Push/Pull
Bryan Ford
baford@schirf.cs.utah.edu
Thu, 08 Dec 94 16:43:18 MST
> OK, I see. However, note that in the presence of external pagers,
> there is really no need for a "segment" or "composed memory object"
> to be a basic system abstraction at all - it can be implemented as
> an arbitrary layer between the "real" memory object and the kernel/VMM.
> The semantics of this intermediate "composition" layer can be whatever
> you want.
>
>I don't think you can get access rights correct if you go at it that
>way. The kernel needs to be able to determine what the access rights
>should be. Suppose it does this by asking the composed object's
>manager.
>
>Imagine that you are a hostile user. I hand you an RO segment. You
>compose it into a segment which you assert to the OS has RW access
>rights. Basically, the OS must know enough to ask MY segment manager
>rather than the composed segment manager.
This is a non-problem. To continue your example, I (the hostile user)
map the composed segment into my address space with RW access, and
the kernel happily obliges on the assumption that I'm telling the
truth about the permissions. If I actually try to write to that memory,
the kernel will allow that. But eventually the kernel will have to
flush the page back to the external pager: first it sends the page
to the (untrusted) segment manager, and then the segment manager
forwards the page on to the _real_ backing store manager, which fails
the page-out request because it knows that I only have RO permission.
So the page-out fails and I'm probably hosed - basically, by lying to
the kernel I can only hurt myself.
Bryan
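The page-out chain Bryan describes (kernel, untrusted segment manager, real backing store) as a constructed Python model; this is added here and is not code from the original thread. BackingStore, ComposedSegment and Kernel are assumed names, and capabilities are modelled as opaque handles whose rights are fixed by the backing store when granted.

```python
RO, RW = "ro", "rw"

class PageOutDenied(Exception): pass

class BackingStore:
    """The real memory object: the only place where write rights are decided."""
    def __init__(self):
        self.pages, self._caps = {}, {}  # stored pages; capability -> granted rights
    def grant(self, rights):
        cap = object()  # opaque handle; holders cannot alter the rights behind it
        self._caps[cap] = rights
        return cap
    def page_out(self, cap, page, contents):
        if self._caps.get(cap) != RW:
            raise PageOutDenied(page)
        self.pages[page] = contents

class ComposedSegment:
    """Untrusted middle layer: claims any rights to the kernel, but can only
    present the capability it really holds to the backing store."""
    def __init__(self, backing, cap, claimed_rights):
        self.backing, self.cap, self.claimed_rights = backing, cap, claimed_rights
    def page_out(self, page, contents):
        self.backing.page_out(self.cap, page, contents)

class Kernel:
    """Maps on the segment's word; dirty pages still flush to the real store."""
    def __init__(self, segment):
        self.segment, self.dirty = segment, {}
    def write(self, page, contents):
        if self.segment.claimed_rights != RW:
            raise PermissionError("mapped read-only")
        self.dirty[page] = contents  # succeeds in the page cache for now
    def flush(self):
        # Returns the pages the backing store refused; their contents are dropped.
        failed = []
        for page, contents in self.dirty.items():
            try:
                self.segment.page_out(page, contents)
            except PageOutDenied:
                failed.append(page)
        self.dirty.clear()
        return failed

def lying_user_scenario():
    store = BackingStore()
    ro_cap = store.grant(RO)  # "I hand you an RO segment"
    liar = ComposedSegment(store, ro_cap, claimed_rights=RW)  # user asserts RW
    kernel = Kernel(liar)
    kernel.write(7, b"tampered")  # the kernel obliges the claimed mapping
    return kernel.flush(), store.pages.get(7)  # ([7], None): the write never lands
```

The authoritative check sits with the object that owns the data, so a dishonest intermediary can only lose its own dirty pages, never widen its rights.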