Information flow in genode

[Norman Feske]

Hi Wolfgang,

> Service A is pronounces to “init”.
> “Init” has the capability to Service A (e.g. AHCI).
> Program B is started.
> If Program B requests a service (e.g. read something fromAHCI), Init
> looks up its root list and notifies A that the service is requested, A
> creates a new capability and passes it to “Init”, which passes the
> capability further to B.
>  
> Is this correct? And does this happen always?

yes and yes.

> Can a capability then be revoked? E.g. Program B does something which is
> not wanted and therefore the already given capability will be removed?

Since the common parent of A and B possesses both the root capability of
service A and the session capability created for the client B, the
parent can, at any time, close the session at service A by invoking the
'Root::close' function with the session capability as argument. (note
however that the init process has no such policy) When the service A
destructs the session (the 'Rpc_object') all capabilities that refer the
'Rpc_object' become invalid. The client is no longer able to reach the
service using the now invalidated session capability.

Hence, in principle, a common parent is able to break the relationship
between a client and a server by closing the corresponding sessions. In
practice, a partial revocation of access rights to once-established
sessions, is not common. "Revocation" should better be done by
destructing a subsystem altogether and starting a new one.

Best regards
Norman

-- 
Dr.-Ing. Norman Feske
Genode Labs

http://www.genode-labs.com · http://genode.org

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth