[cap-talk] More Heresy: ACLs not inherently bad
Charles Landau
clandau at macslab.com
Tue Sep 9 22:30:43 CDT 2008
Jed Donnelley wrote:
> At 08:12 AM 9/9/2008, Charles Landau wrote:
>> Jed Donnelley wrote:
>>> Charlie,
>>>
>>> I'm just trying to understand what you describe:
>>>
>>> At 10:38 PM 9/8/2008, Charles Landau wrote:
>>>> ...
>>>> (3) Construct a directory-like object (whose behavior is described
>>>> below) and pass a capability to it to the new process to use as its root
>>>> directory/namespace. When the new process first attempts to fetch a
>>>> subdirectory or leaf object from the directory-like object, the latter
>>>> determines whether it wants the new process to have access to that
>>>> object, and if so makes it available for that and subsequent requests.
>>> When you say, "the latter <I assume the subdirectory or leaf object>
>>> determines whether it wants the new process to have access..."
>> I meant "the latter, i.e. the directory-like object". The subdirectory
>> or leaf object isn't being invoked at that point, you are only fetching
>> a capability to it.
>
> Sorry - I was clear on that. I shouldn't have included the leaf
> object in the above <> (see below as to what I was thinking). What
> I don't understand is how such a directory-like object distinguishes
> between a fetch by the "new process" from a fetch by some other
> process (old process). Are you imagining some Horton-like mechanism
> where the relevant processes get different capabilities to the
> directory-like object so that the directory-like object can
> distinguish the fetches?
Each time you pass a different set of capabilities to a process, you
construct a new directory-like object that will give access to that set.
So in general, different processes will receive capabilities to
different directory-like objects. It needn't use Horton.
> E.g. when you say in response to JonathanS:
>
> At 08:20 AM 9/9/2008, Charles Landau wrote:
>
>> The directory-like object is constructed to have a policy based on
>> what you choose to give to the new process.
>
> it seems to me you are suggesting that the "new process" has some
> capability to the directory-like object that is different from
> that which some other (old) process has.
They have capabilities to different directory-like objects.
> In this case, however, when the new process fetches a
> capability to a sub-directory-like object from
> the directory-like object capability that it has, it seems
> that the returned second directory-like object capability
> must be different from that which would be fetched by the
> old process making the same fetch. It would seem that the
> second directory-like object must inherit the "new process"ness
> if future fetches by the new process on the newly fetched
> directory-like object are to be able to enforce an appropriate
> policy (distinguish between that directory-like object fetched
> by new-process from that fetched by old-process)?
Yes, the sub-directories must also be different, unless they happen to
grant the same access.
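The per-process directory-like object and the sub-directory behaviour described in this message, as an added example written for this page (not code from the thread or from any cap-talk system); the backing tree, the `granted` path set, `RestrictedDirectory` and `make_namespace` are assumptions:

```python
# Added example (not from the thread): a per-process directory-like object
# built around the paths that process was granted; sub-directories fetched
# from it are new directory-like objects carrying the same grant.
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised when the directory-like object declines to hand out a capability."""

@dataclass(frozen=True)
class Leaf:
    name: str  # a leaf object: only a capability to it is fetched, it is never invoked

class RestrictedDirectory:
    """One level of a backing tree (nested dicts of Leaf/dict, an assumed stand-in
    for a real object store); exposes only paths covered by the grant."""

    def __init__(self, backing, granted, prefix=()):
        self._backing = backing      # name -> Leaf or nested dict
        self._granted = granted      # frozenset of path tuples this process may reach
        self._prefix = prefix        # path of this directory within the tree
        self._handed_out = {}        # name -> capability, reused on later fetches

    def _permits(self, path):
        # Allowed if the path lies under a grant, or is an ancestor of one
        # (so the process can traverse towards what it was given).
        return any(g[:len(path)] == path or path[:len(g)] == g
                   for g in self._granted)

    def fetch(self, name):
        if name in self._handed_out:     # "that and subsequent requests"
            return self._handed_out[name]
        if name not in self._backing:
            raise KeyError(name)
        path = self._prefix + (name,)
        if not self._permits(path):
            raise AccessDenied("/".join(path))
        target = self._backing[name]
        cap = (RestrictedDirectory(target, self._granted, path)
               if isinstance(target, dict) else target)
        self._handed_out[name] = cap
        return cap

def make_namespace(backing, granted_paths):
    # A fresh root object per process: different grants, different objects.
    return RestrictedDirectory(backing, frozenset(tuple(p) for p in granted_paths))

# Constructed sample tree, shared by every process's namespace.
SAMPLE_TREE = {"etc": {"passwd": Leaf("passwd"), "shadow": Leaf("shadow")},
               "home": {"alice": {"notes": Leaf("notes")}}}
```

Two processes given different grants receive distinct root objects, and the "etc" sub-directory each fetches is likewise a distinct object enforcing its own process's grant.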