I propose to list here some technologies that have capability characteristics but ultimately fail to provide capability benefits.
BSD beside Mach
Apple’s description of the Mach kernel within the OS X system for the Mac seems to describe a capability system.
The italic section at the end, however, seems peculiar from our perspective.
They seem to say that the ability to send messages on ports is dangerous and must be limited to very trusted programs.
From our perspective the issue is not whether bad programs hold port rights, but which port rights they hold.
If this is just a misunderstanding of the writer (and reviewers), there may be gold to be mined in OSX.
See some earlier Mach notes and this concept map.
From the Kernel Programming Guide: Architecture:
In Mac OS X, however, the kernel environment contains much more than the Mach kernel itself.
The Mac OS X kernel environment includes the Mach kernel, BSD, the I/O Kit, file systems, and networking components.
These are often referred to collectively as the kernel.
Each of these components is described briefly in the following sections.
For further details, refer to the specific component chapters or to the reference material listed in the bibliography.
I understand from this that all of BSD and the “I/O Kit” are in everyone’s TCB.
From the Mach Overview we hear:
Mach 3.0 was originally conceived as a simple, extensible, communications microkernel.
It is capable of running as a stand-alone kernel, with other traditional operating-system services such as I/O, file systems, and networking stacks running as user-mode servers.
It seems clear that this extended kernel all runs in privileged mode.
Still, this does not preclude adding cages for untrusted code, cages that limit what their contents can reach by withholding “port rights”.
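As an added illustration of the point above (this is not Apple's or Mach's code), here is a toy Python model of Mach-style port rights: each task has its own port-name space, a send succeeds only on a name that holds a send right, and rights travel inside messages, so a caged task can reach exactly what it was handed plus what the servers it can talk to choose to hand back. The model omits send-once rights and the MAKE_SEND/COPY_SEND distinction; task names, port labels and message bodies are constructed for the demo.

```python
SEND, RECEIVE = "send", "receive"

class Port:
    def __init__(self, label):
        self.label, self.queue = label, []   # label is for the demo; Mach ports are anonymous

class Task:
    """A task's port-name space: small integers that name (port, right) pairs."""
    def __init__(self, name):
        self.name, self.names, self._next = name, {}, 0

    def insert_right(self, port, right):
        self._next += 1
        self.names[self._next] = (port, right)
        return self._next

    def send(self, name, body, carry=()):
        """Queue body on the named port; send rights for the names in carry travel with it."""
        port, right = self.names.get(name, (None, None))
        if right != SEND:
            raise PermissionError(f"{self.name}: no send right named {name}")
        port.queue.append((body, [self.names[n][0] for n in carry]))

    def receive(self, name):
        """Dequeue a message; any carried rights land in this task's own name space."""
        port, right = self.names[name]
        if right != RECEIVE:
            raise PermissionError(f"{self.name}: no receive right named {name}")
        body, carried = port.queue.pop(0)
        return body, [self.insert_right(p, SEND) for p in carried]

    def reachable(self):
        return sorted({p.label for p, r in self.names.values() if r == SEND})

def cage_demo():
    files, caged = Task("file-server"), Task("untrusted")
    files_rx = files.insert_right(Port("file-server"), RECEIVE)
    fs = caged.insert_right(files.names[files_rx][0], SEND)  # the cage: this right and nothing else
    reply_rx = caged.insert_right(Port("reply"), RECEIVE)
    before = caged.reachable()
    caged.send(fs, "open doc.txt", carry=[reply_rx])   # request, plus a right to answer on
    _, (reply_tx,) = files.receive(files_rx)
    files.send(reply_tx, "ok", carry=[files.insert_right(Port("handle:doc.txt"), RECEIVE)])
    caged.receive(reply_rx)                              # the handle right is now in the cage
    try:
        caged.send(99, "connect")                        # a guessed name for some other server
        forged = True
    except PermissionError:
        forged = False
    return before, caged.reachable(), forged
```

The caged task's reach grows only by the one handle the file server chose to return, and a name it never held buys it nothing; that is the difference between asking whether a program holds port rights and asking which ones.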
However, in Mac OS X, Mach is linked with other kernel components into a single kernel address space.
This is primarily for performance; it is much faster to make a direct call between linked components than it is to send messages or do remote procedure calls (RPC) between separate tasks.
This modular structure results in a more robust and extensible system than a monolithic kernel would allow, without the performance penalty of a pure microkernel.
Tasks and Threads is a clear description of concepts and constructs.