Hi Udo,
NF> But couldn't the revoke syscall take a CRD referring to the targeted PD
NF> as argument instead? Why the need to have the to-be-revoked range mapped
NF> in the caller's PD at all?
It could, but it allows the holder of the PD cap to manipulate the address space of the PD at arbitrary locations.
Indeed. This is consistent with my stance that possession of a PD cap equals total power over the PD.
Can you come up with a scenario where anyone would hand out a PD cap to someone else who should not have such power over the referred PD? I can't think of any.
While this may not be a problem for Genode, due to the way PD capabilities are (not) distributed, I'm not sure it generalizes to other environments as well. With a directed revoke rooted in the PD of the invoker, you are guaranteed to be able to revoke only mappings that you established yourself.
If you are uncertain about non-Genode scenarios, a permission bit might do the trick. But I think this bit is wasted. As far as I know, both NUL and Genode would leave it untouched. (I haven't looked into Nils' NRE though.)
Cheers
Norman
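To make the authority difference discussed in this exchange concrete, here is a toy mapping-database model added as an example (it is not NOVA, NUL or Genode code, and the names Mdb, Mapping, revoke_directed and revoke_by_pd_cap are assumptions). It contrasts a directed revoke rooted in the caller's own PD, which can only unmap mappings derived from the caller's mapping, with a revoke that takes a CRD naming the target PD, which lets any holder of the PD cap unmap ranges it never established.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(eq=False)          # identity comparison: the derivation tree is cyclic
class Mapping:
    pd: str                   # protection domain holding this capability
    sel: int                  # selector within that PD's capability space
    parent: Mapping | None = None
    children: list = field(default_factory=list)

class Mdb:
    """Assumed toy mapping database: each mapping remembers what it was derived from."""
    def __init__(self):
        self.maps = {}        # (pd, sel) -> Mapping

    def root(self, pd, sel):
        self.maps[(pd, sel)] = Mapping(pd, sel)

    def delegate(self, src_pd, src_sel, dst_pd, dst_sel):
        """Map src_pd:src_sel into dst_pd:dst_sel and record the derivation edge."""
        parent = self.maps[(src_pd, src_sel)]
        child = Mapping(dst_pd, dst_sel, parent)
        parent.children.append(child)
        self.maps[(dst_pd, dst_sel)] = child

    def _unmap_subtree(self, m):
        n = sum(self._unmap_subtree(c) for c in list(m.children))
        m.children.clear()
        self.maps.pop((m.pd, m.sel), None)
        return n + 1

    def revoke_directed(self, caller_pd, sel):
        """Directed revoke rooted in the caller's PD: only mappings derived from
        caller_pd:sel disappear; anything the caller did not hand out is untouched."""
        m = self.maps.get((caller_pd, sel))
        if m is None:
            return 0
        n = sum(self._unmap_subtree(c) for c in list(m.children))
        m.children.clear()
        return n

    def revoke_by_pd_cap(self, target_pd, sel):
        """Revoke via a CRD naming the target PD: whoever holds the PD cap can
        unmap any range in that PD, whether or not they established it."""
        m = self.maps.get((target_pd, sel))
        if m is None:
            return 0
        if m.parent is not None:
            m.parent.children.remove(m)
        return self._unmap_subtree(m)

def scenario():
    """Constructed scenario: core delegates one cap to init and to driver; init delegates on."""
    mdb = Mdb()
    mdb.root("core", 1)
    mdb.delegate("core", 1, "init", 5)
    mdb.delegate("core", 1, "driver", 7)
    mdb.delegate("init", 5, "child", 2)
    removed_by_init = mdb.revoke_directed("init", 5)    # only child:2 goes away
    driver_keeps = ("driver", 7) in mdb.maps            # driver's mapping survives
    removed_via_pd_cap = mdb.revoke_by_pd_cap("driver", 7)  # PD cap holder unmaps driver's range
    return removed_by_init, driver_keeps, removed_via_pd_cap, ("driver", 7) in mdb.maps
```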