[cap-talk] A Taxonomy of Current Object-Cap Systems

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Fri Mar 6 08:11:46 EST 2009

Rob Meijer wrote:
> On Thu, March 5, 2009 17:36, David Wagner wrote:
>> Rob Meijer wrote:
>>> In the light of recent discussions possibly:
>>> * Linux + AppArmor + UNIX domain sockets.
>>> AppArmor can be used to remove ambient authority on Linux. UNIX domain
>>> sockets can be used for IPC and can transfer other UNIX domain sockets.
>>> I feel the combination of these two would qualify as a rudimentary
>>> object
>>> capability system, that is however pretty wide spread (Ubuntu + Suse).
>>> It is currently indeed possible but pretty hard to write code for this
>>> system today.
>> I think this is a real stretch.
>> AppArmor is not an objcap system.  It's permissions are based
>> upon pathnames.
>> I don't think "could be used as a basis to build an objcap system"
>> is the same as "a working objcap system where it is possible to write
>> workin gcode today".
> In my view UNIX domain sockets when used for IPC have all the properties
> needed to be considered object capabilities.

That's not the point. A lot of work would be required to construct a
working objcap system from these ingredients.

"Linux + AppArmor + UNIX domain sockets" is not an objcap system any
more than "eggs + sugar + flour + butter" is a wedding cake.

David-Sarah Hopwood ⚥

More information about the cap-talk mailing list