From: bakul at bitblocks.com (Bakul Shah)
Subject: [COFF] Other OSes?
Date: Mon, 09 Jul 2018 22:30:32 -0700 [thread overview]
Message-ID: <20180710053039.BA35C156E400@mail.bitblocks.com> (raw)
In-Reply-To: Your message of "Sun, 08 Jul 2018 22:44:23 -0400." <CAEoi9W6ZiYGzRPTcD5eX7UqG0KWEOKp95cGsA=E2AhAqceiVPA@mail.gmail.com>
On Sun, 08 Jul 2018 22:44:23 -0400 Dan Cross <crossd at gmail.com> wrote:
Dan Cross writes:
>
> On Sun, Jul 8, 2018 at 4:31 PM Perry E. Metzger <perry at piermont.com> wrote:
>
> > [snip]
> > On Wed, 4 Jul 2018 23:40:36 -0700 Bakul Shah <bakul at bitblocks.com>
> > wrote:
> > > - Capabilities (a number of OSes implemented them -- See Hank
> > > Levy's book: https://homes.cs.washington.edu/~levy/capabook/
> >
> > A fascinating resurrection of capabilities in a kind of pleasant
> > Unixy-way can be found in Robert Watson's "Capsicum" add-ons for
> > FreeBSD and Linux. I wish it was more widely known about and adopted.
> >
> > > - Namespaces (plan9)
> >
> > A good choice I think.
>
>
> Interestingly, it was in talking with Ben Laurie about a potential security
> model for Akaros that I realized the correspondence between Plan9-style
> namespaces and capabilities.
I tend to think they are orthogonal. Namspaces map names to
objects -- they control what objects you can see.
Capabilities control what you can do with such an object. Cap
operations such as revoke, grant, attenunating rights
(subsetting the allowed ops) don't translate to namespaces.
A cap is much like a file descriptor but it doesn't have to be
limited to just open files or directories.
As an example, a client make invoke "read(fd, buffer, count)"
or "write(fd, buffer, count)". This call may be serviced by a
remote file server. Here "buffer" would be a cap on a memory
range within the client process -- we don't want the server to
have any more access to client's memory. When the fileserver
is ready to read or write, it has to securely arrange data
transfer to/from this memory range[1].
You can even think of a cap as a "promise" -- you can perform
certain operations in future as opposed to right now. [Rather
than read from memory and send the data along with the write()
call, the server can use the buffer cap in future. The file
server in turn can pass on the buffer cap to a storage server,
there by reducing latency and saving a copy or two]
> Since Akaros had imported a lot of plan9
> namespace code, we concluded that we already had the building blocks for a
> capability-style security model with minimal additional work. I
> subsequently concluded that Capsicum wasn't strong enough to be complete.
The point of my original comment was that if capabilities were
integral to a system (as opposed to being an add-on like
Capsicum) a much simpler Unix might've emerged.
[1] In the old days we used copyin/copyout for this sort of
data transfer between a user process address space and the
kernel. This is analogous.
next prev parent reply other threads:[~2018-07-10 5:30 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-05 5:56 wkt
2018-07-05 6:29 ` spedraja
2018-07-05 6:40 ` bakul
2018-07-05 15:23 ` clemc
2018-07-05 20:49 ` scj
2018-07-05 21:25 ` david
2018-07-06 15:42 ` gtaylor
2018-07-05 22:38 ` ralph
2018-07-05 23:11 ` bakul
2018-07-06 0:06 ` lm
2018-07-06 15:49 ` gtaylor
2018-07-06 0:52 ` tytso
2018-07-06 5:59 ` ralph
2018-07-06 15:59 ` gtaylor
2018-07-06 16:10 ` ralph
2018-07-06 16:47 ` gtaylor
2018-07-06 15:57 ` gtaylor
2018-07-06 15:38 ` gtaylor
2018-07-09 1:56 ` tytso
2018-07-09 3:25 ` gtaylor
2018-07-09 3:35 ` crossd
2018-07-09 3:43 ` gtaylor
2018-07-09 3:52 ` imp
2018-07-09 11:32 ` perry
2018-07-09 11:50 ` perry
2018-07-09 11:34 ` crossd
2018-07-09 5:23 ` tytso
2018-07-09 12:52 ` clemc
2018-07-09 13:06 ` [COFF] PiDP Obsolesces Guaranteed clemc
2018-07-09 14:39 ` [COFF] Other OSes? tytso
2018-07-09 14:46 ` clemc
2018-07-09 11:24 ` perry
2018-07-05 22:51 ` ewayte
2018-07-08 20:31 ` perry
2018-07-08 20:53 ` perry
2018-07-09 2:44 ` crossd
2018-07-10 5:30 ` bakul [this message]
2018-07-16 14:49 ` crossd
2018-07-16 16:59 ` [COFF] Capabilities (was " bakul
2018-07-06 0:55 ` [COFF] " crossd
2018-07-06 5:42 ` bakul
2018-07-09 2:51 ` crossd
2018-07-10 5:41 ` bakul
2018-07-06 4:04 ` grog
2018-07-06 16:10 ` gtaylor
2018-07-06 18:27 ` [COFF] Editor Scripts scj
2018-07-06 19:04 ` gtaylor
2018-07-08 20:50 ` [COFF] Other OSes? perry
2018-07-08 23:27 ` bakul
2018-07-09 0:00 ` grog
2018-07-09 0:13 ` perry
2018-07-09 0:05 ` crossd
2018-07-09 0:56 ` lm
2018-07-09 2:23 ` crossd
2018-07-09 0:11 ` perry
2018-07-09 0:19 ` crossd
2018-07-09 2:00 ` bakul
2018-07-09 3:02 ` [COFF] Origination of awful security design [COFF, COFF] bill
2018-07-09 13:10 ` [COFF] Other OSes? david
2018-07-09 13:17 ` perry
2018-07-09 13:13 ` perry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180710053039.BA35C156E400@mail.bitblocks.com \
--to=coff@minnie.tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).