Have the spawn interface for the process manager require cap_procmng.
The process manager now sends cap_procmng with spawn requests. Spawnd then
identifies the capability and only proceeds with obliging the request if the
latter is indeed of ObjType_ProcessManager.
The idea behind this change is that, even if spawnd does not register with the
nameservice anymore (hence its iref is not publicly retrievable), a malicious
domain could still attempt to bypass process management spawn validation by
brute-force sending spawn requests to a range of irefs. If one of those irefs
happened to belong to a spawnd, then the latter would assume the spawn request
to be valid. Having the spawn API require cap_procmng ensures that only
requests issued by the process manager and entities it trusts will be obliged.
Signed-off-by: Razvan Damachi <razvan.damachi@gmail.com>
projects / barrelfish / commit