[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Sun Jan 17 07:30:46 PST 2010


David-Sarah Hopwood wrote:
>> The utility of anonymous files seems dubious, as it makes it hard to account
>> for resource usage properly.  This seems to be rather a misfeature of Unix.
> 
> Not really. You need a way to account for resources (including memory
> segments) held by processes and not linked into the filesystem, anyway.
> So files held open by a process can just be accounted to that process.
> Files linked from multiple places should be accounted to all of those
> places (each for the full size).

In Unix, the traditional way is to attribute the disk blocks to the user's
disk quota, and that should already work out as expected.

But I don't think there is a kernel interface to be able to associate unnamed
disk blocks with open file descriptors that hold on to them, and thus the
chain of information is broken for the user at that point (the kernel still
knows what's going on).  The user then can only find out what's going on in a
destructive manner (close the fd and check if that releases the disk space) or
by some heroic forensic effort.

This is a defect in the kernel interface that could be fixed, of course.  One
"just" needs to change the kernel and write, test, publish and teach about
tools that make this information detectable.  However, the absence of such
tools (and the kernel interface to base them on) in this particular case shows
that there is a diminishing return for such niche features.

Capability design theory suggests that the whole system is built from
individual objects, each potentially having its own interface and
implementation, thus creating an explosion of niches.  This has the potential
to drive up the cost of tool development and makes me think that "just" is
potentially a gross understatement.  Every individual issue may "just" be
fixable in a simple manner, but they all add up to a big pile.  There is a lot
of value in the Unix ideal that "everything is a file" (even if that ideal is
not fully realized).

Thanks,
Marcus
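The situation Marcus describes, as an added example that is not part of the post or of any cap-talk code: a process fills a file, keeps it open, and unlinks it. The example records what fstat(2) still reports through the open descriptor (the kernel's side of the chain) against what the filesystem namespace and the free-space counters show, then performs the destructive check he mentions, closing the descriptor and measuring whether space came back. The names anonymous_file_demo and statvfs_free_bytes are mine; the /proc/self/fd lookup is Linux-specific and is assumed to be available (it is skipped elsewhere).

```python
import os
import shutil
import tempfile

# Constructed example, not from the cap-talk post: hold a file open, unlink it,
# and compare what the kernel still reports through the descriptor with what
# the namespace and the free-space counters (what df reads) show.


def statvfs_free_bytes(path):
    """Free bytes on the filesystem containing `path`, as statvfs(3) reports them."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize


def anonymous_file_demo(size_bytes=1 << 20):
    """Create, fill and fsync a file, keep it open, unlink it, then close it.

    Returns a dict of observations so a caller (or a test) can inspect them.
    """
    workdir = tempfile.mkdtemp(prefix="anonfile-")
    path = os.path.join(workdir, "scratch.bin")
    obs = {}
    try:
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            os.write(fd, os.urandom(size_bytes))
            os.fsync(fd)  # force block allocation; defeats delayed allocation
            before = os.fstat(fd)
            obs["nlink_before_unlink"] = before.st_nlink  # 1: one name in the tree
            free_before = statvfs_free_bytes(workdir)

            os.unlink(path)  # the name is gone; the inode lives on via the fd
            after = os.fstat(fd)
            obs["nlink_after_unlink"] = after.st_nlink  # 0: no names left at all
            obs["size_after_unlink"] = after.st_size  # data still there
            obs["blocks_after_unlink"] = after.st_blocks  # blocks still allocated
            obs["path_exists_after_unlink"] = os.path.exists(path)
            # Free space should not move on unlink: the blocks are still held.
            obs["freed_by_unlink"] = statvfs_free_bytes(workdir) - free_before

            # Linux-specific (assumption: procfs is mounted): the kernel exposes
            # the dangling name through the fd's symlink, suffixed "(deleted)".
            link = "/proc/self/fd/%d" % fd
            obs["proc_fd_target"] = os.readlink(link) if os.path.islink(link) else None
        finally:
            os.close(fd)  # the destructive check: drop the last reference
        # Only now does the filesystem get its blocks back.
        obs["freed_by_close"] = statvfs_free_bytes(workdir) - free_before
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return obs


if __name__ == "__main__":
    for key, value in anonymous_file_demo().items():
        print("%-24s %r" % (key, value))
```

The link count dropping to zero while st_size and st_blocks stay put is exactly the state the post is about: the kernel knows the blocks belong to that descriptor, but a user looking at the tree sees nothing, and freed_by_unlink stays near zero until the close.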
