On that note, I actually agree with the article that "a capabilities-based distribution would be interesting to see" -- except with, you know, real capabilities :-). Unix has them, after all -- fds are exactly capabilities. (A pipe is a kernel-space ring buffer with two facets, etc.) The model is a little inelegant because you have normal numbered fds, the quasi-fds for "current directory" and "root directory" (all the syscalls that take filenames are effectively calls against the interface these fds provide), and the vast number of syscalls that are available to every process provides a little more exposure than one would like... (kill(2), for instance, is annoying). But these seem mostly solvable, and in these days of bind mounts, FUSE, containers, etc., one could do pretty credible POLA/capability-style containment with the stock Linux kernel and a custom userspace. Plus it seems worthwhile to try, because capabilities are the best chance for surviving worms and all the other wonderful conveniences of the modern internet, but so long as they only live in pure-research OSes they aren't going anywhere. Building on Linux gives you its existing userspace to use as a base, and lets you move quickly to dealing with the real problems of building a practical system that one can deploy, administer, etc. (Eros is very cool, but how the heck could one ever practically administer or even understand a system whose whole state is a blob of gigabytes of memory tied together willy-nilly by pointers?)
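An added illustration of the two points the comment makes (this is editor-supplied example code, not part of the comment above or of any project it mentions): a pipe's two ends really are distinct facets of one kernel object, and a directory fd behaves as a capability when every open goes through openat(2) against it rather than through an absolute path. The `open_beneath` helper and its ".." / leading-slash filter are assumptions of this example, a userspace stand-in for the kernel's RESOLVE_BENEATH (openat2(2), Linux 5.6+), which is what one would use for real; the filter below does not catch an intermediate symlink that points outside the directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Facets: the read end of a pipe cannot be written and the write end
 * cannot be read; the kernel answers EBADF, exactly as a capability
 * system refuses a right the holder was never given. */
int pipe_facets_are_separate(void) {
    int p[2];
    char c = 'x';
    if (pipe(p) != 0) return 0;
    int write_on_read_end = (write(p[0], &c, 1) == -1 && errno == EBADF);
    int read_on_write_end = (read(p[1], &c, 1) == -1 && errno == EBADF);
    close(p[0]);
    close(p[1]);
    return write_on_read_end && read_on_write_end;
}

/* Open `name` relative to `dirfd` only. Absolute paths and any ".."
 * component are refused so the dirfd is the sole authority used.
 * (Hypothetical helper; RESOLVE_BENEATH via openat2() is the real thing.) */
int open_beneath(int dirfd, const char *name, int flags) {
    if (name[0] == '/') { errno = EACCES; return -1; }
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') { errno = EACCES; return -1; }
        if (!slash) break;
        p = slash + 1;
    }
    /* O_NOFOLLOW only guards the final component, see lead-in caveat. */
    return openat(dirfd, name, flags | O_NOFOLLOW, 0);
}

/* Constructed scenario: a scratch directory holding one file. Holding the
 * dirfd grants access to "secret.txt"; attempts to reach outside the
 * directory through the same fd are refused. Returns 1 on success. */
int demo_dir_capability(void) {
    char dir[] = "/tmp/capdemoXXXXXX";
    if (mkdtemp(dir) == NULL) return 0;

    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/secret.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return 0; }
    if (write(fd, "hello\n", 6) != 6) { close(fd); unlink(path); rmdir(dir); return 0; }
    close(fd);

    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) { unlink(path); rmdir(dir); return 0; }

    int inside  = open_beneath(dirfd, "secret.txt", O_RDONLY);      /* granted */
    int escape1 = open_beneath(dirfd, "../secret.txt", O_RDONLY);   /* refused */
    int escape2 = open_beneath(dirfd, "/etc/passwd", O_RDONLY);     /* refused */

    int ok = (inside >= 0) && (escape1 == -1) && (escape2 == -1);
    if (inside >= 0) close(inside);
    close(dirfd);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("pipe facets separate: %s\n", pipe_facets_are_separate() ? "yes" : "no");
    printf("dirfd acts as capability: %s\n", demo_dir_capability() ? "yes" : "no");
    return 0;
}
```

The missing piece for a real POLA userspace is the other half of the comment's complaint: even with only a dirfd in hand, the process still has the ambient syscall surface (open(2) on absolute paths, kill(2), and so on), which is what one would take away with a seccomp filter, a mount namespace, or both.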
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds