ACL vs Capability

Thomas E. Spanjaard tgen at
Mon Jul 3 11:43:27 PDT 2006

TongKe Xue wrote:
Thomas E. Spanjaard wrote:
The granularity of capabilities is actually per 'object', not per 
process necessarily. You can control virtual memory mappings with 
capabilities too, and that's far more fine-grained than just per 
process (which would result in an 'everything-or-nothing' approach 
because of per process capabilities).
When a process P wants an access to an object O, ACL's look at the user 
who P is executing as and decide whether to grant access. Capabilities 
on the other hand, will make the decision based on P instead. Correct? I 
don't understand the virtual memory example.
Actually, capabilities check whether the entity that wants access to 
object O has a capability for the type of access to this particular 
object. It doesn't have to be a process per se to have capabilities to 
an object, other 'entities' in the 'universe' can as well (threads, 
light-weight processes, users, network connections, etc). What I meant 
with virtual memory, is that when for example entity E has a read 
capability for object O, then the memory object O is residing in is 
mapped as read-only into the virtual memory space of entity E. Ofcourse 
entity E has to be in PL >0, otherwise it could work around the kernel 
capability check and memory manager :).

        Thomas E. Spanjaard
        tgen at xxxxxxxxxxxxx
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00002.pgp
Type: application/octet-stream
Size: 186 bytes
Desc: "Description: OpenPGP digital signature"
URL: <>

More information about the Kernel mailing list