On Aug 1, 2021, at 6:05 PM, Theodore Ts'o <tytso(a)mit.edu> wrote:
On Sun, Aug 01, 2021 at 06:13:18PM -0600, Andrew Warkentin wrote:
There's a third kind of primitive that is superior to either spawn()
or fork() IMO, specifically one that creates a completely empty child
process and returns a context that lets the parent set up the child's
state using normal APIs.
I've seen this argument a number of times, but what's never been clear
to me is what *would* the "normal APIs" be which would allow a parent
to set up the child's state? How would that be accomplished? Lots of
new system calls? Magic files in /proc/<pid>/XXX which get
manipulated somehow? (How, exactly, does one affect the child's
memory map via magic read/write calls to /proc/<pid>/XXX.... How
about environment variables, etc.)
And what are the access rights by which a process gets to reach out
and touch another process's environment? Is it only allowed for
child processes? And is it only allowed before the child starts
running? What if the child process is going to be running a setuid or
setgid executable?
From the "KeyKOS Nanokernel Architecture" (1992) paper:
----
KeyKOS processes are created by building a segment that will
become the program address space, obtaining a fresh domain,
and inserting the segment key in the domain's address slot.
The domain is created in the waiting state, which means that
it is waiting for a message. A threads paradigm can be
supported by having two or more domains share a common
address space segment.
Because domain initialization is such a common operation,
KeyKOS provides a mechanism to generate "prepackaged"
domains. A factory is an entity that constructs other
domains. Every factory creates a particular type of domain.
For example, the queue factory creates domains that provide
queuing services. An important aspect of factories is the
ability of the client to determine their trustworthiness. It
is possible for a client to determine whether an object
created by a factory is secure.
----
This paper also talks about their attempt to emulate Unix on
top.
http://css.csail.mit.edu/6.858/2009/readings/keykos.pdf