Capabilities
- Such a facility is implemented as a capability (мандат), which includes not only a pointer to the port but also the list of rights that the other process holds with respect to that port (for example, the right to perform the SEND operation).
- Capabilities (All references between low-level objects in Fluke are represented as kernel-mediated capabilities [37]. Each primitive object type contains a number of “capability slots.” For example, each thread object contains an address space slot, which refers to the address space in which the thread is to run. Processes can store and manipulate individual capabilities using reference objects, which are kernel objects that hold a single capability of any type. System calls are provided to produce capabilities pointing to existing kernel objects, copy capabilities between reference objects and the special-purpose slots in other kernel objects, pass capabilities through IPC, and compare them against each other. A process only refers to a capability by the virtual address of the kernel object in which it is contained; it never has direct access to the capability itself.) Capabilities in our API provide the relativity property for cross-address-space references, such as references within a child process to objects implemented by its parent. Since only the kernel can access the actual contents of a capability, capabilities can be passed freely between arbitrary processes in our system, allowing communication to short-circuit the process hierarchy when appropriate.
A parent process can locate all of the capabilities contained in a child process, discover to which objects they point, and transparently make substitutions of these capabilities, analogous to “pointer swizzling”.
Capabilities also provide border control. Since a parent process determines what capabilities it passes to its child, it can interpose on any of these capabilities, as well as on capabilities subsequently passed into or out of the child through communication channels on which the parent has interposed. This way, the parent can completely monitor and control all communication into or out of a process by intercepting IPC messages. However, the capability model also allows the parent to interpose selectively on only a subset of the capabilities provided to a child.
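The three properties quoted above (a process holds only a slot index, never the capability itself; rights travel with the capability and can only be attenuated when it is passed on; a parent can inspect and transparently substitute the capabilities in a child's slots to interpose on its IPC) are easy to see in a small model. The following Python is an added illustration written for these notes, not Fluke's code: the `Kernel`, `Capability`, `Port` and `Right` names, the slot-index addressing and the proxy-port interposition are all assumptions of the toy, chosen to mirror the description rather than the real API.

```python
"""Toy model of kernel-mediated capabilities (added example, not Fluke code).

Processes never touch a Capability object; they name one by a slot index
into a table the kernel owns. Every operation is rights-checked by the
kernel, and a parent may inspect and swap the capabilities in a child's
slots ("pointer swizzling") to interpose a proxy port on the child's IPC.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    SEND = auto()
    RECEIVE = auto()


@dataclass
class Port:
    name: str
    owner: str
    queue: list = field(default_factory=list)   # pending (sender, message) pairs


@dataclass
class Capability:
    port: Port          # the kernel object this capability refers to
    rights: Right       # what the holder may do with it


class Kernel:
    def __init__(self):
        self.slots = {}    # process name -> list of Capability (the process's slots)
        self.parent = {}   # process name -> parent process name (or None)

    def create_process(self, name, parent=None):
        self.slots[name] = []
        self.parent[name] = parent

    def _install(self, proc, cap):
        """Store a capability in a fresh slot; the process only learns the index."""
        self.slots[proc].append(cap)
        return len(self.slots[proc]) - 1

    def create_port(self, owner, name):
        port = Port(name, owner)
        return port, self._install(owner, Capability(port, Right.SEND | Right.RECEIVE))

    def _lookup(self, proc, slot, needed):
        cap = self.slots[proc][slot]
        if needed not in cap.rights:
            raise PermissionError(f"{proc}: slot {slot} lacks {needed.name}")
        return cap

    def pass_capability(self, src, slot, dst, rights=None):
        """Pass a capability through IPC; rights can be narrowed, never widened."""
        cap = self.slots[src][slot]
        granted = cap.rights if rights is None else rights & cap.rights
        return self._install(dst, Capability(cap.port, granted))

    def send(self, proc, slot, message):
        self._lookup(proc, slot, Right.SEND).port.queue.append((proc, message))

    def receive(self, proc, slot):
        return self._lookup(proc, slot, Right.RECEIVE).port.queue.pop(0)

    def inspect_child(self, parent, child):
        """A parent may discover where each of its child's capabilities points."""
        if self.parent[child] != parent:
            raise PermissionError("only the parent may inspect a child's slots")
        return [(cap.port.name, cap.rights) for cap in self.slots[child]]

    def interpose(self, parent, child, slot):
        """Swap the child's capability for one naming a parent-owned proxy port.
        The child's slot index is unchanged, so the substitution is transparent."""
        if self.parent[child] != parent:
            raise PermissionError("only the parent may swizzle a child's slots")
        original = self.slots[child][slot]
        proxy, parent_slot = self.create_port(parent, f"proxy:{original.port.name}")
        self.slots[child][slot] = Capability(proxy, original.rights)
        return parent_slot, original


def demo():
    k = Kernel()
    k.create_process("server")
    k.create_process("parent")
    k.create_process("child", parent="parent")
    server_port, server_slot = k.create_port("server", "service")
    # server hands the parent a full-rights capability; parent hands child SEND only
    parent_slot = k.pass_capability("server", server_slot, "parent")
    child_slot = k.pass_capability("parent", parent_slot, "child", Right.SEND)
    k.send("child", child_slot, "hello")
    direct = k.receive("server", server_slot)
    try:                                     # child lacks RECEIVE on that port
        k.receive("child", child_slot)
        child_receive_denied = False
    except PermissionError:
        child_receive_denied = True
    # border control: parent interposes on the child's only channel
    proxy_slot, _ = k.interpose("parent", "child", child_slot)
    k.send("child", child_slot, "second")   # same slot index, now lands on the proxy
    intercepted = k.receive("parent", proxy_slot)
    k.send("parent", parent_slot, intercepted[1])   # parent inspects, then forwards
    forwarded = k.receive("server", server_slot)
    return {
        "direct": direct,
        "child_receive_denied": child_receive_denied,
        "intercepted": intercepted,
        "forwarded": forwarded,
        "child_view": k.inspect_child("parent", "child"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that after `interpose` the child keeps using the same slot index and still has exactly the SEND right it was granted; only the kernel-side table entry changed, which is what lets the parent monitor or filter traffic without the child cooperating or even noticing.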
However, the original Fluke system was capability-based and was not in itself adequate to meet the requirements of the Flask architecture.
^ wtf?