Re: [patch 2.1.97] more capabilities support
Alexander Kjeldaas (astor@guardian.no)
Wed, 22 Apr 1998 17:20:18 +0200
On Wed, Apr 22, 1998 at 04:42:39AM +0200, Andrej Presern wrote:
>
> You have three objects, A, B and C that want to access object D, created
> and held by object E. In the beginning, neither A, B or C has the
> ability to access D.
>
> Obviously, E is the one who controls who gets to access D. If A, B or C
> want to access D, they will need E's permission. E is a friend of A and
> B and it will give them access to D. However, E doesn't like C and
> refuses to give it access to D. So E now needs to implement access
> control to selectively give access to D.
>
> One way to do this is to create a list of objects who are allowed to
> access D.
>
> Then E puts A and B on the list, while leaving out C. Now if A or B want
> to access D, they must contact E and E must look them up in the list so
> that it can verify that A and B are indeed entitled to access. If the
> object that wants access has been found on the list, E executes function
> f(D), which performs the requested action on D. The key notion here is
> 'look them up' and 'verify', which means that resources need to be used
> for authority checking before performing an action on D.
>
> An alternative way to do this is to use pure capabilities.
>
> Instead of keeping a list and then performing f(D) for objects that are
> on the list, E could create a 'capability' to D and then give that out
> to A and B. A capability identifies the object (D) _and_ describes the
> action (f) that will be performed on D. When A or B want to excercise
> their authority over D, they invoke the capability to D to trigger the
> defined action.
>
To put this in some more context..
File descriptors is the closest match to pure capabilities that we
currently have in the kernel.
When we open a file, we get a file descriptor which is a capability
identifying the object _and_ the action(s) that can be performed on
the object. This means that the kernel doesn't have to do extensive
checks for authority on each read and write operation. It is an
optimization. A file descriptor can be transferred from one process to
another by going through the kernel (which we in most cases is what we
want to do when we implement pure capabilities too, unless we want to
play MMU tricks). A file descriptor can also be revoked.
So pure capabilities is a kind of generalization of something we are
already familiar with.
I have nothing against pure capabilities. It's a good idea, but I
don't see why we shouldn't put POSIX capabilities into the kernel just
because someone has made OSes which are based solely on pure
capabilities. POSIX capabilities have been used for many years, pure
capabilities are AFAIK only now being used on commodity hardware in
experimental OSes. But there is nothing stopping anyone from
implementing it in Linux. And when it is done, if they are fast
enough, they will be able to emulate the current POSIX capabilities
interface.
astor
--
Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway
http://www.guardian.no/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu