l4-hurd
Re: secure exec


From: Marcus Brinkmann
Subject: Re: secure exec
Date: Fri, 23 May 2003 14:32:29 +0200
User-agent: Mutt/1.5.3i

On Thu, May 22, 2003 at 07:54:29PM +0200, Marcus Brinkmann wrote:
> The filesystem server does this:
> 
> error_t
> file_exec (file, task_server, new_task_obj_id, trans, &thread_id)
> {
>   if (task_server != my_trusted_task_server)
>     return EINVAL;
>   err = task_use_transaction_record (task_server, new_task_obj_id, trans,
>                                      &new_task);
>   if (!err)
>     err = task_revoke (new_task);
>   if (!err)
>     err = task_get_state (new_task, &state);
>   if (state != just_created_and_empty)
>     {
>       /* We trust the filesystem to do this here.  But if it really wanted
>          to steal the task, it could do it anyway.  This is still better
>          than having to wait for the user to accept the task we give to it.  */
>       task_destroy (new_task);
>       return EINVAL;
>     }

At this (or an earlier) point, the filesystem also has to insert a task ID
handle to itself into new_task, so that it is guaranteed that new_task will
notice if the filesystem dies prematurely.  This can not be left to the
caller (old task).  The task server can easily allow this, as the filesystem
has total control over the task.

>   /* The task is all ours now.  */
>   thread_id = setup_task (new_task);
>   /* thread_id now is the thread that will wait for the user's startup
>      message.  */
>   return thread_id;
> }

-- 
`Rhubarb is no Egyptian god.' GNU      http://www.gnu.org    address@hidden
Marcus Brinkmann              The Hurd http://www.gnu.org/software/hurd/
address@hidden
http://www.marcus-brinkmann.de/
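The hand-off that the quoted pseudocode and the paragraph above describe, as an added example that is not part of this mail or of any Hurd or L4 code: a constructed C model of a task server with transaction records and a per-task handle table, in which the filesystem redeems the record, revokes every other handle, inserts a handle to itself so the new task is told if the filesystem dies, and only then checks that the task is still just created and empty. Everything here is an assumption made for the model and not an API from the thread: the names task_create, task_insert_handle and server_died, the holder array, the nonce-based one-shot transaction record, the numeric actor ids, and the thread id 1 returned by setup_task.

```c
/* Constructed toy model of the file_exec hand-off in the mail.  Not Hurd or L4
 * code: the task server, transaction records, handle table and death notification
 * are in-memory stand-ins named after the pseudocode so the checks can be exercised. */
#include <errno.h>
#include <stdbool.h>
typedef int error_t; enum { EOK = 0 };
enum task_state { JUST_CREATED_AND_EMPTY, RUNNING, DESTROYED };
enum { TRUSTED_TASK_SERVER = 1, FILESYSTEM = 10, OLD_TASK = 20 };  /* model actor ids */

struct task {
    enum task_state state;
    int holders[4], nholders;  /* server ids holding a handle to this task */
    int watched_server;        /* server whose death is reported to the task; -1 = none */
    bool saw_server_death;     /* set by server_died() */
};
struct trans_record { int trans; bool spent; };
struct task_server { int id, ntasks; struct task tasks[4]; struct trans_record records[4]; };

/* Task-server primitives.  task_revoke drops every other handle, so the old task loses access. */
static void add_holder(struct task *t, int id) { if (t->nholders < 4) t->holders[t->nholders++] = id; }
static error_t task_revoke(struct task *t, int caller) { t->holders[0] = caller; t->nholders = 1; return EOK; }
static error_t task_get_state(struct task *t, enum task_state *s) { *s = t->state; return EOK; }
static void task_destroy(struct task *t) { t->state = DESTROYED; t->nholders = 0; }
static int setup_task(struct task *t) { t->state = RUNNING; return 1; /* id of the startup thread */ }

/* The old task gets an empty task plus a one-shot record (object id and nonce) to forward with exec. */
static int task_create(struct task_server *ts, int creator, int *trans_out)
{
    int obj_id = ts->ntasks++;
    ts->tasks[obj_id] = (struct task){ .state = JUST_CREATED_AND_EMPTY, .watched_server = -1 };
    add_holder(&ts->tasks[obj_id], creator);
    ts->records[obj_id] = (struct trans_record){ .trans = 1000 + obj_id }; *trans_out = 1000 + obj_id;
    return obj_id;
}

/* Redeem the record once: the caller gains a handle, a replay is refused. */
static error_t task_use_transaction_record(struct task_server *ts, int obj_id, int trans, int caller, struct task **out)
{
    if (obj_id < 0 || obj_id >= ts->ntasks) return EINVAL;
    struct trans_record *r = &ts->records[obj_id];
    if (r->spent || r->trans != trans) return EINVAL;
    r->spent = true;
    *out = &ts->tasks[obj_id]; add_holder(*out, caller);
    return EOK;
}

/* The step the mail adds: the filesystem plants a handle to itself in the task so the task
 * notices if the filesystem dies before exec completes.  Only a current holder may call this. */
static error_t task_insert_handle(struct task *t, int caller, int target)
{
    bool held = false;
    for (int i = 0; i < t->nholders; i++) held |= (t->holders[i] == caller);
    if (!held) return EINVAL;
    t->watched_server = target; return EOK;
}

/* The filesystem's exec entry point, in the order the pseudocode gives. */
static error_t file_exec(struct task_server *ts, int new_task_obj_id, int trans, int *thread_id)
{
    struct task *new_task; enum task_state state = DESTROYED; error_t err;
    if (ts->id != TRUSTED_TASK_SERVER) return EINVAL;
    err = task_use_transaction_record(ts, new_task_obj_id, trans, FILESYSTEM, &new_task);
    if (!err) err = task_revoke(new_task, FILESYSTEM);
    if (!err) err = task_insert_handle(new_task, FILESYSTEM, FILESYSTEM);
    if (!err) err = task_get_state(new_task, &state);
    if (err) return err;
    if (state != JUST_CREATED_AND_EMPTY) { task_destroy(new_task); return EINVAL; }
    *thread_id = setup_task(new_task);
    return EOK;
}

/* Model of the filesystem crashing: every task watching it is notified. */
static void server_died(struct task_server *ts, int server)
{
    for (int i = 0; i < ts->ntasks; i++)
        if (ts->tasks[i].watched_server == server) ts->tasks[i].saw_server_death = true;
}

/* Normal exec: 1 if the filesystem ends up sole holder, the task learns of its death, and a replay fails. */
static int check_normal_exec(void)
{
    struct task_server ts = { .id = TRUSTED_TASK_SERVER };
    int trans, tid = 0, again = 0, obj = task_create(&ts, OLD_TASK, &trans);
    if (file_exec(&ts, obj, trans, &tid) != EOK) return 0;
    server_died(&ts, FILESYSTEM);
    return tid == 1 && ts.tasks[obj].nholders == 1 && ts.tasks[obj].holders[0] == FILESYSTEM
           && ts.tasks[obj].saw_server_death && file_exec(&ts, obj, trans, &again) == EINVAL;
}

/* Tampered exec: the old task started a thread first, so the filesystem destroys the task. */
static int check_tampered_exec(void)
{
    struct task_server ts = { .id = TRUSTED_TASK_SERVER };
    int trans, tid = 0, obj = task_create(&ts, OLD_TASK, &trans);
    ts.tasks[obj].state = RUNNING;
    return file_exec(&ts, obj, trans, &tid) == EINVAL && ts.tasks[obj].state == DESTROYED;
}

int main(void) { return check_normal_exec() && check_tampered_exec() ? 0 : 1; }
```

check_normal_exec walks the happy path and then lets the modelled filesystem die, showing that the inserted handle is what carries the death notice to the new task; check_tampered_exec shows the filesystem destroying a task in which the old task had already started a thread. The state is read only after the revoke and the handle insertion, which is what makes the check meaningful: once the old task's handle is gone it cannot change the task between the check and setup_task.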