[cap-talk] More Heresy: ACLs not inherently bad
Jonathan S. Shapiro
shap at eros-os.com
Sun Sep 14 16:30:06 CDT 2008
On Sun, 2008-09-14 at 12:36 -0700, Mark Miller wrote:
> On Sun, Sep 14, 2008 at 12:26 PM, Jonathan S. Shapiro
> <shap at eros-os.com> wrote:
> > Finally, we have long since agreed that no feasible design exists for a
> > transitively extended horton-style membrane in an OS-based capability
> > system.
>
> IIRC, the argument that horton is impractical in an OS-based ocap
> system is really: We have no good answers about who pays for the extra
> allocations or gets to reclaim that memory. In other list traffic, it
> seems like you're starting to consider OS design points which are
> somewhat sloppy on memory accounting issues. If the memory accounting
> constraints are relaxed, the horton question should be revisited.
Perhaps.
But another large issue is the simple system call overhead and the fact
that no proposed Horton protocol is recoverable in the right ways when
transitive grants across parties occur, which is part of the problem in
my previously identified scenario. I see no reason to believe that the
presence or absence of memory accounting impacts the recovery problem
one way or the other.
shap