How Much Confinement Do We Want?

NOTE: I am absolutely sure this is incredibly incomplete and/or wrong. This is not up to date!


There has been a lot of traffic on the l4-hurd list lately. A good bit of this is related to the question this entry is about: how much confinement do we want? The idea of not implementing full confinement was (accidentally?) raised by Marcus, who had planned to raise it at some point, but not yet.


In this section I try to sketch some terminology that came up during the discussion.


creator

The creator is the party that creates the confined (constructor) object. [2]

instantiator

The instantiator is the party that uses the confined (constructor) object. [2]

encapsulation

Encapsulation means that information (including authority) cannot be extracted from a program without its consent. This is a restriction on "read in" behavior. [3]

confinement

Confinement means that a program cannot communicate outward through unauthorized channels. This is a restriction on "write out" behavior. [3]

non-trivial confinement

Marcus: ``[non-trivial confinement] is the confined constructor design pattern.'' [1]

We speak about non-trivial confinement when creator != instantiator. [2]

trivial confinement

Marcus: ``[trivial confinement] is what the Hurd will do'' [1]

We speak about trivial confinement when creator == instantiator. [2]

principle of user freedom/autonomy

The principle of user freedom and autonomy means the user's right to use, inspect, alter and copy all resources attributed to or owned by the user. [4]

freedom of digital information


The Positions

Here I try to sketch the different positions.

Use and Implement Only Trivial Confinement by Default


  • Follows the principle of user freedom
  • add more here


  • Use cases for non-trivial confinement may exist that we cannot yet think of.
  • add more here

Implement Full Confinement and Utilize It


  • There are many years of experience with confinement.
  • add more here


  • It does not follow the principle of user freedom.
  • add more here

Preliminary Summary Statements

An Attempt to Push the Discussion in a Constructive Direction

Marcus started a challenge [5] to find a use case for non-trivial confinement that is interesting for the Hurd and cannot be implemented otherwise. The exact challenge definition can be found in the mail.

-- TomBachmann - 01 May 2006