This commit removes the grant right from reply caps on MCS. This is the second alternative discussed in seL4 RFC-13: https://sel4.atlassian.net/browse/RFC-13

Grant rights on reply object caps in MCS have limited use, because any server with sufficient untyped memory can create new reply objects with full grant rights.

A previous change restricted a server's ability to grant to its clients by requiring that the server has grant rights on both the reply object cap and the endpoint cap it used to receive a call. This change removes grant rights from reply object caps, so that only the grant rights on the receive endpoint matter.

This second change is motivated by the observation that there is no clear use for a grant right on reply object caps once the first change is implemented.

We did consider a hypothetical use case for this grant right. Suppose there is a server T that is trusted to grant to its clients, but which may delegate some calls to another server U that is *not* trusted to grant to its clients. One way to perform the delegation would be for T to pass the reply object capability to U, so that U can reply directly. T would need grant rights on its receive endpoint, but would need to be able to diminish grant rights on any reply object capability before passing it to U.

However, we concluded that the protocol that would be needed to manage reply objects between T and U would be more complex and less efficient than simply proxying the reply via T. Additionally, it's not even possible to construct such a system in a non-MCS configuration, because the non-MCS kernel does not provide an API to diminish the rights on a reply capability, other than using the grant right on the receiver's endpoint capability.

Signed-off-by: Matthew Brecknell <matt@kry10.com>
The seL4 microkernel
This project contains the source code of seL4 microkernel.
For details about the seL4 microkernel, including details about its formal correctness proof, please see the sel4.systems website and associated FAQ.
DOIs for citing recent releases of this repository:
We welcome contributions to seL4. Please see the website for information on how to contribute.
This repository is usually not used in isolation, but as part of the build system in a larger project.
seL4 Basics
- Tutorials
- Documentation
- seL4 libraries
- seL4Test
- Debugging guide
- Benchmarking guide
- Virtualization on seL4
- Host Build Dependencies
- Porting seL4
Community
See the contact links on the seL4 website for the full list.
Reporting security vulnerabilities
If you believe you have found a security vulnerability in seL4 or related software, we ask you to follow our vulnerability disclosure policy.
Manual
A hosted version of the manual for the most recent release can be found here.
A web version of the API can be found here.
Repository Overview
- include and src: C and ASM source code of seL4
- tools: build tools
- libsel4: C bindings for the seL4 ABI
- manual: LaTeX sources of the seL4 reference manual
Build Instructions
See the seL4 website for build instructions.
Status
A list of releases and current project status can be found under seL4 releases.
- Roadmap: new features in development
- Hardware Support: information about hardware platform ports
- Kernel Features: information about available kernel features
- Userland Components and Drivers: available device drivers and userland components
License
See the file LICENSE.md.