> Mill does not have the SeL4 problem of needing to know permissions at thread creation. Because we use a grant model rather than a capability model, you can create a turf with no permissions at all and then add permissions dynamically later by subsequent grants of permission.
I don’t think SeL4 sees this as a problem. If you can grant permissions later, you still need a way of referencing the turf. The point is that even the ability to reference the turf is a privledge in SeL4, which I think is actually quite novel and makes sense. Linux has recently had to “fix” this problem with process handles (using a file descriptor), because process IDs sometimes get reused. Which is similar to the question about:
> the set of Well Known Regions
How does this fit into the graph and not level or flat permission model? This sound to me like exactly what I was asking about, but it is not defined.