[seL4] Re: seL4 service discovery question

On Wed, Apr 7, 2021 at 12:17 PM William ML Leslie < william.leslie.ttg@gmail.com> wrote:

On Wed, 7 Apr 2021 at 19:27, Matt Rice wrote:

...

It is a bit difficult to introduce string -> capability lookups without introducing some form of ambient authority, where the object connectivity graph of a typical capability system is heavily reliant on application and services having direct connectivity. service managers of the sort introduce a difficult many to many applications -> service manager, service manager -> services type of

object

...

graph, which in turn loses many valuable properties...

historically capability systems have typically avoided introducing such a mechanism. Instead relying on some kind of reflection mechanism or protocol. Some systems (keykos and eros) had an allegedType message that could be sent to capabilities, so if you know the allegedType of a network capability,

I can't speak for EROS as I don't have the full source, but its descendant CapROS only supports static association of an application with the network driver.

https://gitlab.com/william-ml-leslie/capros/-/blob/master/src/tutorials/http...

For something like network access which tends to be a static requirement of an application, a slightly more capability-oriented pattern would be to include network access in an application manifest, to be granted at install time (or stubbed, or switched on/off via the system settings menu), as approximated by mobile operating systems. The manifest could limit access to specific interfaces and ports, or to addresses obtained by resolving a limited set of hostnames (though think carefully about exactly what that buys you).

FWIW CapROS does have the mechanism I described it's somewhat hidden in the IDL compiler, Certainly install time could leverage the dynamic check of alleged type, I'm somewhat assuming you might have a capability like a crypto layer which acts as/proxies a network capability like a vpn tunnel... i.e. a capability which is not a genuine network but has one, and exposes the same interface. https://gitlab.com/william-ml-leslie/capros/-/blob/master/src/base/domain/ne... https://gitlab.com/william-ml-leslie/capros/-/blob/master/src/sys/eros/key.i... I do believe all the KeyKOS/EROS/CapROS/Coyotos systems had such a mechanism, can't speak for KeyKOS but it was documented, If you look at the netlistener.idl and it's lack of any presence there. but presumably someone somewhere needs to have gotten one statically for a network capability to be reachable in the domain... I was more responding in regards to dynamic aspects rather than network specifically... anyhow