[cap-talk] More Heresy: ACLs not inherently bad

Jed Donnelley capability at webstart.com
Tue Sep 9 11:34:04 CDT 2008


At 08:12 AM 9/9/2008, Charles Landau wrote:
>Jed Donnelley wrote:
> > Charlie,
> >
> > I'm just trying to understand what you describe:
> >
> > At 10:38 PM 9/8/2008, Charles Landau wrote:
> >> ...
> >> (3) Construct a directory-like object (whose behavior is described
> >> below) and pass a capability to it to the new process to use as its root
> >> directory/namespace. When the new process first attempts to fetch a
> >> subdirectory or leaf object from the directory-like object, the latter
> >> determines whether it wants the new process to have access to that
> >> object, and if so makes it available for that and subsequent requests.
> >
> > When you say, "the latter <I assume the subdirectory or leaf object>
> > determines whether it wants the new process to have access..."
>
>I meant "the latter, i.e. the directory-like object". The subdirectory
>or leaf object isn't being invoked at that point, you are only fetching
>a capability to it.

Sorry - I was clear on that.  I shouldn't have included the leaf
object in the above <> (see below as to what I was thinking).  What
I don't understand is how such a directory-like object distinguishes
between a fetch by the "new process" from a fetch by some other
process (old process).  Are you imagining some Horton-like mechanism
where the relevant processes get different capabilities to the
directory-like object so that the directory-like object can
distinguish the fetches?

E.g. when you say in response to JonathanS:

At 08:20 AM 9/9/2008, Charles Landau wrote:

>The directory-like object is constructed to have a policy based on
>what you choose to give to the new process.

it seems to me you are suggesting that the "new process" has some
capability to the directory-like object that is different from
that which some other (old) process has.  In this case, however,
when the new process fetches a directory-like object from
the directory-like object capability that it has, it seems
that the returned second directory-like object capability
must be different from that which would be fetched by the
old process making the same fetch.  It would seem that the
second directory-like object must inherit the "new process"ness
if future fetches by the new process on the newly fetched
directory-like object are to be able to enforce an appropriate
policy (distinguish between that directory-like object fetched
by new-process from that fetched by old-process)?

Am I way off on this?  I'm just trying to figure out how
your proposed mechanism works.  I may still have Horton
on the brain.

--Jed  http://www.webstart.com/jed-signature.html  
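An added example, not part of Jed's message or of the cap-talk thread, that models the design under discussion: the directory-like object as a policy-carrying proxy whose fetched subdirectories inherit the same policy, so the "new process"-ness travels with the capability and no caller identity is needed. Class and function names (RawDirectory, PolicyDirectory, new_process_root) and the sample tree are assumptions for illustration.

```python
class RawDirectory:
    """Plain hierarchical store: what the 'old process' holds directly."""
    def __init__(self, entries):
        self.entries = entries  # name -> RawDirectory or leaf string

    def fetch(self, name):
        return self.entries[name]


class PolicyDirectory:
    """Directory-like object handed to the new process (assumed design).

    It decides on each fetch whether the entry may be seen. The policy is
    a set of path tuples the new process may reach; a fetched subdirectory
    is re-wrapped with the same policy, so every capability obtained
    through this one inherits the restriction. The distinction between
    new and old process lives in which capability is invoked, not in
    who is calling.
    """
    def __init__(self, raw, allowed, path=()):
        self._raw = raw
        self._allowed = allowed
        self._path = path

    def _permitted(self, full):
        # Allow an entry that lies on the way to an allowed path, or
        # anything at or beneath an allowed path.
        n = len(full)
        return any(p[:n] == full or full[:len(p)] == p for p in self._allowed)

    def fetch(self, name):
        full = self._path + (name,)
        if not self._permitted(full):
            raise PermissionError("/" + "/".join(full))
        obj = self._raw.fetch(name)
        if isinstance(obj, RawDirectory):
            return PolicyDirectory(obj, self._allowed, full)  # inherits policy
        return obj


def build_tree():
    """Constructed sample tree (not real data)."""
    return RawDirectory({
        "etc": RawDirectory({"passwd": "leaf:etc/passwd",
                             "shadow": "leaf:etc/shadow"}),
        "home": RawDirectory({"alice": RawDirectory({"notes": "leaf:home/alice/notes"})}),
    })


def new_process_root():
    """Root capability for the new process: /etc/passwd and all of /home/alice."""
    return PolicyDirectory(build_tree(), {("etc", "passwd"), ("home", "alice")})
```

The old process, holding the RawDirectory directly, still reaches /etc/shadow; the new process cannot, even after fetching /etc through its own root.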
