Re: ACL vs Capability

["Thomas E. Spanjaard" <tgen@xxxxxxxxxxxxx>]

TongKe Xue wrote:
> Thomas E. Spanjaard wrote:
> > The granularity of capabilities is actually per 'object', not per 
> > process necessarily. You can control virtual memory mappings with 
> > capabilities too, and that's far more fine-grained than just per 
> > process (which would result in an 'everything-or-nothing' approach 
> > because of per process capabilities).
> When a process P wants an access to an object O, ACL's look at the user 
> who P is executing as and decide whether to grant access. Capabilities 
> on the other hand, will make the decision based on P instead. Correct? I 
> don't understand the virtual memory example.

Actually, capabilities check whether the entity that wants access to 
object O has a capability for the type of access to this particular 
object. It doesn't have to be a process per se to have capabilities to 
an object, other 'entities' in the 'universe' can as well (threads, 
light-weight processes, users, network connections, etc). What I meant 
with virtual memory, is that when for example entity E has a read 
capability for object O, then the memory object O is residing in is 
mapped as read-only into the virtual memory space of entity E. Ofcourse 
entity E has to be in PL >0, otherwise it could work around the kernel 
capability check and memory manager :).

Cheers,
--
        Thomas E. Spanjaard
        tgen@xxxxxxxxxxxxx

Attachment: signature.asc
Description: OpenPGP digital signature