On Mon, 19 Nov 2018 12:53:31 -0500 jnc(a)mercury.lcs.mit.edu (Noel Chiappa) wrote:
> > All of this would be easily possible on the Mill arch. if ever it gets
> > built. Mill has segments and protected function calls.
>
> What I found about that mostly talked about the belt stuff. Do you happen to
> have a pointer to the segment/call stuff?

This is a good talk re IPC and protection:
https://www.youtube.com/watch?v=XJasE5aOHSw
In the description below the video there is a list of times
where various topics are covered so you can jump to what you want.
Slides here:
https://millcomputing.com/docs/inter-process-communication/
Ivan's talk on Security should also be of help:
https://www.youtube.com/watch?v=5osiYZV8n3U
https://millcomputing.com/docs/security/
The key implication is a thread can make a "portal" call,
where the same thread is now in a different protection domain.
No need for rendezvous & a couple of extra context switches to
a different thread, or trampoline through a higher privilege
kernel. This callee function can only access what is visible
from its own protection domain. It can operate on caller's
memory data only if the caller provides one time access to it.

> > set-uid has its own issues. Plan9 doesn't have it.
>
> Ah, what were the issues (if you happen to know)?

The issue is that a setuid(uid,gid) process has *full* access
available to uid,gid. If uid==0, now the process has superuser
access. Why should an install program have access to
/etc/passwd or have raw disk access or be able to root around
in kernel memory? Typically you only want to provide very
limited access.
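The portal-call behaviour described above (same thread, different protection domain, callee sees only its own segments plus whatever the caller explicitly hands it for the duration of the call) can be modelled in a few dozen lines. The following is an added toy model written for this page, not Mill code and not a description of Mill's real hardware mechanism (see Ivan's talks for that). All names here (Segment, Domain, Thread, portal_call, the "service"/"client" domains and the "secret"/"buf" segments) are made up for the illustration, and "one time access" is read as "valid for this call only, revoked on return", which is an assumption.

```python
"""Toy model of a portal call between protection domains (added example,
not Mill's actual mechanism). A Thread carries its current Domain; a
portal call swaps the domain in place instead of switching threads or
trapping into a kernel. The callee can touch the caller's memory only
through a grant attached to the call, and the grant dies on return."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class AccessDenied(Exception):
    """Raised when code touches a segment its current domain cannot see."""


@dataclass
class Segment:
    name: str
    data: bytearray


@dataclass
class Domain:
    name: str
    segments: Dict[str, Segment] = field(default_factory=dict)     # always visible here
    portals: Dict[str, Tuple["Domain", Callable]] = field(default_factory=dict)


class Thread:
    """One thread of control. `domain` is where it currently executes."""

    def __init__(self, domain: Domain):
        self.domain = domain
        self.grants: List[Segment] = []   # segments lent to us for the current call

    def _lookup(self, name: str) -> Segment:
        seg = self.domain.segments.get(name)
        if seg is None:
            seg = next((g for g in self.grants if g.name == name), None)
        if seg is None:
            raise AccessDenied(f"domain {self.domain.name!r} cannot see segment {name!r}")
        return seg

    def read(self, name: str) -> bytes:
        return bytes(self._lookup(name).data)

    def write(self, name: str, payload: bytes) -> None:
        seg = self._lookup(name)
        seg.data[: len(payload)] = payload

    def portal_call(self, portal: str, *args, grant: Optional[List[str]] = None):
        """Enter the portal's target domain on this same thread, run the
        callee, and return to the caller's domain. Segments named in
        `grant` must be visible to the caller; they are lent to the callee
        and revoked when the call returns."""
        target, fn = self.domain.portals[portal]
        lent = [self._lookup(n) for n in (grant or [])]   # caller can only lend what it sees
        saved = (self.domain, self.grants)
        self.domain, self.grants = target, lent
        try:
            return fn(self, *args)
        finally:
            self.domain, self.grants = saved                # grant revoked on return


# --- constructed world: a "service" domain exposing one portal to a "client" ---

def fill_buffer(t: Thread, seg_name: str, text: bytes) -> int:
    """Runs in the service domain. Its only path to the caller's buffer is
    the grant attached to the portal call."""
    t.write(seg_name, text)
    return len(text)


def build_world() -> Tuple[Domain, Domain]:
    service = Domain("service", {"secret": Segment("secret", bytearray(b"key-material"))})
    client = Domain("client", {"buf": Segment("buf", bytearray(16))})
    client.portals["fill"] = (service, fill_buffer)
    return client, service


def run_demo() -> dict:
    client, _service = build_world()
    t = Thread(client)
    out = {}
    # 1. Portal call with a grant: the service fills the client's buffer.
    out["written"] = t.portal_call("fill", "buf", b"hello", grant=["buf"])
    out["buf"] = t.read("buf")[:5]
    # 2. Back in the client domain, the service's secret is not visible.
    try:
        t.read("secret")
        out["secret_visible"] = True
    except AccessDenied:
        out["secret_visible"] = False
    # 3. Without a grant the service cannot reach the client's buffer at all,
    #    and the failed call still returns the thread to the client domain.
    try:
        t.portal_call("fill", "buf", b"evil")
        out["ungranted_write"] = True
    except AccessDenied:
        out["ungranted_write"] = False
    out["domain_after"] = t.domain.name
    out["buf_intact"] = t.read("buf")[:5]
    return out


if __name__ == "__main__":
    print(run_demo())
```

The thing worth noticing is step 3: a grant is not a property of the buffer or of the service, it is attached to one call and gone after it, so a callee that misbehaves on a later call finds nothing to touch. Compare that with the setuid case in the same message, where the process simply holds every right of the uid for its whole lifetime.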