Capability-based security supposedly makes security easy to use by providing an
intuitive way to manage authority without the need for an all-encompassing and
complex global system policy.
I don't understand why this principle is ignored in the hello world code example:
#include <base/printf.h>
int main()
{
    Genode::printf("Hello world\n");
    return 0;
}
Why appeal to ambient authority to print to the console? Why not pass a capability to main, as Pony does with env, Capsicum at cap_enter(), etc.?
At lower levels of the architecture, Genode has this structure; e.g. 3.5 Component creation:
The environment is constructed by successively requesting the component’s RM, RAM, CPU, and PD sessions from its parent.
Why not continue this structure in the base API?
--
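The contrast the post draws between ambient authority and capability passing, as an added toy example written for this page. It is not code from the original post and not Genode's API (Genode's later component entry point, Component::construct(Genode::Env &), does take this shape, but nothing below is that interface). The names ocap::Console, ocap::Env, ocap::Parent and hello_component are assumptions made up for the illustration. There is no global print function at all: the only route to the console is a Console object minted by the parent, which can attenuate it with a line quota and revoke it later, and the child cannot bypass either because it never holds the backend.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>
#include <cstdio>

// Toy object-capability model (constructed for this example, not Genode's API).
namespace ocap {

// Stands in for the real console; the child never gets a reference to it.
struct ConsoleBackend {
    std::vector<std::string> lines;
};

// A Console is a capability: an unforgeable reference to the backend.
// The constructor is private, so only the parent can mint one.
class Console {
    friend class Parent;
    std::shared_ptr<ConsoleBackend> _backend;
    std::shared_ptr<bool>           _revoked;  // shared with the parent
    unsigned                        _quota;    // attenuation: lines allowed

    Console(std::shared_ptr<ConsoleBackend> b, std::shared_ptr<bool> r, unsigned quota)
        : _backend(std::move(b)), _revoked(std::move(r)), _quota(quota) {}

public:
    // Returns false if the capability was revoked or the quota is exhausted.
    bool write(const std::string &line) {
        if (*_revoked || _quota == 0) return false;
        --_quota;
        _backend->lines.push_back(line);
        return true;
    }
};

// The environment handed to a component: the only way authority reaches it.
struct Env {
    Console console;
};

// The parent owns the backend and mints attenuated, revocable capabilities.
class Parent {
    std::shared_ptr<ConsoleBackend> _backend = std::make_shared<ConsoleBackend>();
    std::shared_ptr<bool>           _revoked = std::make_shared<bool>(false);

public:
    Env make_env(unsigned line_quota) {
        return Env{ Console(_backend, _revoked, line_quota) };
    }
    void revoke_console() { *_revoked = true; }
    const std::vector<std::string> &output() const { return _backend->lines; }
};

} // namespace ocap

// Hello world in the capability style: authority arrives as an argument,
// and there is no ambient printf to fall back on.
bool hello_component(ocap::Env &env) {
    return env.console.write("Hello world");
}

// Runs the component `attempts` times under a parent that granted `quota`
// lines; returns how many lines actually reached the console.
int run_with_quota(unsigned quota, unsigned attempts) {
    ocap::Parent parent;
    ocap::Env env = parent.make_env(quota);
    for (unsigned i = 0; i < attempts; ++i) hello_component(env);
    return static_cast<int>(parent.output().size());
}

// Revocation: the parent cuts off the child's console without the child's
// cooperation. Returns true if the write succeeded before and failed after.
bool write_after_revocation_fails() {
    ocap::Parent parent;
    ocap::Env env = parent.make_env(10);
    bool before = hello_component(env);
    parent.revoke_console();
    bool after = hello_component(env);
    return before && !after;
}

int main() {
    std::printf("lines written with quota 2, 5 attempts: %d\n", run_with_quota(2, 5));
    std::printf("revocation enforced: %s\n", write_after_revocation_fails() ? "yes" : "no");
    return 0;
}
```

The point of the toy is that the hello component's signature is the whole policy: whoever constructs its Env decides what it may do, which is the structure the post asks for at the base API level.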