[cap-talk] "ambient authority" on wiki.erights.org
David-Sarah Hopwood
david-sarah at jacaranda.org
Mon Jun 15 13:43:15 EDT 2009
Toby Murray wrote:
> On Mon, 2009-06-15 at 16:22 +0100, David-Sarah Hopwood wrote:
>> Note that this is a property of the request. For example, a system
>> could have one "ambient request" API in which a request succeeds if the
>> subject has any applicable permission [*], and another "non-ambient request"
>> API, in which the permissions must be specified explicitly.
> ...
>> [*] This is not just a theoretical possibility; L4 is a reified permission
>> system that is not (by the definitions I prefer) a capability system,
>> because it uses such an ambient API. I am not sure whether L4 also has
>> a non-ambient API.
>
> The Mungi "capability" OS is the other way around. It is nominally a
> capability-based system in which the capability to authorise a request
> is inferred by the system (by walking the c-list of a process) rather
> than being specified by the requestor.
Isn't that the same way around? Note that the L4 Iguana API, which is what
I imprecisely referred to as "L4" above, is a successor of Mungi. And I
should have said that it is not a pure capability system (whether it
counts as an impure one is debatable; it's in a grey area).
> One could also consider that read and write requests on memory in EROS
> etc. use ambient authority since the capability that authorises the read
> or write request is never designated (the ISA provides no means to do
> so!) but is inferred to exist if no page fault occurs that cannot be
> successfully handled (by the process's keeper if I'm remembering
> correctly.)
Yes, and also because addresses are not themselves capabilities (there
is no restriction on address arithmetic, for instance).
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
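As an added illustration, not part of the thread, of the distinction drawn above between an "ambient request" API that infers the authorising permission by walking the c-list and a "non-ambient" API in which the requestor designates the capability; the Kernel class, subject names and file names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """An unforgeable token: designates an object and the rights it conveys."""
    obj: str
    rights: frozenset


class Kernel:
    """Toy kernel (constructed for this example) holding a c-list per subject."""

    def __init__(self):
        self.clist = {}  # subject -> set of capabilities the subject holds

    def grant(self, subject, cap):
        self.clist.setdefault(subject, set()).add(cap)

    def ambient_request(self, subject, obj, op):
        # Ambient API: the caller names only object and operation. The kernel
        # walks the subject's c-list and succeeds if *any* held capability is
        # applicable, so the caller never says which authority it meant to use.
        return any(c.obj == obj and op in c.rights
                   for c in self.clist.get(subject, ()))

    def explicit_request(self, subject, cap, op):
        # Non-ambient API: the caller designates the capability to exercise.
        # A capability the caller does not hold is refused outright, even if
        # some other subject holds an identical one.
        if cap not in self.clist.get(subject, ()):
            return False
        return op in cap.rights


def demo():
    """Exercise both APIs with a deputy holding two capabilities (constructed)."""
    k = Kernel()
    log_cap = Capability("billing.log", frozenset({"write"}))
    out_cap = Capability("user.out", frozenset({"read", "write"}))
    k.grant("deputy", log_cap)
    k.grant("deputy", out_cap)
    k.grant("client", out_cap)  # the client holds only its own output file
    return {
        # ambient: permission inferred from whichever capability matches
        "ambient_deputy_log": k.ambient_request("deputy", "billing.log", "write"),
        "ambient_client_log": k.ambient_request("client", "billing.log", "write"),
        # explicit: the capability itself is named in the request
        "explicit_deputy_out": k.explicit_request("deputy", out_cap, "write"),
        "explicit_deputy_log_read": k.explicit_request("deputy", log_cap, "read"),
        "explicit_client_log": k.explicit_request("client", log_cap, "write"),
    }
```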