-rw-r--r-- | abac.mdwn | 2
-rw-r--r-- | capability.mdwn (renamed from capabilities.mdwn) | 10
-rw-r--r-- | confused_deputy.mdwn (renamed from confuseddeputy.mdwn) | 2
-rw-r--r-- | hurd/authentication.mdwn | 4
-rw-r--r-- | ipc.mdwn | 2
-rw-r--r-- | microkernel/mach/concepts.mdwn | 11
-rw-r--r-- | microkernel/mach/external_pager_mechanism.mdwn (renamed from microkernel/mach/externalpagermechanism.mdwn) | 0
-rw-r--r-- | microkernel/mach/port.mdwn | 10
-rw-r--r-- | naming_context.mdwn (renamed from namingcontext.mdwn) | 0
-rw-r--r-- | persistency.mdwn (renamed from persistent.mdwn) | 0
10 files changed, 20 insertions, 21 deletions
@@ -20,6 +20,6 @@ In this model, access is not granted based on the identity of the caller but by an authorizing agent that delegates access to a particular resource. Such authorization is then encapsulated in -[[capabilities]] allowing them to be freely [[delegated]]. +[[capabilities|capability]] allowing them to be freely [[delegated|delegation]]. See also [[IBAC]]. diff --git a/capabilities.mdwn b/capability.mdwn index a483c0e7..06d3cf4a 100644 --- a/capabilities.mdwn +++ b/capability.mdwn @@ -23,18 +23,18 @@ carries the authority to manipulate it. By binding [[designation]] and [[authorization]] together, capabilities simplify [[delegation]]. Imagine that program instance A wants to tell program B to use a particular file to store some data. -Further imagine that A and B are running in different [[TrustDomains]] +Further imagine that A and B are running in different [[trust_domains]] (e.g., with different UIDs). If A sends B just the name of the file, B needs to first ensure that he does not accidentally enable A to access the file on his own authority. That is, B wants to protect against A hijacking his authority. (This problem is -refused to the [[ConfusedDeputy]] problem.) Also, since A likely +refused to the [[confused_deputy]] problem.) Also, since A likely sent a string to identify the file to B, the identifier lacks a -[[NamingContext]] and therefore may resolve to a different object -than A intended. Be ensuring that designation and authorization are +[[naming_context]] and therefore may resolve to a different object +than A intended. Be ensuring that [[designation]] and [[authorization]] are always bound together, these problems are avoided. Unix file descriptors can be viewed as capabilities. Unix file descriptors do not survive reboot, that is, they are not -[[persistent]]. To work around this, [[ACL]]s are used to +[[persistent|persistency]]. To work around this, [[ACL]]s are used to recover authority. 
diff --git a/confuseddeputy.mdwn b/confused_deputy.mdwn index 07df292b..1f03194b 100644 --- a/confuseddeputy.mdwn +++ b/confused_deputy.mdwn @@ -17,5 +17,5 @@ redistribute your contributions. [The confused deputy](http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html) problem was articulated by Norm Hardy. It is a possible consequence -when [[designation]] and [[authorization]] are separated. [[Capabilities]] +when [[designation]] and [[authorization]] are separated. [[Capabilities|capability]] help with this problem. diff --git a/hurd/authentication.mdwn b/hurd/authentication.mdwn index 4170c818..7ccd9b45 100644 --- a/hurd/authentication.mdwn +++ b/hurd/authentication.mdwn @@ -16,9 +16,9 @@ redistribute your contributions. """]] UIDs on the Hurd are separate from processes. A process has -[[capabilities]] designating so-called UID vectors that +[[capabilities|capability]] designating so-called UID vectors that are implemented by an [[auth]] server. This -makes them easily [[virtualizable]]. +makes them easily [[virtualizable|virtualization]]. When a process wishes to gain access to a resource provided by a third party (e.g., a file system) and that party wishes to authenticate the client @@ -32,5 +32,5 @@ any [[destructive_interference]] thereby removing the need for the caller to [[trust]] the callee thus reducing the former's [[tcb]]. When done systematically, this can increase the system's [[robustness]]. To this end, microkernels provide richer IPC semantics that include -the ability to transfer [[capabilities]] and to use [[virtual_memory]] +the ability to transfer [[capabilities|capability]] and to use [[virtual_memory]] [[mechanism]]s to copy data. diff --git a/microkernel/mach/concepts.mdwn b/microkernel/mach/concepts.mdwn index f81e4e4f..04dbb1c6 100644 --- a/microkernel/mach/concepts.mdwn +++ b/microkernel/mach/concepts.mdwn 
@@ -1,7 +1,6 @@ -[[Mach]] is a first-generation [[microkernel]]. Mach's basic abstractions include -[[AddressSpace]]s in the form of [[Mach/Task]]s, execution contexts in the -form of threads, [[Mach/IPC]], [[capabilities]] in the form of -[[Mach/Ports]], and [[Mach/MemoryObjects]], which enable -Mach's [[Mach/ExternalPagerMechanism]]. +[[Mach]] is a first-generation [[microkernel]]. Mach's basic abstractions +include [[address_space]]s in the form of [[task]]s, execution contexts in the +form of [[thread]]s, [[IPC]], [[capabilities|capability]] in the form of [[port]]s, and +[[memory_object]]s, which enable Mach's [[external_pager_mechanism]]. -Mach's API is well-[[documented|Mach/Documentation]].
\ No newline at end of file +Mach's [[API]] is well-[[documented|documentation]]. diff --git a/microkernel/mach/externalpagermechanism.mdwn b/microkernel/mach/external_pager_mechanism.mdwn index 169745fb..169745fb 100644 --- a/microkernel/mach/externalpagermechanism.mdwn +++ b/microkernel/mach/external_pager_mechanism.mdwn diff --git a/microkernel/mach/port.mdwn b/microkernel/mach/port.mdwn index 47ef427a..5dcc9ba3 100644 --- a/microkernel/mach/port.mdwn +++ b/microkernel/mach/port.mdwn @@ -15,7 +15,7 @@ your rights under copyright, including the rights to copy, modify, and redistribute your contributions. """]] -Mach ports are [[capabilities]]. +Mach ports are [[capabilities|capability]]. A Mach port is a kernel queue. Each port has associated with it a receive right and one or more send and send-once rights. @@ -33,15 +33,15 @@ a single message). Enqueuing a message is equivalent to [[invoke|invoking]] a capability. Send and receive rights are named using local names. Each -task has associated with it a port address space. A ports +task has associated with it a port [[address_space]]. A ports are addressed via this table. Each task thus has its own -private [[NamingContext]] for ports. +private [[naming_context]] for ports. -Ports can be [[delegate]]d in an IPC message. When the +Ports can be [[delegate]]d in an [[IPC]] message. When the receiver dequeues the message, the right is made available to it. -A thread can only block receiving on a single port. To work +A [[thread]] can only block receiving on a single port. To work around this, the concept of a port set was introduced. A receive right can be added to (at most) one port set. When a thread receives from a port set, it dequeues from any of the ports that diff --git a/namingcontext.mdwn b/naming_context.mdwn index be041211..be041211 100644 --- a/namingcontext.mdwn +++ b/naming_context.mdwn diff --git a/persistent.mdwn b/persistency.mdwn index e9d0a248..e9d0a248 100644 --- a/persistent.mdwn 
+++ b/persistency.mdwn |
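Review bot: two wording errors on lines the capability.mdwn hunk (`@@ -23,18 +23,18 @@`) already rewrites are carried over unchanged and should be fixed in the same edit: `refused to the [[confused_deputy]] problem.) Also, since A likely` reads as a typo (probably for "related to" or "referred to as"), and `than A intended. Be ensuring that [[designation]] and [[authorization]] are` should read "By ensuring that ...". Both lines are being touched for the link rename anyway, so correcting them here avoids a second commit against the same lines.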
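Review bot: the microkernel/mach/concepts.mdwn hunk drops the `Mach/` prefix from every link (`[[Mach/Task]]s` becomes `[[task]]s`, `[[Mach/Ports]]` becomes `[[port]]s`, `[[Mach/ExternalPagerMechanism]]` becomes `[[external_pager_mechanism]]`), so the page now relies on bare names being resolved relative to its own directory, where microkernel/mach/port.mdwn and the renamed microkernel/mach/external_pager_mechanism.mdwn live. Please confirm in a rendered build that each of these resolves to the Mach page and not to a same-named top-level page. The one case that looks like a deliberate retarget is `[[Mach/IPC]]` becoming `[[IPC]]`: the top-level ipc.mdwn is also edited in this commit, so that link may now land on the generic IPC page rather than a Mach-specific one, and the commit should say whether that is intended.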
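Review bot: in the port.mdwn hunk starting at `@@ -33,15 +33,15 @@`, the rewritten line `task has associated with it a port [[address_space]]. A ports` keeps a grammatical slip from the old text: `A ports are addressed via this table` should read "Ports are addressed via this ..." and, since the preceding sentence introduces a port address space rather than a table, "this table" has no antecedent and should name the space. The same hunk also leaves `[[delegate]]d` pointing at a `delegate` page, while the abac.mdwn hunk in this commit rewrites its own link as `[[delegated|delegation]]`; the two pages should agree on a single link target for delegation.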