NOVA: remote revoke

Norman Feske norman.feske at ...1...
Wed Jul 25 19:22:56 CEST 2012


Hi Udo,

> NF> But couldn't the revoke syscall take a CRD referring to the targeted PD
> NF> as argument instead? Why the need to have the to-be-revoked range mapped
> NF> in the caller's PD at all?
> 
> It could, but it allows the holder of the PD cap to manipulate the address
> space of the PD at arbitrary locations.

Indeed. This is consistent with my stance that the possession of a PD
cap equals total power over the PD.

Can you come up with a scenario where anyone would hand out a PD cap to
someone else who should not have such power over the referred PD? I
can't think of any.

> While this may not be a problem for
> Genode, due to the way PD capabilities are (not) distributed, I'm not sure
> it generalizes to other environments as well. With a directed revoke rooted in
> the PD of the invoker, you are guaranteed to be able to revoke only mappings
> that you established yourself.

If you are uncertain about non-Genode scenarios, a permission bit might
do the trick. But I think this bit is wasted. As far as I know, both NUL
and Genode would leave it untouched. (I haven't looked into Nils' NRE
though.)

Cheers
Norman
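
The difference the two of them are arguing about, as an added, runnable model that is not NOVA's, NUL's or Genode's code: a toy mapping database in which every delegated capability remembers the mapping it was derived from. `revoke_directed` is the existing NOVA-style call rooted in the invoker's own PD, so it can only strip the subtree of mappings the caller itself established; `revoke_remote` is the variant Norman asks about, naming a selector in a target PD through a PD capability, guarded by a hypothetical "revoke" permission bit on that PD cap (the bit, the PD names, the selectors and the `self_too` flag are all assumptions of this example, not the NOVA API).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added example: simplified model of capability revocation, not kernel code.
Slot = Tuple[str, int]  # (protection domain name, capability selector)


@dataclass
class Mapping:
    pd: str
    sel: int
    obj: str                                   # kernel object behind the selector
    parent: Optional["Mapping"] = None         # mapping this one was derived from
    children: List["Mapping"] = field(default_factory=list)


class Kernel:
    """Mapping database: delegation builds a derivation tree per object,
    and revocation walks the subtree below the mapping it is rooted at."""

    def __init__(self) -> None:
        self.maps: Dict[str, Dict[int, Mapping]] = {}
        # PD capabilities: (holder pd, selector) -> (target pd, permission set)
        self.pd_caps: Dict[Slot, Tuple[str, frozenset]] = {}

    def create(self, pd: str, sel: int, obj: str) -> None:
        self.maps.setdefault(pd, {})[sel] = Mapping(pd, sel, obj)

    def delegate(self, src: Slot, dst: Slot) -> None:
        parent = self.maps[src[0]][src[1]]
        child = Mapping(dst[0], dst[1], parent.obj, parent)
        parent.children.append(child)
        self.maps.setdefault(dst[0], {})[dst[1]] = child

    def _revoke_subtree(self, m: Mapping, self_too: bool) -> Set[Slot]:
        removed: Set[Slot] = set()
        for child in list(m.children):            # derived mappings always go
            removed |= self._revoke_subtree(child, True)
        if self_too:
            if m.parent is not None:
                m.parent.children.remove(m)
            del self.maps[m.pd][m.sel]
            removed.add((m.pd, m.sel))
        return removed

    def revoke_directed(self, caller: str, sel: int, self_too: bool = True) -> Set[Slot]:
        """Directed revoke rooted in the caller's own PD: the range must be
        mapped in the caller, so only mappings derived from it are affected."""
        m = self.maps.get(caller, {}).get(sel)
        if m is None:
            return set()
        return self._revoke_subtree(m, self_too)

    def grant_pd_cap(self, holder: Slot, target_pd: str, perms=()) -> None:
        self.pd_caps[holder] = (target_pd, frozenset(perms))

    def revoke_remote(self, caller: str, pd_cap_sel: int, sel: int,
                      self_too: bool = True) -> Set[Slot]:
        """Remote revoke through a PD cap: names a selector in the *target* PD.
        Without the (hypothetical) 'revoke' bit, any PD-cap holder could strip
        mappings it never established; the bit is what Udo's permission bit
        would withhold."""
        target, perms = self.pd_caps[(caller, pd_cap_sel)]
        if "revoke" not in perms:
            raise PermissionError(f"{caller}: PD cap {pd_cap_sel} lacks revoke right")
        m = self.maps.get(target, {}).get(sel)
        if m is None:
            return set()
        return self._revoke_subtree(m, self_too)


def demo() -> dict:
    """Constructed scenario: core hands port_A to driver, driver hands it on to
    client; core hands port_B to client directly. PD names are made up."""
    k = Kernel()
    k.create("core", 1, "port_A")
    k.create("core", 2, "port_B")
    k.delegate(("core", 1), ("driver", 5))
    k.delegate(("driver", 5), ("client", 7))
    k.delegate(("core", 2), ("client", 8))

    # driver can only revoke what it established itself: client:8 survives
    directed = k.revoke_directed("driver", 5)

    # monitor holds a PD cap for client; without the revoke bit it is refused
    k.grant_pd_cap(("monitor", 3), "client")
    try:
        k.revoke_remote("monitor", 3, 8)
        denied = False
    except PermissionError:
        denied = True

    # with the bit, the PD cap means total power: client:8 goes, though
    # monitor never established that mapping
    k.grant_pd_cap(("monitor", 3), "client", perms={"revoke"})
    remote = k.revoke_remote("monitor", 3, 8)
    return {"directed": directed, "denied": denied, "remote": remote,
            "client_left": sorted(k.maps["client"]),
            "core_left": sorted(k.maps["core"])}


if __name__ == "__main__":
    print(demo())
```

The model makes Udo's guarantee concrete: `revoke_directed` cannot name `client:8` at all, because no mapping derived from `driver:5` leads there, whereas `revoke_remote` reaches it as soon as the PD cap carries the right. Whether that right is implied by holding the PD cap (Norman's position) or gated by a separate bit (Udo's) is exactly the design question of the thread.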