On Tue, 24 Jul 2012 23:39:47 +0200 Norman Feske (NF) wrote:
NF> it seems I slightly misunderstood your proposal. In your solution, the
NF> revoke CRD argument refers to the address space of the caller, not
NF> the targeted PD, right? If so, your phrasing makes sense.
Correct.
NF> But couldn't the revoke syscall take a CRD referring to the targeted PD
NF> as argument instead? Why the need to have the to-be-revoked range mapped
NF> in the caller's PD at all?
It could, but it allows the holder of the PD cap to manipulate the address space of the PD at arbitrary locations. While this may not be a problem for Genode, due to the way PD capabilities are (not) distributed, I'm not sure it generalizes to other environments as well. With a directed revoke rooted in the PD of the invoker, you are guaranteed to be able to revoke only mappings that you established yourself.
Cheers, Udo
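The difference Udo describes, a revoke rooted in the invoker's own address space versus one that names the target PD, can be shown with a small mapping-tree model. The following is an added illustration written for this thread, not NOVA's or Genode's code: every mapping is either a root (the PD obtained the page itself) or a child of the mapping it was delegated from, a directed revoke drops only the subtree under the invoker's own mapping, and the PD-targeted variant lets any holder of the PD's cap remove a mapping that someone else established. The PD names, page numbers and the choice to keep the invoker's own copy untouched are assumptions of the model.

```python
"""Toy mapping-database model of directed capability revocation.

Constructed illustration, not NOVA's or Genode's code. A mapping is a root
(established by the PD itself) or derived from a parent mapping through
delegation. Directed revoke walks only the subtree beneath the invoker's
own mapping, so a PD can strip exactly what it handed out and nothing else.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Mapping:
    pd: str                                 # protection domain holding the mapping
    page: int                               # page number inside that PD
    parent: Optional["Mapping"] = None      # mapping it was delegated from, if any
    children: list = field(default_factory=list)


class MappingDB:
    def __init__(self) -> None:
        self.maps: dict[tuple[str, int], Mapping] = {}

    def establish(self, pd: str, page: int) -> Mapping:
        """Root mapping: the PD obtains the page without a delegator."""
        m = Mapping(pd, page)
        self.maps[(pd, page)] = m
        return m

    def delegate(self, src_pd: str, src_page: int, dst_pd: str, dst_page: int) -> Mapping:
        """Map src into dst; the new mapping becomes a child of the source."""
        parent = self.maps[(src_pd, src_page)]
        m = Mapping(dst_pd, dst_page, parent)
        parent.children.append(m)
        self.maps[(dst_pd, dst_page)] = m
        return m

    def _drop_subtree(self, m: Mapping) -> list:
        """Remove m and everything derived from it; return what was removed."""
        removed = []
        for child in list(m.children):
            removed += self._drop_subtree(child)
        m.children.clear()
        del self.maps[(m.pd, m.page)]
        removed.append((m.pd, m.page))
        return removed

    def revoke_directed(self, invoker_pd: str, page: int) -> list:
        """Revoke rooted in the invoker's address space (the variant Udo
        argues for): drops every mapping derived from (invoker_pd, page).
        The invoker's own copy is kept (a modelling assumption)."""
        root = self.maps.get((invoker_pd, page))
        if root is None:
            return []                       # nothing mapped there: nothing to revoke
        removed = []
        for child in list(root.children):
            removed += self._drop_subtree(child)
        root.children.clear()
        return removed

    def revoke_in_pd(self, target_pd: str, page: int) -> list:
        """PD-targeted variant: a holder of the PD cap names any range in the
        target PD, including mappings the caller never established."""
        m = self.maps.get((target_pd, page))
        if m is None:
            return []
        if m.parent is not None:
            m.parent.children.remove(m)
        return self._drop_subtree(m)


def scenario() -> tuple:
    """Constructed scenario: A delegates to B, B to C; D independently
    delegates a different page to B."""
    db = MappingDB()
    db.establish("A", 0x10)
    db.delegate("A", 0x10, "B", 0x20)
    db.delegate("B", 0x20, "C", 0x30)
    db.establish("D", 0x40)
    db.delegate("D", 0x40, "B", 0x50)       # B also holds a page it got from D

    # A can only take back what flowed out of its own mapping: B's and C's copies.
    directed = sorted(db.revoke_directed("A", 0x10))
    survivors = sorted(db.maps)             # B's page from D is untouched by A
    # With a PD-targeted revoke, whoever holds B's PD cap can remove the page
    # D delegated, although that caller never established it.
    targeted = sorted(db.revoke_in_pd("B", 0x50))
    return directed, survivors, targeted


if __name__ == "__main__":
    print(scenario())
```

The point of the model is the second return value: after A's directed revoke, B's mapping derived from D survives because it is not in A's subtree, whereas the PD-targeted form gives the PD-cap holder a handle on that mapping as well, which is the generalisation concern raised in the reply.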