Dan Sugalski wrote:
All security is done on a per-interpreter basis. (really on a per-thread basis, but since we're one-thread per interpreter it's essentially the same thing)...
* Number of open files * IO operations/sec * IO operations total
...
Can an "application" get more resources simply by spawning threads? If the answer is "no, parent and child must divide share their quotas" then there is a load balancing problem. If the answer is "yes", then there's no real protection at all. A threads-per-second limit isn't an answer here, either (a malicious app could sit around for a few hours, launching threads at a low intensity, until it has enough to bring down the system).
Is a thread really the right thing to apply these limits to? It seems to me that there needs to be some sort of token (cf. cash; cf "capability") that an application can obtain/spend/refresh to do these ops. An application could share its token(s) with any threads it creates. It could probably even "loan" its token to a backgroud thread that does some operation on behalf of many other threads.
