l4-hurd

From: Michal Suchanek
Subject: Re: Clarification (was: Re: Challenge: Find potential use cases for non-trivial confinement
Date: Wed, 3 May 2006 20:39:24 +0200

Let me try then :)

First I would like to clarify what the feature is that you want to avoid.
If I did not understand that, my example is probably invalid.

Here goes some terminology:

1) confinement

We are talking about confinement all the time, but there are
misunderstandings about the meaning of the term.
Marcus suggests that confinement is the property that when a process
is created it has access only to certain limited resources that were
given to it on its creation.
In Marcus' proposal there is only one parent that creates the process.

2) isolation
Shap suggests that confinement means more. He designed a constructor
that allows the created process to have two parents: a builder (the
constructor) and a requestor (a process that uses the constructor to
create, i.e. instantiate, the new process). IIRC, when Marcus is speaking
about constructors he uses the term instantiator, and it is not clear
whether it means the builder or the requestor (probably the latter). So
let's stick to the terminology with builder.
Now Shap suggests that to guarantee process confinement the
constructor should be able to prevent the requestor from accessing the new
process. After looking in my fine copy of the Cambridge dictionary, it
looks like Shap has the terminology backwards here. The new process is
indeed confined (restricted) when Marcus' semantics are used. But Shap
wants the ability to also restrict the requestor, one of the parents
of the new process. I would call this an ability to create an
_isolated_ process. On one side, it may be confined, i.e. allowed to
access only a defined part of the system. On the other side, the
requestor may not be allowed access to the process.


Now, if isolation is what Marcus does not want, I have one use case he
himself mentioned a few times: the instantiation of user sessions.
Here the administrator uses a constructor to create isolated
processes. If he did not, the user sessions would be inside his session
and he could observe them.

In my view, reducing the number of constructors from potentially
limited only by system memory to exactly one does not eliminate the
concept of isolation (i.e. the software that wants it may request a
separate user session for itself). So it is a needless limitation.

Thanks

Michal
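The builder/requestor distinction and the two properties discussed above, as an added toy model (not code from the l4-hurd thread, and not Hurd or EROS code). Every name in it is an assumption chosen for the illustration: a constructor holds the "builder" capabilities a child is born with, the requestor may add some of its own, and the only thing the constructor can withhold from the requestor is an "inspect" right on the child. `is_confined` checks Marcus' property (the child holds nothing beyond what it was given at creation); `is_isolated` checks the extra property Michal attributes to Shap (the requestor cannot observe the child). The last function replays the user-session use case from the message.

```python
"""Toy capability model of the confinement / isolation distinction.

Added example, not code from the l4-hurd thread or from any Hurd/EROS
code base. Capability, Process, Constructor and the "invoke"/"inspect"
rights are assumptions made for this illustration only.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference to an object plus the rights it conveys."""
    target: str
    rights: frozenset


@dataclass
class Process:
    name: str
    caps: set = field(default_factory=set)


def holds(proc, target, right):
    """True if proc holds a capability to `target` conveying `right`."""
    return any(c.target == target and right in c.rights for c in proc.caps)


class Constructor:
    """The builder side: fixes the capabilities a new process is born with.

    If `isolate` is True the requestor is denied the "inspect" right on the
    child, so it can talk to the child but cannot look inside it.
    """

    def __init__(self, builder_caps, isolate):
        self.builder_caps = frozenset(builder_caps)
        self.isolate = isolate
        self._count = 0

    def instantiate(self, requestor, requestor_caps):
        self._count += 1
        name = f"proc{self._count}"
        # the child starts with the union of builder- and requestor-supplied caps
        child = Process(name, set(self.builder_caps) | set(requestor_caps))
        # the requestor always gets a handle to invoke the child it asked for ...
        requestor.caps.add(Capability(name, frozenset({"invoke"})))
        # ... but only a non-isolating constructor lets it observe the child
        if not self.isolate:
            requestor.caps.add(Capability(name, frozenset({"inspect"})))
        return child


def is_confined(child, allowed):
    """Marcus' sense: the child holds nothing beyond the set given at creation."""
    return child.caps <= set(allowed)


def is_isolated(requestor, child):
    """The additional property: the requestor cannot observe the child."""
    return not holds(requestor, child.name, "inspect")


def user_session_scenario(isolate):
    """Admin instantiates a user session through a constructor.

    Returns (session_is_confined, session_is_isolated_from_admin).
    The capabilities are constructed sample data.
    """
    admin = Process("admin")
    net = Capability("net", frozenset({"send"}))           # supplied by the builder
    home = Capability("home", frozenset({"read", "write"}))  # supplied by the requestor
    ctor = Constructor(builder_caps=[net], isolate=isolate)
    session = ctor.instantiate(admin, [home])
    return is_confined(session, [net, home]), is_isolated(admin, session)


if __name__ == "__main__":
    print("isolating constructor:    ", user_session_scenario(True))
    print("non-isolating constructor:", user_session_scenario(False))
```

With an isolating constructor the session is both confined and hidden from the admin; with a non-isolating one it is still confined (its capability set is unchanged) but the admin keeps an "inspect" handle, which is exactly the "user sessions inside his session" situation the message describes. Confinement is a property of the child's capability set; isolation is a property of what the requestor is handed back.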
