ACL vs Capability
Thomas E. Spanjaard
tgen at netphreax.net
Mon Jul 3 06:02:35 PDT 2006
TongKe Xue wrote:
> Is the plan to have Dragonfly be ACL or Capability (I see the word
> capability mentioned around here and there, but no conclusive doc saying
> "Dragonfly will be capability based control.")

I'm not sure if anyone has really thought about that, but I reckon
TrustedBSD ACLs are easiest to integrate.

> If there will be support for the latter, is it correct to say that ACL
> == control at the level of granularity based on user running the
> process, Capability == control at the level of granularity of the
> process.

The granularity of capabilities is actually per 'object', not per
process necessarily. You can control virtual memory mappings with
capabilities too, and that's far more fine-grained than just per process
(which would result in an 'everything-or-nothing' approach because of
per process capabilities).
Cheers,
--
Thomas E. Spanjaard
tgen at xxxxxxxxxxxxx
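
Added example (not part of the original message, and not DragonFly or TrustedBSD code): a toy Python model of the distinction discussed in this thread, where an ACL decision is keyed on the user while a capability designates one object, here including a memory mapping. The `Kernel` class, the object names and the rights strings are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# ACL model: the decision is keyed on the user the process runs as (constructed data)
ACL = {"file:/var/log/app": {"alice": {"append"}}}

def acl_allows(user, obj, right):
    return right in ACL.get(obj, {}).get(user, set())

# Capability model: the decision is keyed on a token designating one object
@dataclass(frozen=True)
class Capability:
    obj: str            # the single object this capability designates
    rights: frozenset   # what the holder may do to that object
    token: str          # stands in for kernel-enforced unforgeability

class Kernel:           # hypothetical reference monitor
    def __init__(self):
        self._issued = {}   # token -> (obj, rights) for every capability minted

    def mint(self, obj, rights):
        cap = Capability(obj, frozenset(rights), secrets.token_hex(16))
        self._issued[cap.token] = (cap.obj, cap.rights)
        return cap

    def valid(self, cap):
        return self._issued.get(cap.token) == (cap.obj, cap.rights)

    def attenuate(self, cap, rights):
        # Derive a weaker capability for delegation; rights can only shrink
        if not self.valid(cap):
            raise PermissionError("forged capability")
        return self.mint(cap.obj, cap.rights & frozenset(rights))

    def allows(self, held, obj, right):
        return any(self.valid(c) and c.obj == obj and right in c.rights for c in held)

def demo():
    k = Kernel()
    region = k.mint("vm:0x1000-0x2000", {"read", "write"})  # a memory mapping as an object
    logf = k.mint("file:/var/log/app", {"append"})
    parser = [k.attenuate(region, {"read"})]  # two processes of the same user,
    logger = [logf]                           # each holding different capabilities
    forged = Capability(region.obj, frozenset({"write"}), "0" * 32)
    return {"acl_any_alice_process": acl_allows("alice", "file:/var/log/app", "append"),
            "parser_read_region": k.allows(parser, region.obj, "read"),
            "parser_write_region": k.allows(parser, region.obj, "write"),
            "logger_read_region": k.allows(logger, region.obj, "read"),
            "forged_write_region": k.allows([forged], region.obj, "write")}
```

Under the ACL every process running as `alice` gets the same answer, while the two capability lists give the `parser` and `logger` processes different authority over individual objects even though the same user runs both.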