IPC Authorization

OKL4 2.1 implements access control for IPC using a capability-based security model. In earlier versions, IPC access control was performed with the L4_SecurityControl() system call, specifying the IPC security domain as the security domain to operate on. That domain has been removed in OKL4 2.1.

Motivation for Capability-based IPCs

In a capability-based security model, capabilities (caps) encode not only the identity of an object but also the operations that may be performed on it. As a result, the ability to send IPC to a thread is itself a capability within this model.

The IPC cap is a useful distinction from the more powerful master cap. Holders of the master cap may perform any kernel operation on the associated thread. The master cap is the equivalent of the global thread identifier, which was used to perform this function in previous versions of OKL4.

Creating a category of caps used exclusively for IPC enables threads to communicate with each other without holding the other party's master cap.
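To make the distinction between an IPC cap and a master cap concrete, the following is an added example, not OKL4 code: a toy model in C in which each task holds capabilities only as slot indices into a per-task capability space, each slot pairs a thread with a rights mask, and the kernel-side check requires the right matching the requested operation. The structures, rights bits and function names (cspace_install, cap_derive, ipc_send, thread_suspend) are assumptions made for illustration and do not correspond to the OKL4 API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of capability-based IPC authorization. Not OKL4 code: the
 * structures, rights bits and function names are assumptions for illustration. */

/* Operations a capability may authorize on a thread. */
#define RIGHT_IPC      (1u << 0)   /* send IPC to the thread */
#define RIGHT_CONTROL  (1u << 1)   /* any other kernel operation on the thread */
#define RIGHTS_MASTER  (RIGHT_IPC | RIGHT_CONTROL)

struct thread {
    uint32_t id;
    int      mailbox;     /* last message delivered by ipc_send() */
    bool     suspended;
};

/* A capability pairs the object with the rights its holder has on it.
 * Tasks never see this struct directly; they only hold slot indices. */
struct cap {
    struct thread *target;   /* NULL means the slot is empty */
    uint32_t       rights;
};

#define CSPACE_SLOTS 8

/* Per-task capability space. Because a task can only name slots in its own
 * space, it cannot forge a cap it was never granted. */
struct cspace {
    struct cap slot[CSPACE_SLOTS];
};

/* Install a cap with the given rights; returns the slot index or -1 if full. */
int cspace_install(struct cspace *cs, struct thread *t, uint32_t rights)
{
    for (int i = 0; i < CSPACE_SLOTS; i++) {
        if (cs->slot[i].target == NULL) {
            cs->slot[i].target = t;
            cs->slot[i].rights = rights;
            return i;
        }
    }
    return -1;
}

/* Kernel-side check: is slot idx populated and does it carry every right in needed? */
static bool cap_permits(const struct cspace *cs, int idx, uint32_t needed)
{
    if (idx < 0 || idx >= CSPACE_SLOTS)
        return false;
    const struct cap *c = &cs->slot[idx];
    return c->target != NULL && (c->rights & needed) == needed;
}

/* Copy the cap in slot idx of 'from' into 'to', keeping only the rights in
 * 'mask'. Rights are intersected, so a holder can delegate less than it has
 * but never more. Returns the new slot index or -1. */
int cap_derive(const struct cspace *from, int idx, struct cspace *to, uint32_t mask)
{
    if (!cap_permits(from, idx, 0))   /* needed == 0: only requires a populated slot */
        return -1;
    const struct cap *c = &from->slot[idx];
    return cspace_install(to, c->target, c->rights & mask);
}

/* Sending IPC needs only RIGHT_IPC. Returns 0 on success, -1 if unauthorized. */
int ipc_send(struct cspace *cs, int idx, int msg)
{
    if (!cap_permits(cs, idx, RIGHT_IPC))
        return -1;
    cs->slot[idx].target->mailbox = msg;
    return 0;
}

/* Suspending a thread is a control operation and needs the master rights. */
int thread_suspend(struct cspace *cs, int idx)
{
    if (!cap_permits(cs, idx, RIGHTS_MASTER))
        return -1;
    cs->slot[idx].target->suspended = true;
    return 0;
}

int main(void)
{
    struct thread server = { .id = 7, .mailbox = 0, .suspended = false };
    struct cspace supervisor = { 0 }, client = { 0 };

    /* The supervisor created the thread and holds its master cap. */
    int master = cspace_install(&supervisor, &server, RIGHTS_MASTER);

    /* It hands the client an IPC-only cap to the same thread. */
    int ipc = cap_derive(&supervisor, master, &client, RIGHT_IPC);

    /* The client may talk to the thread but not control it, and re-deriving
     * its own cap with a wider mask cannot add rights it never had. */
    int escalated = cap_derive(&client, ipc, &client, RIGHTS_MASTER);

    printf("client ipc_send:           %d\n", ipc_send(&client, ipc, 42));            /* 0 */
    printf("client thread_suspend:     %d\n", thread_suspend(&client, ipc));          /* -1 */
    printf("client via derived cap:    %d\n", thread_suspend(&client, escalated));    /* -1 */
    printf("supervisor thread_suspend: %d\n", thread_suspend(&supervisor, master));   /* 0 */
    return 0;
}
```

The point of the model is that the client never learns a global identifier for the server thread; it holds only an index into its own cap space, and the rights stored in that slot decide what the kernel will do on its behalf. Delegation through cap_derive intersects rights, so the IPC-only cap cannot be widened back into a master cap by its holder.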

IPC Caps Usage

Capabilities are described further in the OKL4 library header libs/l4/include/caps.h and in Section A-4, Capabilities, of the OKL4 Kernel Programming Manual.

IpcAuthorization (last edited 2008-08-11 02:34:29 by localhost)