 00:38:28 CDT 2008 

Jonathan S. Shapiro wrote:
> My point is that the execution environment of real-world applications
> tends to involve a very large number of objects that are conventionally
> organized using hierarchical name spaces (directories). It is only
> simple to provide these environments if the name spaces are conveyed to
> the applications as a single "root" capability. 

I'll accept for purpose of discussion that you want to run such programs 
in this way. I think I'm starting to understand one of your core issues:

> If selectivity becomes
> necessary, filtering at exec time becomes a burden on program startup,
> and it becomes better to filter dynamically.

and:

> And somewhere around O(20) capabilities, it
> becomes performance prohibitive to construct those organizations on the
> fly. 

I see at least three designs for passing many capabilities:

(1) Construct a directory containing the capabilities you want to pass, 
and pass the directory to the new process. As you say this is "a burden 
on program startup" and may be "performance prohibitive" because it 
constructs directory entries that may never be used.

(2) Pass an existing full directory/namespace and posit some ACL-like 
mechanism for restricting the new process's access to the objects named 
therein.

(3) Construct a directory-like object (whose behavior is described 
below) and pass a capability to it to the new process to use as its root 
directory/namespace. When the new process first attempts to fetch a 
subdirectory or leaf object from the directory-like object, the latter 
determines whether it wants the new process to have access to that 
object, and if so makes it available for that and subsequent requests. 
Most likely this decision would be the same as in design (1) above.

It seems to me that (3) addresses the performance issues of (1) 
mentioned above, without adding the complexity of an ACL mechanism. Or 
more precisely, it encapsulates the complexity of an access policy 
inside the directory-like object. This encapsulation allows it to be 
viewed as either an ACL mechanism, or (as I prefer) simply an 
optimization of design (1).

More information about the cap-talk mailing list