[cap-talk] Capabilities for immutable data
Rob Meijer
capibara at xs4all.nl
Wed Feb 23 01:39:54 PST 2011
On Wed, February 23, 2011 00:08, David Wagner wrote:
> Sandro Magi wrote:
>> Consider a trusted program that executes an untrusted sub-program by
>> providing it with a file handle. With the deferred I/O implementation
>> and your definitions, we would conclude that the trusted program caused
>> invalid data to be written to the file, since the untrusted program did
>> not wield any capabilities.
>
> I didn't follow the example.
>
> Do you mean a program written in an object capability language, like
> Joe-E? When you say file handle, do you mean, e.g., a reference to a
> File object? If yes, then a File reference is indeed a capability.
>
> If by file handle, you mean a small integer, then how does the
> untrusted sub-program cause I/O to happen? In an object capability
> system, an integer does not provide authority to cause I/O; the
> untrusted code has to have some other source of authority (e.g.,
> a capability which the untrusted code passes the integer to).
A file handle is a handle. It can be passed to other processes as an act
of delegation. It holds the permission to use the file in a way determined
by the process that created it. It's a capability. It's an object
capability. Don't confuse the fact that the handle within a process has
an integer representing it with the file handle being the integer.
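As an added example (not code from the thread), the following C program shows the distinction drawn above: a parent delegates an open file to a forked child over a Unix socket with SCM_RIGHTS. The child first closes its inherited copy of the descriptor, so the bare integer no longer grants anything; only the handle the kernel installs via recvmsg() restores access, under a new integer. The function names are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
/* Send one descriptor over a Unix socket as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    char byte = 'x', cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = {0};
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive a descriptor; the kernel installs it in a fresh slot of OUR table. */
static int recv_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = {0};
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* 1 when the child cannot read via the bare integer but can via the delegated handle. */
int delegate_file_demo(void) {
    int sv[2]; FILE *f = tmpfile();
    if (!f || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    fputs("secret", f); fflush(f); int fd = fileno(f);
    pid_t pid = fork();
    if (pid == 0) {
        char tmp[8]; close(fd);                /* the integer alone now grants nothing */
        int dead = (int)pread(fd, tmp, 6, 0);  /* -1, EBADF */
        int got = recv_fd(sv[1]);              /* delegated handle, new integer */
        int n = got >= 0 ? (int)pread(got, tmp, 6, 0) : -1;
        _exit(dead < 0 && n == 6 && memcmp(tmp, "secret", 6) == 0 ? 0 : 1);
    }
    send_fd(sv[0], fd);
    int status = 1; waitpid(pid, &status, 0);
    fclose(f); close(sv[0]); close(sv[1]);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

The child's received integer may or may not equal the parent's; what it refers to is the same kernel-side open file, which is what was actually delegated.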