From mboxrd@z Thu Jan 1 00:00:00 1970
From: bakul at bitblocks.com (Bakul Shah)
Date: Mon, 19 Nov 2018 11:48:46 -0800
Subject: [COFF] [TUHS] man-page style
In-Reply-To: Your message of "Mon, 19 Nov 2018 12:53:31 -0500." <20181119175331.A0A9A18C076@mercury.lcs.mit.edu>
References: <20181119175331.A0A9A18C076@mercury.lcs.mit.edu>
Message-ID: <20181119194853.657EE156E40C@mail.bitblocks.com>

On Mon, 19 Nov 2018 12:53:31 -0500 jnc at mercury.lcs.mit.edu (Noel Chiappa) wrote:
>
> > All of this would be easily possible on the Mill arch. if ever it gets
> > built. Mill has segments and protected function calls.
>
> What I found about that mostly talked about the belt stuff. Do you happen to
> have a pointer to the segment/call stuff?

This is a good talk re IPC and protection:
https://www.youtube.com/watch?v=XJasE5aOHSw

In the description below the video there is a list of times where various
topics are covered so you can jump to what you want. Slides here:
https://millcomputing.com/docs/inter-process-communication/

Ivan's talk on Security should also be of help:
https://www.youtube.com/watch?v=5osiYZV8n3U
https://millcomputing.com/docs/security/

The key implication is a thread can make a "portal" call, where the same
thread is now in a different protection domain. No need for rendezvous &
a couple of extra context switches to a different thread, or trampoline
through a higher privilege kernel. This callee function can only access
what is visible from its own protection domain. It can operate on caller's
memory data only if the caller provides one time access to it.

> > set-uid has its own issues. Plan9 doesn't have it.
>
> Ah, what were the issues (if you happen to know)?

The issue is setuid(uid,gid) process has *full* access available to
uid,gid. If uid==0, now the process has superuser access. Why should an
install program have access to /etc/passwd or have raw disk access or
be able to root around in kernel memory? Typically you only want to
provide very limited access.
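The setuid point above (a setuid-root install program holds full superuser authority for its whole lifetime, when it only needs root for one narrow step) is the classic least-privilege problem. The following is an added example, not code from the thread or from any project mentioned in it, showing the usual mitigation on a Unix system: do the single privileged operation (open the one destination file), then permanently drop to an unprivileged uid/gid before touching any untrusted input, and verify that root cannot be regained. The fallback uid/gid 65534 (conventionally "nobody") and the helper names are assumptions of this example.

```python
"""Example: a setuid-root style install helper that keeps root only for one step."""
import errno
import os


def choose_unprivileged_ids():
    """Pick the ids to drop to.

    As root we drop to 65534/65534 (assumed to be the conventional 'nobody');
    as an ordinary user there is nothing to drop, so we keep our own ids.
    """
    if os.geteuid() == 0:
        return 65534, 65534
    return os.getuid(), os.getgid()


def drop_privileges(target_uid, target_gid):
    """Permanently give up root. Returns the (uid, gid) the process now runs as.

    Order matters: supplementary groups and gid must be changed while we are
    still root, because after setuid() we can no longer change them.
    As root, setuid() sets the real, effective AND saved uid, so the drop is
    irreversible (a plain seteuid() would leave the saved uid 0 behind).
    """
    if os.geteuid() != 0:
        return os.getuid(), os.getgid()
    os.setgroups([])
    os.setgid(target_gid)
    os.setuid(target_uid)
    return target_uid, target_gid


def privileges_are_gone():
    """True if the effective uid is non-zero and root cannot be regained."""
    if os.geteuid() == 0:
        return False
    try:
        os.seteuid(0)
    except PermissionError:
        return True
    except OSError as exc:
        return exc.errno == errno.EPERM
    # seteuid(0) succeeded: the saved uid was still 0, so the drop was incomplete.
    return False


def install_file(payload, dest_path, unprivileged_uid, unprivileged_gid):
    """Write `payload` to `dest_path`, holding root only long enough to open it.

    Returns (bytes_written, privileges_dropped).
    """
    # 1. Privileged step: open the one file we are allowed to touch.
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    # 2. Drop root *before* handling untrusted payload data.
    drop_privileges(unprivileged_uid, unprivileged_gid)
    dropped = privileges_are_gone()
    # 3. Unprivileged step: the already-open descriptor still works, but any
    #    attempt to open /etc/passwd, a raw disk or /dev/mem would now fail.
    with os.fdopen(fd, "wb") as f:
        written = f.write(payload)
    return written, dropped


if __name__ == "__main__":
    import tempfile
    uid, gid = choose_unprivileged_ids()
    fd, path = tempfile.mkstemp(prefix="install-demo-")
    os.close(fd)
    print(install_file(b"constructed sample payload\n", path, uid, gid))
```

The step that matters is the order: open the privileged resource first, drop with `setgroups`/`setgid`/`setuid` (not `seteuid`, which keeps the saved uid and lets the process climb back), and then verify the drop before doing anything with data the caller controls.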