Mill Computing, Inc. Forums The Mill Architecture Inter-process Communication Reply To: Inter-process Communication

Christophe Biocca
Post count: 3

As far as the wiki is concerned, whether a call is a portal call or a regular call is not determined by the caller (both use the same call opcode). Portal-call vs. in-turf execution vs. fault is determined by the
permissions of the calling turf on the entry point of the called code.

In addition to the above, a turf can grant/revoke portal/execute permissions on their code to other turfs, as a way to achieve microkernel-style privilege separation.

This protects the caller, but the callee can’t know for certain that the foreign code they’re calling into will actually run in a different turf. I could write an evil portal service that grants plain execute to would be callers, and they wouldn’t be able to tell.

Am I missing something? Is this just a matter of policy (always have a separate, trusted, turf control the portal permissions so that you can trust that they’re set properly and never changed out from under you), or is there a way for a caller to say “this must be a portal call, fault otherwise”?