why use ambient authority in genode hello world?
Dan Connolly
dckc at ...392...
Sat Jan 23 22:00:43 CET 2016
In a 2 Dec twitter conversation
<https://twitter.com/GenodeLabs/status/671941252162678784>, I was invited
to elaborate here; so...
I wholeheartedly agree when the Genode book
<http://genode.org/documentation/genode-foundations-15-05.pdf> says:
> *Capability-based security* supposedly makes security easy to use by
> providing an intuitive way to manage authority without the need for an
> all-encompassing and complex global system policy.
I don't understand why this principle is ignored in the hello world code
example:
> #include <base/printf.h>
> int main()
> {
>     Genode::printf("Hello world\n");
>     return 0;
> }
Why appeal to ambient authority to print to the console? Why not pass a
capability to main, as pony does with env
<https://github.com/CausalityLtd/ponyc/blob/master/packages/builtin/env.pony>,
capsicum at cap_enter() <http://lwn.net/Articles/482858/>, etc?
At lower levels of the architecture, genode has this structure; e.g. 3.5
component creation:
> The environment is constructed by successively requesting the component’s
> RM, RAM, CPU, and PD sessions from its parent.
Why not continue this structure in the base API?
--
Dan Connolly
http://www.madmode.com/
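An added example (not from the post, the Genode book, or Genode's actual API) that models in plain C++ the alternative the post asks for: the console is a capability object handed to the component through an environment, so the parent decides what authority the child gets and can attenuate it without touching the child's code. `Console`, `Env`, `hello_main` and `run_hello` are hypothetical names chosen for this illustration.

```cpp
#include <string>
#include <utility>

// Console capability: holding a reference to one of these IS the authority
// to write to the log. There is no global printf to reach for.
struct Console {
    virtual void write(const std::string &msg) = 0;
    virtual ~Console() = default;
};

// The parent's real console; 'sink' stands in for the kernel log.
struct LogConsole : Console {
    std::string sink;
    void write(const std::string &msg) override { sink += msg; }
};

// An attenuated console: a narrower authority the parent can delegate
// instead of the raw one (here every line is tagged with the child's name).
struct TaggedConsole : Console {
    Console &inner;
    std::string tag;
    TaggedConsole(Console &c, std::string t) : inner(c), tag(std::move(t)) {}
    void write(const std::string &msg) override {
        inner.write("[" + tag + "] " + msg);
    }
};

// Environment constructed by the parent and passed to the child: it carries
// exactly the capabilities the parent chose to delegate, nothing ambient.
struct Env {
    Console &console;
};

// Hello world with explicit authority: the only way to print is through the
// console the component was given.
int hello_main(Env &env)
{
    env.console.write("Hello world\n");
    return 0;
}

// Parent side: build the child's environment from the parent's own
// capabilities (optionally attenuated), run the child, return what was logged.
std::string run_hello(bool attenuate)
{
    LogConsole log;
    TaggedConsole tagged(log, "hello");
    Env env{attenuate ? static_cast<Console &>(tagged) : static_cast<Console &>(log)};
    int rc = hello_main(env);
    return rc == 0 ? log.sink : std::string();
}
```

The child's code is identical in both runs; only the authority the parent passed in differs, which is the property the post argues the base API should preserve.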