From: Lawrence D'Oliveiro
Newsgroups: comp.arch
Subject: Re: Privilege Levels Below User
Date: Sat, 8 Jun 2024 00:06:41 -0000 (UTC)
Organization: A noiseless patient Spider

On Fri, 07 Jun 2024 12:03:03 -0600, John Savard wrote:

> So I am thinking it might be useful to have, for example, two states
> less privileged than the user state, and some mechanism for user
> programs to call subroutines which are in that state until they return -
> the return instruction being limited, sort of like a supervisor call, so
> it can only return in a proper manner.

MULTICS lives!

That was the next-generation kitchen-sink OS from the latter 1960s that
was taking so long to develop that Bell Labs pulled out of the project and
set about creating their own, much less ambitious OS instead, which they
initially called “UNICS” (to indicate it was the opposite of “MULTICS”).

MULTICS required hardware with 8 different privilege levels (rings), from
0 (most privileged) to 7 (least privileged). User code normally ran at
ring 4. This left 5, 6 and 7 available for ordinary users to impose their
own additional isolation on code they didn’t quite trust.

Another option, less of a hierarchy and more of a privilege matrix, would
be to use capabilities. I think I mentioned CHERI in this newsgroup
previously.
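As an added illustration (not part of the post above, and not a description of Multics, CHERI or any real processor): a small C model of the two schemes the reply contrasts. The ring half uses the post's numbering (0 most privileged, 7 least, user code at ring 4) and models the quoted proposal of calling outward into a less privileged ring with a return instruction that can only go back the proper way; the call-stack bookkeeping and the `call_outward`/`return_inward` names are assumed simplifications. The capability half is an explicit subject-by-object rights matrix, plus a check for whether a given matrix could be expressed as a ring hierarchy at all. The sample matrices are constructed for the example.

```c
/* Added illustration, not code from the post or from any real system.
 * Hierarchical rings (0 = most privileged, 7 = least, user code at 4)
 * versus a non-hierarchical capability matrix. The call/return "gate"
 * below is an assumed simplification of the mechanism the post quotes. */
#include <stdio.h>

#define RING_MIN  0
#define RING_MAX  7
#define MAX_DEPTH 8

/* Hierarchical rule: a subject running at ring r may touch an object
 * assigned to ring t only when r is at least as privileged, i.e. r <= t. */
int ring_allows(int subject_ring, int object_ring)
{
    if (subject_ring < RING_MIN || subject_ring > RING_MAX) return 0;
    if (object_ring  < RING_MIN || object_ring  > RING_MAX) return 0;
    return subject_ring <= object_ring;
}

/* Minimal CPU state for "call a subroutine in a less privileged state
 * until it returns". The caller's ring is saved on a stack the callee
 * cannot see; the only way back is return_inward(). */
struct cpu {
    int cur_ring;
    int saved[MAX_DEPTH];
    int depth;
};

void cpu_init(struct cpu *c, int ring) { c->cur_ring = ring; c->depth = 0; }

/* Outward call: only to a strictly less privileged ring. A call toward a
 * more privileged ring is refused here; that is what a supervisor call,
 * not an ordinary call, is for. */
int call_outward(struct cpu *c, int target_ring)
{
    if (target_ring <= c->cur_ring || target_ring > RING_MAX) return 0;
    if (c->depth >= MAX_DEPTH) return 0;
    c->saved[c->depth++] = c->cur_ring;
    c->cur_ring = target_ring;
    return 1;
}

/* The limited return: the callee may name a destination, but the
 * instruction honours only the ring recorded at call time, so ring-6
 * code cannot "return" into ring 0 or anywhere else it chooses. */
int return_inward(struct cpu *c, int requested_ring)
{
    if (c->depth == 0) return 0;
    if (requested_ring != c->saved[c->depth - 1]) return 0;
    c->cur_ring = c->saved[--c->depth];
    return 1;
}

/* Capability matrix: each subject either holds a right to each object or
 * it does not. No ordering between subjects is implied. */
#define N_SUBJ 3
#define N_OBJ  3
typedef unsigned char cap_matrix[N_SUBJ][N_OBJ];

int cap_allows(cap_matrix m, int subject, int object)
{
    if (subject < 0 || subject >= N_SUBJ) return 0;
    if (object  < 0 || object  >= N_OBJ)  return 0;
    return m[subject][object] != 0;
}

/* rights(a) is a subset of rights(b)? */
static int subset(cap_matrix m, int a, int b)
{
    for (int o = 0; o < N_OBJ; o++)
        if (m[a][o] && !m[b][o]) return 0;
    return 1;
}

/* A ring hierarchy can express the matrix only if the subjects can be
 * totally ordered by inclusion of their rights (every pair comparable).
 * Returns 1 if such an ordering exists, 0 if the matrix needs a genuine
 * privilege matrix rather than a hierarchy. */
int matrix_is_hierarchical(cap_matrix m)
{
    for (int a = 0; a < N_SUBJ; a++)
        for (int b = a + 1; b < N_SUBJ; b++)
            if (!subset(m, a, b) && !subset(m, b, a)) return 0;
    return 1;
}

int main(void)
{
    struct cpu c;
    cpu_init(&c, 4);                              /* ordinary user code */
    printf("call untrusted code at ring 6: %d\n", call_outward(&c, 6));
    printf("ring-6 code writes ring-4 data: %d\n", ring_allows(c.cur_ring, 4));
    printf("ring-6 code 'returns' to ring 0: %d\n", return_inward(&c, 0));
    printf("ring-6 code returns to ring 4:  %d\n", return_inward(&c, 4));

    /* constructed matrix: three subjects, each with a right the others lack */
    cap_matrix m = { {1, 1, 0}, {1, 0, 1}, {0, 1, 1} };
    printf("expressible as rings: %d\n", matrix_is_hierarchical(m));
    return 0;
}
```

The last check is the point of the post's second paragraph: three subjects that each hold a right the other two lack cannot be lined up 0..7 in any order, so rings 5, 6 and 7 can isolate untrusted code from the user but cannot isolate two untrusted components from each other unless one is strictly less privileged than the other; a capability matrix can.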