[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Fri Jan 1 18:50:08 PST 2010


Rob Meijer wrote:
> On Thu, December 31, 2009 01:09, Marcus Brinkmann wrote:
> If we assume however that it is quite possible for many programs to run
> perfectly without any implicit access to /proc/$mypid, and thus can
> restrict quite a lot of programs so that they don't have access to this,
> then it remains useful if we could be able to create unnamed files without
> using a shared namespace.

If programs in general don't have access to /proc (but some programs do) then
you are giving up on the concept of a globally shared namespace, and you can
just go all the way and give each process its own /tmp directory.  You
mentioned that this is already done by MinorFS.

The utility of anonymous files seems dubious, as it makes it hard to account
for resource usage properly.  This seems to be rather a misfeature of Unix.
You are probably better off using named files or, depending on usage,
anonymous (or shared) memory+fopencookie/funopen.  An important class of use
cases for dir_mkfile in the Hurd are atomic operations (files created with
content).  For this, the traditional tmpfile+rename based approach is
certainly usable, and a more ambitious solution would be a transaction-based
filesystem interface.  None of this is directly related to security issues,
though (if implemented correctly).

Thanks,
Marcus
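The "tmpfile+rename" approach Marcus mentions, written out as an added example (this is not code from the original post, nor the Hurd's dir_mkfile implementation). It assumes a POSIX system; the helper names atomic_write_file and read_whole_file, the temporary-name suffix ".tmp.XXXXXX" and the demo path under /tmp are all hypothetical choices for the example. The security-relevant details are that the temporary is created in the same directory as the target (rename(2) is only atomic within one filesystem), that mkstemp opens it with O_EXCL and mode 0600 so a hostile writer in that directory cannot plant a symlink or read the data before it is published, and that the content is fsync'd before the name becomes visible.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* atomic_write_file (hypothetical helper for this example): publish `len`
 * bytes of `data` under `path` so that a reader sees either the previous
 * file or the complete new one, never a half-written file.
 * Returns 0 on success, -1 on failure with errno set. */
int atomic_write_file(const char *path, const void *data, size_t len)
{
    char tmpl[4096], dircopy[4096];
    int fd, dfd;

    /* Same directory as the target: rename(2) cannot cross filesystems. */
    if (snprintf(tmpl, sizeof tmpl, "%s.tmp.XXXXXX", path) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkstemp uses O_CREAT|O_EXCL and mode 0600: no symlink race, and the
     * unpublished content is not readable by other users. */
    fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;

    const char *p = data;
    size_t left = len;
    while (left > 0) {
        ssize_t n = write(fd, p, left);   /* short writes are legal */
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        p += n;
        left -= (size_t)n;
    }
    if (fsync(fd) < 0)                    /* data durable before the name is */
        goto fail;
    if (close(fd) < 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    if (rename(tmpl, path) < 0)           /* the atomic step */
        goto fail;

    /* Persist the directory entry too, or the rename may be lost on a crash
     * even though the data itself reached the disk. */
    snprintf(dircopy, sizeof dircopy, "%s", path);
    dfd = open(dirname(dircopy), O_RDONLY);
    if (dfd >= 0) {
        fsync(dfd);
        close(dfd);
    }
    return 0;

fail:
    {
        int saved = errno;
        if (fd >= 0)
            close(fd);
        unlink(tmpl);                     /* never leave the partial file behind */
        errno = saved;
        return -1;
    }
}

/* read_whole_file (hypothetical helper): read `path` into a malloc'd buffer
 * (not NUL-terminated). Returns the byte count or -1; caller frees *out. */
long read_whole_file(const char *path, char **out)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t cap = 4096, n = 0, r;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return -1; }
    while ((r = fread(buf + n, 1, cap - n, f)) > 0) {
        n += r;
        if (n == cap) {
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); fclose(f); return -1; }
            buf = nb;
        }
    }
    fclose(f);
    *out = buf;
    return (long)n;
}

int main(void)
{
    const char *path = "/tmp/cap_talk_atomic_demo.txt";   /* constructed path */
    if (atomic_write_file(path, "hello, world\n", 13) < 0) {
        perror("atomic_write_file");
        return 1;
    }
    char *buf = NULL;
    long n = read_whole_file(path, &buf);
    printf("%ld bytes published atomically: %.*s", n, (int)n, buf);
    free(buf);
    unlink(path);
    return 0;
}
```

A concurrent reader that opens the target path at any moment gets a complete file, old or new; what this does not give you is transactions spanning several files, which is the "more ambitious" interface Marcus alludes to.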
