>The one challenge with using
>them, though, is that it completely guts your hope of being POSIX.1
>compatible. For example, the open() system call must now take a new
>argument, which is the capability. So does unlink(), and rename(), and
>bind(), and accept().....
Actually, *these* system calls aren't the problem, as most of them take file descriptors, which are capabilities.
The question comes down to: do you want to facilitate secure collaboration, or do you want to run POSIX apps. Pick one, because you cannot do both.
>On the flip side, the lack of compatibility means that you lose all of the
>Unix utilities (the GNU suite of utilities, the X window system, etc.).
It's surprising how well a compatibility box works. The truth is that most of your day to day environment can stay in POSIX without much of a problem. Especially when your compatibility box is about the same speed as the real POSIX system.
Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595
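As an added illustration of the point that file descriptors already are capabilities (this is example code, not part of the e-mail above and not EROS code): the POSIX.1-2008 *at() calls have exactly the shape the quoted text objects to. openat(), renameat() and unlinkat() each take a directory descriptor plus a path relative to it, so a caller that holds only the descriptor can create, rename and remove files inside that directory without ever naming the directory. The helper names (sandbox_*) are hypothetical; the scratch directory under /tmp is constructed by the program itself.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not from the original message. Every file operation below
 * goes through dirfd: the descriptor is the unforgeable token that authorises
 * access, it was handed to us by whoever opened the directory, and it could
 * be passed to another process over fork() or SCM_RIGHTS. The sandbox_*
 * names are hypothetical helpers written for this example. */

/* Create a file under dirfd, write data, then atomically publish it under
 * finalname via a same-directory rename. Returns 0, or -1 with errno set. */
int sandbox_write_then_rename(int dirfd, const char *tmpname,
                              const char *finalname, const char *data)
{
    int fd = openat(dirfd, tmpname, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        unlinkat(dirfd, tmpname, 0);   /* clean up the partial file */
        return -1;
    }
    if (close(fd) < 0) return -1;
    /* rename takes the directory capability on both sides, not a path root */
    return renameat(dirfd, tmpname, dirfd, finalname);
}

/* Read a file back through the same descriptor. Returns bytes read or -1. */
ssize_t sandbox_read(int dirfd, const char *name, char *buf, size_t buflen)
{
    int fd = openat(dirfd, name, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Make a private scratch directory (constructed test fixture) and return a
 * descriptor to it; the directory's path is written to path_out. */
int sandbox_open_scratch(char *path_out, size_t len)
{
    snprintf(path_out, len, "%s", "/tmp/captest.XXXXXX");
    if (mkdtemp(path_out) == NULL) return -1;
    return open(path_out, O_RDONLY | O_DIRECTORY);
}

/* Full round trip: create, publish, read back, confirm the temp name is gone.
 * Returns 0 when every step behaved as a capability-scoped API should. */
int sandbox_demo(void)
{
    char dir[64];
    int dirfd = sandbox_open_scratch(dir, sizeof dir);
    if (dirfd < 0) return -1;

    int rc = sandbox_write_then_rename(dirfd, "out.tmp", "out.txt", "hello\n");
    char buf[32];
    if (rc == 0 && sandbox_read(dirfd, "out.txt", buf, sizeof buf) != 6) rc = -1;
    if (rc == 0 && strcmp(buf, "hello\n") != 0) rc = -1;
    /* after the rename the temporary name must no longer resolve */
    if (rc == 0 && openat(dirfd, "out.tmp", O_RDONLY) >= 0) rc = -1;

    unlinkat(dirfd, "out.txt", 0);
    close(dirfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = sandbox_demo();
    printf("capability-style round trip: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The caveat a practitioner should keep in mind: on a stock Linux kernel the descriptor is capability-shaped but not capability-enforced, because openat() still accepts absolute paths and AT_FDCWD, and ".." is not blocked. FreeBSD's Capsicum closes that hole after cap_enter(), which is the point at which the descriptor becomes the only route to the directory.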