[cap-talk] "ambient authority" on wiki.erights.org
Toby Murray
toby.murray at comlab.ox.ac.uk
Mon Jun 15 11:52:22 EDT 2009
On Mon, 2009-06-15 at 16:22 +0100, David-Sarah Hopwood wrote:
> Note that this is a property of the request. For example, a system
> could have one "ambient request" API in which a request succeeds if the
> subject has any applicable permission [*], and another "non-ambient request"
> API, in which the permissions must be specified explicitly.
...
> [*] This is not just a theoretical possibility; L4 is a reified permission
> system that is not (by the definitions I prefer) a capability system,
> because it uses such an ambient API. I am not sure whether L4 also has
> a non-ambient API.
The Mungi "capability" OS is the other way around. It is nominally a
capability-based system in which the capability to authorise a request
is inferred by the system (by walking the c-list of a process) rather
than being specified by the requestor.
One could also consider that read and write requests on memory in EROS
etc. use ambient authority, since the capability that authorises the read
or write request is never designated (the ISA provides no means to do
so!) but is inferred to exist if no page fault occurs that cannot be
successfully handled (by the process's keeper, if I'm remembering
correctly).
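The following is an added illustration, not code from this thread and not code from L4, Mungi or EROS. It is a toy reified-permission system with the two request APIs the discussion contrasts: an "ambient" request that names only the object and operation, leaving the system to walk the subject's c-list and grant the request if any held capability authorises it (the inference described for Mungi), and a "non-ambient" request in which the requestor designates the capability to be exercised and only that capability is consulted. All names in it (Capability, Subject, ambient_request, explicit_request, the slot-indexed c-list) are invented for the example.

```python
# Added example, not code from the cap-talk thread or from Mungi/EROS/L4:
# a toy reified-permission system with the two request APIs discussed above.
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference naming one object plus the rights it confers."""
    object_id: str
    rights: FrozenSet[str]


@dataclass
class Subject:
    """A process; the only authority it holds is the capabilities in its c-list."""
    name: str
    clist: List[Capability] = field(default_factory=list)


class AccessDenied(Exception):
    pass


def ambient_request(subject: Subject, object_id: str, op: str) -> Tuple[int, Capability]:
    """Ambient API: the requestor names only the object and the operation.

    The system walks the subject's c-list and grants the request if ANY held
    capability authorises it, returning the c-list slot it inferred. The
    requestor never says which capability it meant to exercise.
    """
    for slot, cap in enumerate(subject.clist):
        if cap.object_id == object_id and op in cap.rights:
            return slot, cap
    raise AccessDenied(f"{subject.name}: no capability for {op!r} on {object_id!r}")


def explicit_request(subject: Subject, slot: int, op: str) -> Capability:
    """Non-ambient API: the requestor designates the capability to exercise.

    Only the designated c-list entry is consulted; the object is whatever that
    capability names, and the request fails if that capability lacks the right,
    even when another entry in the same c-list would have sufficed.
    """
    if not 0 <= slot < len(subject.clist):
        raise AccessDenied(f"{subject.name}: c-list slot {slot} is empty")
    cap = subject.clist[slot]
    if op not in cap.rights:
        raise AccessDenied(
            f"{subject.name}: slot {slot} names {cap.object_id!r} without {op!r}")
    return cap


def is_denied(request: Callable[..., object], *args: object) -> bool:
    """True if the request raises AccessDenied, False if it is granted."""
    try:
        request(*args)
    except AccessDenied:
        return True
    return False


def demo() -> dict:
    # Constructed sample: one subject holding two capabilities to the same object.
    read_only = Capability("file1", frozenset({"read"}))
    read_write = Capability("file1", frozenset({"read", "write"}))
    alice = Subject("alice", [read_only, read_write])  # slot 0, slot 1

    return {
        # Ambient: "write file1" succeeds; the system inferred slot 1.
        "ambient_write_slot": ambient_request(alice, "file1", "write")[0],
        # Ambient: no capability for file2 anywhere in the c-list.
        "ambient_other_denied": is_denied(ambient_request, alice, "file2", "read"),
        # Explicit: writing via the read-only capability is refused, although
        # slot 1 would have authorised the same operation on the same object.
        "explicit_ro_denied": is_denied(explicit_request, alice, 0, "write"),
        # Explicit: designating the read-write capability is granted.
        "explicit_rw_object": explicit_request(alice, 1, "write").object_id,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two APIs are checked against the same c-list, so the difference is purely a property of the request, as the quoted message puts it: the ambient call is granted whenever some capability would do, while the explicit call with the read-only slot is refused even though the same subject could have written the file by designating the other slot.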