Information flow in genode
norman.feske at ...1...
Mon Aug 11 15:52:53 CEST 2014
> Service A is pronounces to “init”.
> “Init” has the capability to Service A (e.g. AHCI).
> Program B is started.
> If Program B requests a service (e.g. read something fromAHCI), Init
> looks up its root list and notifies A that the service is requested, A
> creates a new capability and passes it to “Init”, which passes the
> capability further to B.
> Is this correct? And does this happen always?
yes and yes.
> Can a capability then be revoked? E.g. Program B does something which is
> not wanted and therefore the already given capability will be removed?
Since the common parent of A and B possesses both the root capability of
service A and the session capability created for the client B, the
parent can, at any time, close the session at service A by invoking the
'Root::close' function with the session capability as argument. (note
however that the init process has no such policy) When the service A
destructs the session (the 'Rpc_object') all capabilities that refer the
'Rpc_object' become invalid. The client is no longer able to reach the
service using the now invalidated session capability.
Hence, in principle, a common parent is able to break the relationship
between a client and a server by closing the corresponding sessions. In
practice, a partial revocation of access rights to once-established
sessions, is not common. "Revocation" should better be done by
destructing a subsystem altogether and starting a new one.
Dr.-Ing. Norman Feske
http://www.genode-labs.com · http://genode.org
Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
More information about the users