Hello Udo,
do you see any issues with extending the revoke syscall by a protection domain (pd) parameter? Currently, the current protection domain of the caller is used implicitly. With the extension, the caller would have to explicitly specify the pd to which the revoke operation should apply.
Genode core currently revokes all memory of the client pd subject to destruction. However, core has no means to make sure that references to kernel objects whose creation has been issued by the client pd directly using the kernel syscalls are freed. Additionally, core can't make sure to revoke any mappings of memory, I/O ports and object capabilities which the client received via other channels (services/sessions not provided by core).
The same issue also applies to NUL[0], where sigma0 can't clean up the object space of the vancouvers subject to destruction.
With the remote revoke, core and sigma0 in NUL would be able to make sure that all user-level references inside a pd subject to destruction can be freed.
Cheers,
Alex.
[0] http://os.inf.tu-dresden.de/nul