l4-hurd

Re: Design principles and ethics


From: Jonathan S. Shapiro
Subject: Re: Design principles and ethics
Date: Mon, 01 May 2006 21:00:17 -0400

On Tue, 2006-05-02 at 00:33 +0200, Pierre THIERRY wrote:
> Scribit Bas Wijnen dies 01/05/2006 hora 23:20:
> > > > C. The child cannot have any capability that the parent couldn't
> > > > gain access to. 
> > This is correct, but it isn't an extra requirement.  Just like in the
> > constructor, the child cannot receive a capability that neither the
> > parent nor the instantiator possess.
> 
> Either you or I have misunderstood something in how a constructor works.
> I had understood that the constructor is given a set of capabilities
> along with the process it will instantiate. These capabilities could be
> out of reach for the instantiator.

The constructor has *three* sources of capabilities:

  1. A set provided by the instantiator at instantiation time.
  2. A set of "holes" provided by the builder (the party who set up the
     constructor) at build time. This set is *authorized* by the
     instantiator, but not accessible to them.
  3. A set of capabilities provided by the builder that are determined,
     through use of a kernel-supported function, to be transitively
     read-only and therefore harmless.

shap
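The three sources listed above, modelled as a small capability graph. This is an added illustration, not code from the post or from EROS/Coyotos: capability names, the `reachable` edges, and the `authorize_holes` flag are constructed assumptions. The point it shows is the one the message makes about source 3: a builder capability is only admitted if it is read-only *and* everything obtainable through it is read-only too, so a read-only handle that can yield a writable one is rejected.

```python
"""Toy model of the constructor pattern (constructed illustration, not kernel code).

A capability is a node in a directed graph; an edge A -> B means that a holder of
A can obtain B through A (for example by reading a capability page through A).
"""
from dataclasses import dataclass, field


@dataclass
class Capability:
    name: str
    read_only: bool
    # capabilities a holder can obtain through this one (constructed edges)
    reachable: list = field(default_factory=list)


def transitively_read_only(cap, seen=None):
    """Model of the kernel-supported check: a capability is transitively read-only
    when it is read-only and every capability reachable through it is as well."""
    if seen is None:
        seen = set()
    if id(cap) in seen:
        # Already on the path being examined; its own flag was checked when entered.
        return True
    seen.add(id(cap))
    if not cap.read_only:
        return False
    return all(transitively_read_only(c, seen) for c in cap.reachable)


def constructor_instantiate(instantiator_caps, holes, builder_caps, authorize_holes):
    """Assemble the child's capability set from the three sources in the post.

    1. instantiator_caps: handed over by the instantiator at instantiation time.
    2. holes: placed by the builder; filled only if the instantiator authorizes
       them, and never readable by the instantiator itself.
    3. builder_caps: admitted only if the kernel-style check says they are
       transitively read-only and therefore cannot leak authority.
    """
    child = list(instantiator_caps)
    if authorize_holes:
        child.extend(holes)
    child.extend(cap for cap in builder_caps if transitively_read_only(cap))
    return child


def within_allowed_sources(child, instantiator_caps, holes, builder_caps):
    """Invariant from the thread: the child holds nothing outside the three sources."""
    allowed = {id(c) for c in instantiator_caps} | {id(c) for c in holes}
    allowed |= {id(c) for c in builder_caps if transitively_read_only(c)}
    return all(id(c) in allowed for c in child)


# --- constructed sample capability graph -------------------------------------
SESSION = Capability("session", read_only=False)              # source 1
KEY_STORE = Capability("secret-key-store", read_only=False)   # source 2 (a hole)
CONFIG_PAGE = Capability("config-page-ro", read_only=True)
CONFIG = Capability("config-ro", read_only=True, reachable=[CONFIG_PAGE])
LOG_WRITER = Capability("log-writer", read_only=False)
LOG_VIEW = Capability("log-ro", read_only=True, reachable=[LOG_WRITER])  # leaks write


def child_cap_names(authorize_holes=True):
    """Names the child ends up holding for the sample graph."""
    child = constructor_instantiate([SESSION], [KEY_STORE], [CONFIG, LOG_VIEW],
                                    authorize_holes)
    assert within_allowed_sources(child, [SESSION], [KEY_STORE], [CONFIG, LOG_VIEW])
    return [c.name for c in child]


if __name__ == "__main__":
    print(child_cap_names())        # ['session', 'secret-key-store', 'config-ro']
    print(child_cap_names(False))   # ['session', 'config-ro']
```

`log-ro` is read-only itself but can yield `log-writer`, so the transitive check rejects it even though a one-level check would have let it through; that is the difference between "read-only" and "transitively read-only" that the post relies on.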
