From c1b981ede4ccb0cef320ec9fe8c5ee2b01a2dec0 Mon Sep 17 00:00:00 2001
From: Norman Feske <norman.feske@genode-labs.com>
Date: Sun, 7 May 2017 22:03:25 +0200
Subject: [PATCH] Annotate session interfaces with CAP_QUOTA

The new 'CAP_QUOTA' enum value denotes the capability quota to be
transferred from the client to the server at session-creation time.

Issue #2398
---
 repos/base-hw/include/vm_session/connection.h            | 2 +-
 repos/base-hw/include/vm_session/vm_session.h            | 2 ++
 .../test/cpu_quota/include/sync_session/sync_session.h   | 2 ++
 repos/base-nova/src/test/platform/server.h               | 2 ++
 repos/base/include/cpu_session/connection.h              | 4 ++--
 repos/base/include/cpu_session/cpu_session.h             | 7 +++++++
 repos/base/include/io_mem_session/connection.h           | 4 ++--
 repos/base/include/io_mem_session/io_mem_session.h       | 7 +++++++
 repos/base/include/io_port_session/connection.h          | 4 ++--
 repos/base/include/io_port_session/io_port_session.h     | 2 ++
 repos/base/include/irq_session/connection.h              | 2 +-
 repos/base/include/irq_session/irq_session.h             | 2 ++
 repos/base/include/log_session/connection.h              | 8 ++++----
 repos/base/include/log_session/log_session.h             | 6 ++++++
 repos/base/include/pd_session/connection.h               | 4 ++--
 repos/base/include/pd_session/pd_session.h               | 8 ++++++++
 repos/base/include/ram_session/connection.h              | 6 +++---
 repos/base/include/ram_session/ram_session.h             | 2 ++
 repos/base/include/rm_session/connection.h               | 5 +++--
 repos/base/include/rm_session/rm_session.h               | 6 ++++++
 repos/base/include/rom_session/connection.h              | 3 ++-
 repos/base/include/rom_session/rom_session.h             | 7 +++++++
 repos/base/include/trace_session/trace_session.h         | 2 ++
 repos/base/src/test/mp_server/main.cc                    | 2 ++
 repos/hello_tutorial/include/hello_session/connection.h  | 2 +-
 .../hello_tutorial/include/hello_session/hello_session.h | 2 ++
 repos/os/include/audio_in_session/audio_in_session.h     | 2 ++
 repos/os/include/audio_in_session/connection.h           | 4 ++--
 repos/os/include/audio_out_session/audio_out_session.h   | 2 ++
 repos/os/include/audio_out_session/connection.h          | 4 ++--
 repos/os/include/block_session/block_session.h           | 2 ++
 repos/os/include/block_session/connection.h              | 4 ++--
 repos/os/include/file_system_session/connection.h        | 2 ++
 .../os/include/file_system_session/file_system_session.h | 2 ++
 repos/os/include/framebuffer_session/connection.h        | 3 ++-
 .../os/include/framebuffer_session/framebuffer_session.h | 7 +++++++
 repos/os/include/gpio_session/connection.h               | 3 ++-
 repos/os/include/gpio_session/gpio_session.h             | 2 ++
 repos/os/include/input_session/connection.h              | 6 ++++--
 repos/os/include/input_session/input_session.h           | 7 +++++++
 repos/os/include/loader_session/loader_session.h         | 2 ++
 repos/os/include/nic_session/connection.h                | 4 ++--
 repos/os/include/nic_session/nic_session.h               | 8 ++++++++
 repos/os/include/nitpicker_session/connection.h          | 1 +
 repos/os/include/nitpicker_session/nitpicker_session.h   | 9 +++++++++
 repos/os/include/platform_session/connection.h           | 3 ++-
 repos/os/include/regulator_session/connection.h          | 4 ++--
 repos/os/include/regulator_session/regulator_session.h   | 2 ++
 repos/os/include/report_session/connection.h             | 4 ++--
 repos/os/include/report_session/report_session.h         | 7 +++++++
 repos/os/include/rtc_session/rtc_session.h               | 2 ++
 .../spec/imx53/platform_session/platform_session.h       | 2 ++
 .../include/spec/rpi/platform_session/platform_session.h | 2 ++
 repos/os/include/spec/x86/platform_session/connection.h  | 6 ++++--
 .../include/spec/x86/platform_session/platform_session.h | 2 ++
 repos/os/include/terminal_session/connection.h           | 4 ++--
 repos/os/include/terminal_session/terminal_session.h     | 7 +++++++
 repos/os/include/timer_session/connection.h              | 4 +++-
 repos/os/include/timer_session/timer_session.h           | 2 ++
 repos/os/include/usb_session/connection.h                | 4 ++--
 repos/os/include/usb_session/usb_session.h               | 2 ++
 .../os/src/drivers/platform/spec/x86/pci_device_pd_ipc.h | 2 ++
 repos/ports/include/noux_session/noux_session.h          | 2 ++
 63 files changed, 193 insertions(+), 45 deletions(-)

diff --git a/repos/base-hw/include/vm_session/connection.h b/repos/base-hw/include/vm_session/connection.h
index ac952f22d0..31fa9b56b2 100644
--- a/repos/base-hw/include/vm_session/connection.h
+++ b/repos/base-hw/include/vm_session/connection.h
@@ -32,7 +32,7 @@ struct Genode::Vm_connection : Connection<Vm_session>, Vm_session_client
 	                                unsigned long affinity)
 	{
 		return session(parent,
-		               "priority=0x%lx, affinity=0x%lx, ram_quota=16K, label=\"%s\"",
+		               "priority=0x%lx, affinity=0x%lx, ram_quota=16K, cap_quota=10, label=\"%s\"",
 		               priority, affinity, label);
 	}
 
diff --git a/repos/base-hw/include/vm_session/vm_session.h b/repos/base-hw/include/vm_session/vm_session.h
index c390f75b6d..cc1c1b951f 100644
--- a/repos/base-hw/include/vm_session/vm_session.h
+++ b/repos/base-hw/include/vm_session/vm_session.h
@@ -26,6 +26,8 @@ namespace Genode {
 	{
 			static const char *service_name() { return "VM"; }
 
+			enum { CAP_QUOTA = 3 };
+
 			class Invalid_dataspace : Exception { };
 
 			/**
diff --git a/repos/base-hw/src/test/cpu_quota/include/sync_session/sync_session.h b/repos/base-hw/src/test/cpu_quota/include/sync_session/sync_session.h
index 902b586da0..2f4253cae6 100644
--- a/repos/base-hw/src/test/cpu_quota/include/sync_session/sync_session.h
+++ b/repos/base-hw/src/test/cpu_quota/include/sync_session/sync_session.h
@@ -31,6 +31,8 @@ struct Sync::Session : Genode::Session
 {
 	static const char *service_name() { return "Sync"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual ~Session() { }
 
 	virtual void threshold(unsigned threshold) = 0;
diff --git a/repos/base-nova/src/test/platform/server.h b/repos/base-nova/src/test/platform/server.h
index 8808d2e0ef..cac9573abd 100644
--- a/repos/base-nova/src/test/platform/server.h
+++ b/repos/base-nova/src/test/platform/server.h
@@ -39,6 +39,8 @@ struct Test::Session : Genode::Session
 {
 	static const char *service_name() { return "TEST"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	GENODE_RPC(Rpc_cap_void, bool, cap_void, Genode::Native_capability,
 	           Genode::addr_t &);
 	GENODE_RPC(Rpc_void_cap, Genode::Native_capability,
diff --git a/repos/base/include/cpu_session/connection.h b/repos/base/include/cpu_session/connection.h
index a9e38ff966..9ba8976421 100644
--- a/repos/base/include/cpu_session/connection.h
+++ b/repos/base/include/cpu_session/connection.h
@@ -33,8 +33,8 @@ struct Genode::Cpu_connection : Connection<Cpu_session>, Cpu_session_client
 	                                 long priority, Affinity const &affinity)
 	{
 		return session(parent, affinity,
-		               "priority=0x%lx, ram_quota=128K, label=\"%s\"",
-		               priority, label);
+		               "priority=0x%lx, ram_quota=128K, cap_quota=%u, label=\"%s\"",
+		               priority, CAP_QUOTA, label);
 	}
 
 	/**
diff --git a/repos/base/include/cpu_session/cpu_session.h b/repos/base/include/cpu_session/cpu_session.h
index d5583df973..60f00835c9 100644
--- a/repos/base/include/cpu_session/cpu_session.h
+++ b/repos/base/include/cpu_session/cpu_session.h
@@ -34,6 +34,13 @@ struct Genode::Cpu_session : Session
 {
 	static const char *service_name() { return "CPU"; }
 
+	/*
+	 * A CPU session consumes a dataspace capability for the session-object
+	 * allocation, its session capability, the capability of the 'Native_cpu'
+	 * RPC interface, and a capability for the trace-control dataspace.
+	 */
+	enum { CAP_QUOTA = 4 };
+
 	typedef Cpu_session_client Client;
 
 
diff --git a/repos/base/include/io_mem_session/connection.h b/repos/base/include/io_mem_session/connection.h
index 5b51a5308e..a52c26cba7 100644
--- a/repos/base/include/io_mem_session/connection.h
+++ b/repos/base/include/io_mem_session/connection.h
@@ -30,8 +30,8 @@ struct Genode::Io_mem_connection : Connection<Io_mem_session>, Io_mem_session_cl
 	Capability<Io_mem_session> _session(Parent &parent, addr_t base, size_t size,
 	                                    bool write_combined)
 	{
-		return session("ram_quota=6K, base=0x%p, size=0x%lx, wc=%s",
-		               base, size, write_combined ? "yes" : "no");
+		return session("cap_quota=%u, ram_quota=6K, base=0x%p, size=0x%lx, wc=%s",
+		               CAP_QUOTA, base, size, write_combined ? "yes" : "no");
 	}
 
 	/**
diff --git a/repos/base/include/io_mem_session/io_mem_session.h b/repos/base/include/io_mem_session/io_mem_session.h
index fbfded5588..2ed9b71d27 100644
--- a/repos/base/include/io_mem_session/io_mem_session.h
+++ b/repos/base/include/io_mem_session/io_mem_session.h
@@ -33,6 +33,13 @@ struct Genode::Io_mem_session : Session
 {
 	static const char *service_name() { return "IO_MEM"; }
 
+	/*
+	 * An I/O-memory session consumes a dataspace capability for the
+	 * session-object allocation, its session capability, and a dataspace
+	 * capability for the handed-out memory-mapped I/O dataspace.
+	 */
+	enum { CAP_QUOTA = 3 };
+
 	virtual ~Io_mem_session() { }
 
 	/**
diff --git a/repos/base/include/io_port_session/connection.h b/repos/base/include/io_port_session/connection.h
index 5e340da66b..357b8edebb 100644
--- a/repos/base/include/io_port_session/connection.h
+++ b/repos/base/include/io_port_session/connection.h
@@ -30,8 +30,8 @@ struct Genode::Io_port_connection : Connection<Io_port_session>,
 	 */
 	Capability<Io_port_session> _session(Parent &parent, unsigned base, unsigned size)
 	{
-		return session(parent, "ram_quota=6K, io_port_base=%u, io_port_size=%u",
-		               base, size);
+		return session(parent, "ram_quota=6K, cap_quota=%u, io_port_base=%u, io_port_size=%u",
+		               CAP_QUOTA, base, size);
 	}
 
 	/**
diff --git a/repos/base/include/io_port_session/io_port_session.h b/repos/base/include/io_port_session/io_port_session.h
index 6b8616f82b..b33d430e71 100644
--- a/repos/base/include/io_port_session/io_port_session.h
+++ b/repos/base/include/io_port_session/io_port_session.h
@@ -35,6 +35,8 @@ struct Genode::Io_port_session : Session
 {
 	static const char *service_name() { return "IO_PORT"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual ~Io_port_session() { }
 
 	/******************************
diff --git a/repos/base/include/irq_session/connection.h b/repos/base/include/irq_session/connection.h
index 2da19773c1..e2485aac1f 100644
--- a/repos/base/include/irq_session/connection.h
+++ b/repos/base/include/irq_session/connection.h
@@ -32,7 +32,7 @@ struct Genode::Irq_connection : Connection<Irq_session>, Irq_session_client
 	                                 Irq_session::Polarity polarity,
 	                                 Genode::addr_t        device_config_phys)
 	{
-		return session("ram_quota=6K, irq_number=%u, irq_trigger=%u, "
+		return session("ram_quota=6K, cap_quota=4, irq_number=%u, irq_trigger=%u, "
 		               " irq_polarity=%u, device_config_phys=0x%lx",
 		               irq, trigger, polarity, device_config_phys);
 	}
diff --git a/repos/base/include/irq_session/irq_session.h b/repos/base/include/irq_session/irq_session.h
index ac7b53b966..58370d97f7 100644
--- a/repos/base/include/irq_session/irq_session.h
+++ b/repos/base/include/irq_session/irq_session.h
@@ -75,6 +75,8 @@ struct Genode::Irq_session : Session
 
 	static const char * service_name() { return "IRQ"; }
 
+	enum { CAP_QUOTA = 3 };
+
 
 	/*********************
 	 ** RPC declaration **
diff --git a/repos/base/include/log_session/connection.h b/repos/base/include/log_session/connection.h
index 2b427ac798..dcc8daf53a 100644
--- a/repos/base/include/log_session/connection.h
+++ b/repos/base/include/log_session/connection.h
@@ -31,8 +31,8 @@ struct Genode::Log_connection : Connection<Log_session>, Log_session_client
 	Log_connection(Env &env, Session_label label = Session_label())
 	:
 		Connection<Log_session>(env, session(env.parent(),
-		                                     "ram_quota=%ld, label=\"%s\"",
-		                                     RAM_QUOTA, label.string())),
+		                                     "ram_quota=%ld, cap_quota=%ld, label=\"%s\"",
+		                                     RAM_QUOTA, CAP_QUOTA, label.string())),
 		Log_session_client(cap())
 	{ }
 
@@ -45,8 +45,8 @@ struct Genode::Log_connection : Connection<Log_session>, Log_session_client
 	 */
 	Log_connection(Session_label label = Session_label()) __attribute__((deprecated))
 	:
-		Connection<Log_session>(session("ram_quota=%ld, label=\"%s\"",
-		                                RAM_QUOTA, label.string())),
+		Connection<Log_session>(session("ram_quota=%ld, cap_quota=%ld, label=\"%s\"",
+		                                RAM_QUOTA, CAP_QUOTA, label.string())),
 		Log_session_client(cap())
 	{ }
 };
diff --git a/repos/base/include/log_session/log_session.h b/repos/base/include/log_session/log_session.h
index 3bc1663e4d..e61ba4dfc5 100644
--- a/repos/base/include/log_session/log_session.h
+++ b/repos/base/include/log_session/log_session.h
@@ -30,6 +30,12 @@ struct Genode::Log_session : Session
 {
 	static const char *service_name() { return "LOG"; }
 
+	/*
+	 * A LOG connection consumes a dataspace capability for the session-object
+	 * allocation and its session capability.
+	 */
+	enum { CAP_QUOTA = 2 };
+
 	typedef Log_session_client Client;
 
 	virtual ~Log_session() { }
diff --git a/repos/base/include/pd_session/connection.h b/repos/base/include/pd_session/connection.h
index 40462faffe..463341b955 100644
--- a/repos/base/include/pd_session/connection.h
+++ b/repos/base/include/pd_session/connection.h
@@ -32,8 +32,8 @@ struct Genode::Pd_connection : Connection<Pd_session>, Pd_session_client
 	Pd_connection(Env &env, char const *label = "")
 	:
 		Connection<Pd_session>(env, session(env.parent(),
-		                                    "ram_quota=%u, label=\"%s\"",
-		                                    RAM_QUOTA, label)),
+		                                    "ram_quota=%u, cap_quota=%u, label=\"%s\"",
+		                                    RAM_QUOTA, CAP_QUOTA, label)),
 		Pd_session_client(cap())
 	{ }
 
diff --git a/repos/base/include/pd_session/pd_session.h b/repos/base/include/pd_session/pd_session.h
index 2f02355c0c..ebbfca0ac6 100644
--- a/repos/base/include/pd_session/pd_session.h
+++ b/repos/base/include/pd_session/pd_session.h
@@ -35,6 +35,14 @@ struct Genode::Pd_session : Session
 {
 	static const char *service_name() { return "PD"; }
 
+	/*
+	 * A PD session consumes a dataspace capability for the session-object
+	 * allocation, a capability for the 'Native_pd' RPC interface, its
+	 * session capability, and the RPC capabilities for the 3 contained
+	 * region maps.
+	 */
+	enum { CAP_QUOTA = 6 };
+
 	typedef Pd_session_client Client;
 
 	virtual ~Pd_session() { }
diff --git a/repos/base/include/ram_session/connection.h b/repos/base/include/ram_session/connection.h
index 20e7d5b225..83e5d90e68 100644
--- a/repos/base/include/ram_session/connection.h
+++ b/repos/base/include/ram_session/connection.h
@@ -22,7 +22,7 @@ namespace Genode { struct Ram_connection; }
 
 struct Genode::Ram_connection : Connection<Ram_session>, Ram_session_client
 {
-	enum { RAM_QUOTA = 4*1024*sizeof(long) };
+	enum { RAM_QUOTA = 4096*sizeof(long) };
 
 	/**
 	 * Issue session request
@@ -33,8 +33,8 @@ struct Genode::Ram_connection : Connection<Ram_session>, Ram_session_client
 	                                 addr_t phys_start, size_t phys_size)
 	{
 		return session(parent,
-		               "ram_quota=%u, phys_start=0x%lx, phys_size=0x%lx, "
-		               "label=\"%s\"", RAM_QUOTA, phys_start, phys_size, label);
+		               "ram_quota=%u, cap_quota=%u, phys_start=0x%lx, phys_size=0x%lx, "
+		               "label=\"%s\"", RAM_QUOTA, CAP_QUOTA, phys_start, phys_size, label);
 	}
 
 	/**
diff --git a/repos/base/include/ram_session/ram_session.h b/repos/base/include/ram_session/ram_session.h
index 2d3e706e36..fe21cbe206 100644
--- a/repos/base/include/ram_session/ram_session.h
+++ b/repos/base/include/ram_session/ram_session.h
@@ -42,6 +42,8 @@ struct Genode::Ram_session : Session
 {
 	static const char *service_name() { return "RAM"; }
 
+	enum { CAP_QUOTA = 8 };
+
 	typedef Ram_session_client Client;
 
 
diff --git a/repos/base/include/rm_session/connection.h b/repos/base/include/rm_session/connection.h
index 4419551018..607740a87d 100644
--- a/repos/base/include/rm_session/connection.h
+++ b/repos/base/include/rm_session/connection.h
@@ -29,7 +29,8 @@ struct Genode::Rm_connection : Connection<Rm_session>, Rm_session_client
 	 */
 	Rm_connection(Env &env)
 	:
-		Connection<Rm_session>(env, session(env.parent(), "ram_quota=%u", RAM_QUOTA)),
+		Connection<Rm_session>(env, session(env.parent(), "ram_quota=%u, cap_quota=%u",
+		                       RAM_QUOTA, CAP_QUOTA)),
 		Rm_session_client(cap())
 	{ }
 
@@ -42,7 +43,7 @@ struct Genode::Rm_connection : Connection<Rm_session>, Rm_session_client
 	 */
 	Rm_connection() __attribute__((deprecated))
 	:
-		Connection<Rm_session>(session("ram_quota=%u", RAM_QUOTA)),
+		Connection<Rm_session>(session("ram_quota=%u, cap_quota=%u", RAM_QUOTA, CAP_QUOTA)),
 		Rm_session_client(cap())
 	{ }
 };
diff --git a/repos/base/include/rm_session/rm_session.h b/repos/base/include/rm_session/rm_session.h
index e4d9362de5..f01c867748 100644
--- a/repos/base/include/rm_session/rm_session.h
+++ b/repos/base/include/rm_session/rm_session.h
@@ -24,6 +24,12 @@ struct Genode::Rm_session : Session
 {
 	static const char *service_name() { return "RM"; }
 
+	/*
+	 * An RM session consumes a dataspace capability for the session-object
+	 * allocation and its session capability.
+	 */
+	enum { CAP_QUOTA = 2 };
+
 	/**
 	 * Exception types
 	 *
diff --git a/repos/base/include/rom_session/connection.h b/repos/base/include/rom_session/connection.h
index b443d56b94..c68ec3adea 100644
--- a/repos/base/include/rom_session/connection.h
+++ b/repos/base/include/rom_session/connection.h
@@ -34,7 +34,8 @@ class Genode::Rom_connection : public Connection<Rom_session>,
 
 		Rom_session_capability _session(Parent &parent, char const *label)
 		{
-			return session("ram_quota=%ld, label=\"%s\"", RAM_QUOTA, label);
+			return session("ram_quota=%ld, cap_quota=%ld, label=\"%s\"",
+			               RAM_QUOTA, CAP_QUOTA, label);
 		}
 
 	public:
diff --git a/repos/base/include/rom_session/rom_session.h b/repos/base/include/rom_session/rom_session.h
index 3bd742ba20..b38df4cc83 100644
--- a/repos/base/include/rom_session/rom_session.h
+++ b/repos/base/include/rom_session/rom_session.h
@@ -38,6 +38,13 @@ struct Genode::Rom_session : Session
 {
 	static const char *service_name() { return "ROM"; }
 
+	/*
+	 * A ROM session consumes a dataspace capability for the session-object
+	 * allocation, a dataspace capability for the ROM dataspace, and its
+	 * session capability.
+	 */
+	enum { CAP_QUOTA = 3 };
+
 	typedef Rom_session_client Client;
 
 	virtual ~Rom_session() { }
diff --git a/repos/base/include/trace_session/trace_session.h b/repos/base/include/trace_session/trace_session.h
index f39dcad76e..c7be9f1412 100644
--- a/repos/base/include/trace_session/trace_session.h
+++ b/repos/base/include/trace_session/trace_session.h
@@ -26,6 +26,8 @@ struct Genode::Trace::Session : Genode::Session
 {
 	static const char *service_name() { return "TRACE"; }
 
+	enum { CAP_QUOTA = 4 };
+
 	/**
 	 * Allocate policy-module backing store
 	 *
diff --git a/repos/base/src/test/mp_server/main.cc b/repos/base/src/test/mp_server/main.cc
index 52a52056ad..4c8be4b76e 100644
--- a/repos/base/src/test/mp_server/main.cc
+++ b/repos/base/src/test/mp_server/main.cc
@@ -28,6 +28,8 @@ namespace Test {
 	{
 		static const char *service_name() { return "MP_RPC_TEST"; }
 
+		enum { CAP_QUOTA = 2 };
+
 		GENODE_RPC(Rpc_test_untyped, void, test_untyped, unsigned);
 		GENODE_RPC(Rpc_test_cap, void, test_cap, Genode::Native_capability);
 		GENODE_RPC(Rpc_test_cap_reply, Genode::Native_capability,
diff --git a/repos/hello_tutorial/include/hello_session/connection.h b/repos/hello_tutorial/include/hello_session/connection.h
index 787b866fa1..a21b0109fe 100644
--- a/repos/hello_tutorial/include/hello_session/connection.h
+++ b/repos/hello_tutorial/include/hello_session/connection.h
@@ -26,7 +26,7 @@ struct Hello::Connection : Genode::Connection<Session>, Session_client
 	:
 		/* create session */
 		Genode::Connection<Hello::Session>(env, session(env.parent(),
-		                                                "ram_quota=6K")),
+		                                                "ram_quota=6K, cap_quota=4")),
 
 		/* initialize RPC interface */
 		Session_client(cap()) { }
diff --git a/repos/hello_tutorial/include/hello_session/hello_session.h b/repos/hello_tutorial/include/hello_session/hello_session.h
index 5fb163ee77..8ff65e2ea8 100644
--- a/repos/hello_tutorial/include/hello_session/hello_session.h
+++ b/repos/hello_tutorial/include/hello_session/hello_session.h
@@ -24,6 +24,8 @@ struct Hello::Session : Genode::Session
 {
 	static const char *service_name() { return "Hello"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual void say_hello() = 0;
 	virtual int add(int a, int b) = 0;
 
diff --git a/repos/os/include/audio_in_session/audio_in_session.h b/repos/os/include/audio_in_session/audio_in_session.h
index 84d5a3bf48..bc3cfb8a41 100644
--- a/repos/os/include/audio_in_session/audio_in_session.h
+++ b/repos/os/include/audio_in_session/audio_in_session.h
@@ -271,6 +271,8 @@ class Audio_in::Session : public Genode::Session
 
 		static const char *service_name() { return "Audio_in"; }
 
+		enum { CAP_QUOTA = 4 };
+
 		/**
 		 * Return stream of this session, see 'Stream' above
 		 */
diff --git a/repos/os/include/audio_in_session/connection.h b/repos/os/include/audio_in_session/connection.h
index 3293c8cd5e..998e604729 100644
--- a/repos/os/include/audio_in_session/connection.h
+++ b/repos/os/include/audio_in_session/connection.h
@@ -30,8 +30,8 @@ struct Audio_in::Connection : Genode::Connection<Session>, Audio_in::Session_cli
 	 */
 	Capability<Audio_in::Session> _session(Genode::Parent &parent, char const *channel)
 	{
-		return session(parent, "ram_quota=%ld, channel=\"%s\"",
-		               10*1024 + sizeof(Stream), channel);
+		return session(parent, "ram_quota=%ld, cap_quota=%ld, channel=\"%s\"",
+		               10*1024 + sizeof(Stream), CAP_QUOTA, channel);
 	}
 
 	/**
diff --git a/repos/os/include/audio_out_session/audio_out_session.h b/repos/os/include/audio_out_session/audio_out_session.h
index dc095ca60f..601a65f4af 100644
--- a/repos/os/include/audio_out_session/audio_out_session.h
+++ b/repos/os/include/audio_out_session/audio_out_session.h
@@ -307,6 +307,8 @@ class Audio_out::Session : public Genode::Session
 
 		static const char *service_name() { return "Audio_out"; }
 
+		enum { CAP_QUOTA = 4 };
+
 		/**
 		 * Return stream of this session, see 'Stream' above
 		 */
diff --git a/repos/os/include/audio_out_session/connection.h b/repos/os/include/audio_out_session/connection.h
index acd446743b..e3690cb594 100644
--- a/repos/os/include/audio_out_session/connection.h
+++ b/repos/os/include/audio_out_session/connection.h
@@ -30,8 +30,8 @@ struct Audio_out::Connection : Genode::Connection<Session>, Audio_out::Session_c
 	 */
 	Capability<Audio_out::Session> _session(Genode::Parent &parent, char const *channel)
 	{
-		return session(parent, "ram_quota=%ld, channel=\"%s\"",
-		               2*4096 + 2048 + sizeof(Stream), channel);
+		return session(parent, "ram_quota=%ld, cap_quota=%ld, channel=\"%s\"",
+		               2*4096 + 2048 + sizeof(Stream), CAP_QUOTA, channel);
 	}
 
 	/**
diff --git a/repos/os/include/block_session/block_session.h b/repos/os/include/block_session/block_session.h
index f1205924e9..16b7a69059 100644
--- a/repos/os/include/block_session/block_session.h
+++ b/repos/os/include/block_session/block_session.h
@@ -129,6 +129,8 @@ struct Block::Session : public Genode::Session
 
 	static const char *service_name() { return "Block"; }
 
+	enum { CAP_QUOTA = 5 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/block_session/connection.h b/repos/os/include/block_session/connection.h
index 3bf6b51fe2..3bedafcb59 100644
--- a/repos/os/include/block_session/connection.h
+++ b/repos/os/include/block_session/connection.h
@@ -30,8 +30,8 @@ struct Block::Connection : Genode::Connection<Session>, Session_client
 	Capability<Block::Session> _session(Genode::Parent &parent,
 	                                    char const *label, Genode::size_t tx_buf_size)
 	{
-		return session(parent, "ram_quota=%ld, tx_buf_size=%ld, label=\"%s\"",
-		               14*1024 + tx_buf_size, tx_buf_size, label);
+		return session(parent, "ram_quota=%ld, cap_quota=%ld, tx_buf_size=%ld, label=\"%s\"",
+		               14*1024 + tx_buf_size, CAP_QUOTA, tx_buf_size, label);
 	}
 
 	/**
diff --git a/repos/os/include/file_system_session/connection.h b/repos/os/include/file_system_session/connection.h
index 60b7d5e3a3..b7d511387c 100644
--- a/repos/os/include/file_system_session/connection.h
+++ b/repos/os/include/file_system_session/connection.h
@@ -48,11 +48,13 @@ struct File_system::Connection_base : Genode::Connection<Session>, Session_clien
 	{
 		return session(parent,
 		               "ram_quota=%ld, "
+		               "cap_quota=%ld, "
 		               "tx_buf_size=%ld, "
 		               "label=\"%s\", "
 		               "root=\"%s\", "
 		               "writeable=%d",
 		               8*1024*sizeof(long) + tx_buf_size,
+		               CAP_QUOTA,
 		               tx_buf_size,
 		               label, root, writeable);
 	}
diff --git a/repos/os/include/file_system_session/file_system_session.h b/repos/os/include/file_system_session/file_system_session.h
index 8fc9d29a26..97e037f887 100644
--- a/repos/os/include/file_system_session/file_system_session.h
+++ b/repos/os/include/file_system_session/file_system_session.h
@@ -256,6 +256,8 @@ struct File_system::Session : public Genode::Session
 
 	static const char *service_name() { return "File_system"; }
 
+	enum { CAP_QUOTA = 5 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/framebuffer_session/connection.h b/repos/os/include/framebuffer_session/connection.h
index b96266a8d6..1e40048a67 100644
--- a/repos/os/include/framebuffer_session/connection.h
+++ b/repos/os/include/framebuffer_session/connection.h
@@ -43,8 +43,9 @@ class Framebuffer::Connection : public Genode::Connection<Session>,
 			char argbuf[ARGBUF_SIZE];
 			argbuf[0] = 0;
 
-			/* donate ram quota for storing server-side meta data */
+			/* donate ram and cap quota for storing server-side meta data */
 			Arg_string::set_arg(argbuf, sizeof(argbuf), "ram_quota", RAM_QUOTA);
+			Arg_string::set_arg(argbuf, sizeof(argbuf), "cap_quota", CAP_QUOTA);
 
 			/* set optional session-constructor arguments */
 			if (width)
diff --git a/repos/os/include/framebuffer_session/framebuffer_session.h b/repos/os/include/framebuffer_session/framebuffer_session.h
index e5d57b1229..75dc336ede 100644
--- a/repos/os/include/framebuffer_session/framebuffer_session.h
+++ b/repos/os/include/framebuffer_session/framebuffer_session.h
@@ -82,6 +82,13 @@ struct Framebuffer::Session : Genode::Session
 {
 	static const char *service_name() { return "Framebuffer"; }
 
+	/*
+	 * A framebuffer session consumes a dataspace capability for the server's
+	 * session-object allocation, a dataspace capability for the framebuffer
+	 * dataspace, and its session capability.
+	 */
+	enum { CAP_QUOTA = 3 };
+
 	typedef Session_client Client;
 
 	virtual ~Session() { }
diff --git a/repos/os/include/gpio_session/connection.h b/repos/os/include/gpio_session/connection.h
index 2a7d395a01..cdedb32867 100644
--- a/repos/os/include/gpio_session/connection.h
+++ b/repos/os/include/gpio_session/connection.h
@@ -29,7 +29,8 @@ struct Gpio::Connection : Genode::Connection<Session>, Session_client
 	Connection(Genode::Env &env, unsigned long gpio_pin)
 	:
 		Genode::Connection<Session>(env, session(env.parent(),
-		                                         "ram_quota=8K, gpio=%ld", gpio_pin)),
+		                                         "ram_quota=8K, cap_quota=%ld, gpio=%ld",
+		                                         CAP_QUOTA, gpio_pin)),
 		Session_client(cap())
 	{ }
 
diff --git a/repos/os/include/gpio_session/gpio_session.h b/repos/os/include/gpio_session/gpio_session.h
index 7d347cc5f3..e4df1f7b7d 100644
--- a/repos/os/include/gpio_session/gpio_session.h
+++ b/repos/os/include/gpio_session/gpio_session.h
@@ -28,6 +28,8 @@ struct Gpio::Session : Genode::Session
 {
 	static const char *service_name() { return "Gpio"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	enum Direction { IN, OUT };
 
 	enum Irq_type  { LOW_LEVEL, HIGH_LEVEL, FALLING_EDGE, RISING_EDGE };
diff --git a/repos/os/include/input_session/connection.h b/repos/os/include/input_session/connection.h
index d1b38da8c1..c01e0b5ccd 100644
--- a/repos/os/include/input_session/connection.h
+++ b/repos/os/include/input_session/connection.h
@@ -27,7 +27,8 @@ struct Input::Connection : Genode::Connection<Session>, Session_client
 	 * \noapi
 	 */
 	Capability<Input::Session> _session(Genode::Parent &parent, char const *label) {
-		return session(parent, "ram_quota=18K, label=\"%s\"", label); }
+		return session(parent, "ram_quota=18K, cap_quota=%u, label=\"%s\"",
+		               CAP_QUOTA, label); }
 
 	/**
 	 * Constructor
@@ -48,7 +49,8 @@ struct Input::Connection : Genode::Connection<Session>, Session_client
 	Connection() __attribute__((deprecated))
 	:
 		Genode::Connection<Input::Session>(
-			session(*Genode::env_deprecated()->parent(), "ram_quota=18K")),
+			session(*Genode::env_deprecated()->parent(),
+			        "ram_quota=18K, cap_quota=3")),
 		Session_client(*Genode::env_deprecated()->rm_session(), cap())
 	{ }
 };
diff --git a/repos/os/include/input_session/input_session.h b/repos/os/include/input_session/input_session.h
index 3d2703ae91..5695bf4ae5 100644
--- a/repos/os/include/input_session/input_session.h
+++ b/repos/os/include/input_session/input_session.h
@@ -26,6 +26,13 @@ struct Input::Session : Genode::Session
 {
 	static const char *service_name() { return "Input"; }
 
+	/*
+	 * An input session consumes a dataspace capability for the server's
+	 * session-object allocation, a dataspace capability for the input
+	 * buffer, and its session capability.
+	 */
+	enum { CAP_QUOTA = 3 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/loader_session/loader_session.h b/repos/os/include/loader_session/loader_session.h
index 34df8d2466..6098884c5b 100644
--- a/repos/os/include/loader_session/loader_session.h
+++ b/repos/os/include/loader_session/loader_session.h
@@ -56,6 +56,8 @@ struct Loader::Session : Genode::Session
 
 	static const char *service_name() { return "Loader"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/nic_session/connection.h b/repos/os/include/nic_session/connection.h
index a8873290c0..1d33bd2993 100644
--- a/repos/os/include/nic_session/connection.h
+++ b/repos/os/include/nic_session/connection.h
@@ -34,9 +34,9 @@ struct Nic::Connection : Genode::Connection<Session>, Session_client
 	                                  Genode::size_t rx_buf_size)
 	{
 		return session(parent,
-		               "ram_quota=%ld, tx_buf_size=%ld, rx_buf_size=%ld, label=\"%s\"",
+		               "ram_quota=%ld, cap_quota=%ld, tx_buf_size=%ld, rx_buf_size=%ld, label=\"%s\"",
 		               32*1024*sizeof(long) + tx_buf_size + rx_buf_size,
-		               tx_buf_size, rx_buf_size, label);
+		               CAP_QUOTA, tx_buf_size, rx_buf_size, label);
 	}
 
 	/**
diff --git a/repos/os/include/nic_session/nic_session.h b/repos/os/include/nic_session/nic_session.h
index 2dae632870..2d63d61612 100644
--- a/repos/os/include/nic_session/nic_session.h
+++ b/repos/os/include/nic_session/nic_session.h
@@ -68,6 +68,14 @@ struct Nic::Session : Genode::Session
 
 	static const char *service_name() { return "Nic"; }
 
+	/*
+	 * A NIC session consumes a dataspace capability for the server-side
+	 * session object, a session capability, two packet-stream dataspaces for
+	 * rx and tx, and four signal context capabilities for the data-flow
+	 * signals.
+	 */
+	enum { CAP_QUOTA = 8 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/nitpicker_session/connection.h b/repos/os/include/nitpicker_session/connection.h
index 9f6d8ec354..e918268017 100644
--- a/repos/os/include/nitpicker_session/connection.h
+++ b/repos/os/include/nitpicker_session/connection.h
@@ -53,6 +53,7 @@ class Nitpicker::Connection : public Genode::Connection<Session>,
 			 */
 			using Genode::Arg_string;
 			Arg_string::set_arg(argbuf, sizeof(argbuf), "ram_quota", RAM_QUOTA);
+			Arg_string::set_arg(argbuf, sizeof(argbuf), "cap_quota", CAP_QUOTA);
 
 			return session(parent, argbuf);
 		}
diff --git a/repos/os/include/nitpicker_session/nitpicker_session.h b/repos/os/include/nitpicker_session/nitpicker_session.h
index 977c27997b..207b2724b6 100644
--- a/repos/os/include/nitpicker_session/nitpicker_session.h
+++ b/repos/os/include/nitpicker_session/nitpicker_session.h
@@ -38,6 +38,15 @@ struct Nitpicker::Session : Genode::Session
 {
 	static const char *service_name() { return "Nitpicker"; }
 
+	/*
+	 * A nitpicker session consumes a dataspace capability for the server's
+	 * session-object allocation, a session capability, a dataspace capability
+	 * for the command buffer, and the capabilities needed for the aggregated
+	 * 'Framebuffer' and 'Input' sessions.
+	 */
+	enum { CAP_QUOTA = Framebuffer::Session::CAP_QUOTA
+	                 + Input::Session::CAP_QUOTA + 3 };
+
 	typedef Session_client Client;
 
 	/**
diff --git a/repos/os/include/platform_session/connection.h b/repos/os/include/platform_session/connection.h
index 5800cb2e69..1c58723bcb 100644
--- a/repos/os/include/platform_session/connection.h
+++ b/repos/os/include/platform_session/connection.h
@@ -27,7 +27,8 @@ struct Platform::Connection : Genode::Connection<Session>, Client
 	 * Constructor
 	 */
 	Connection(Genode::Env &env)
-	: Genode::Connection<Session>(env, session(env.parent(), "ram_quota=6K")),
+	: Genode::Connection<Session>(env, session(env.parent(),
+	                              "ram_quota=6K, cap_quota=%ld", CAP_QUOTA)),
 	  Client(cap()) { }
 
 	/**
diff --git a/repos/os/include/regulator_session/connection.h b/repos/os/include/regulator_session/connection.h
index f60b6faff8..7d7275f592 100644
--- a/repos/os/include/regulator_session/connection.h
+++ b/repos/os/include/regulator_session/connection.h
@@ -32,8 +32,8 @@ struct Regulator::Connection : Genode::Connection<Session>, Session_client
 	                                        char const *label,
 	                                        Regulator_id regulator)
 	{
-		return session("ram_quota=8K, regulator=\"%s\", label=\"%s\"",
-		               regulator_name_by_id(regulator), label);
+		return session("ram_quota=8K, cap_quota=%ld, regulator=\"%s\", label=\"%s\"",
+		               CAP_QUOTA, regulator_name_by_id(regulator), label);
 	}
 
 	/**
diff --git a/repos/os/include/regulator_session/regulator_session.h b/repos/os/include/regulator_session/regulator_session.h
index 7a258a591c..0f68f0e696 100644
--- a/repos/os/include/regulator_session/regulator_session.h
+++ b/repos/os/include/regulator_session/regulator_session.h
@@ -23,6 +23,8 @@ struct Regulator::Session : public Genode::Session
 {
 	static const char *service_name() { return "Regulator"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/report_session/connection.h b/repos/os/include/report_session/connection.h
index 5c2ae6021b..ccce05e10e 100644
--- a/repos/os/include/report_session/connection.h
+++ b/repos/os/include/report_session/connection.h
@@ -32,8 +32,8 @@ struct Report::Connection : Genode::Connection<Session>, Session_client
 	Capability<Report::Session> _session(Genode::Parent &parent,
 	                                     char const *label, size_t buffer_size)
 	{
-		return session(parent, "label=\"%s\", ram_quota=%ld, buffer_size=%zd",
-		               label, 10*1024 + buffer_size, buffer_size);
+		return session(parent, "label=\"%s\", ram_quota=%ld, cap_quota=%ld, buffer_size=%zd",
+		               label, 10*1024 + buffer_size, CAP_QUOTA, buffer_size);
 	}
 
 	/**
diff --git a/repos/os/include/report_session/report_session.h b/repos/os/include/report_session/report_session.h
index d17c78c935..d3c2e8819e 100644
--- a/repos/os/include/report_session/report_session.h
+++ b/repos/os/include/report_session/report_session.h
@@ -52,6 +52,13 @@ struct Report::Session : Genode::Session
 {
 	static const char *service_name() { return "Report"; }
 
+	/*
+	 * A report session consumes a dataspace capability for the server's
+	 * session-object allocation, the session capability, and a dataspace
+	 * capability for the report buffer.
+	 */
+	enum { CAP_QUOTA = 3 };
+
 	typedef Session_client Client;
 
 	/**
diff --git a/repos/os/include/rtc_session/rtc_session.h b/repos/os/include/rtc_session/rtc_session.h
index fa830181a9..8c5b3007da 100644
--- a/repos/os/include/rtc_session/rtc_session.h
+++ b/repos/os/include/rtc_session/rtc_session.h
@@ -42,6 +42,8 @@ struct Rtc::Session : Genode::Session
 {
 	static const char *service_name() { return "Rtc"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual Timestamp current_time() = 0;
 
 	GENODE_RPC(Rpc_current_time, Timestamp, current_time);
diff --git a/repos/os/include/spec/imx53/platform_session/platform_session.h b/repos/os/include/spec/imx53/platform_session/platform_session.h
index 56de1847f7..b8216872cb 100644
--- a/repos/os/include/spec/imx53/platform_session/platform_session.h
+++ b/repos/os/include/spec/imx53/platform_session/platform_session.h
@@ -38,6 +38,8 @@ struct Platform::Session : Genode::Session
 
 	static const char *service_name() { return "Platform"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual ~Session() { }
 
 	virtual void enable(Device dev)   = 0;
diff --git a/repos/os/include/spec/rpi/platform_session/platform_session.h b/repos/os/include/spec/rpi/platform_session/platform_session.h
index 4e799116fe..7335c7436b 100644
--- a/repos/os/include/spec/rpi/platform_session/platform_session.h
+++ b/repos/os/include/spec/rpi/platform_session/platform_session.h
@@ -29,6 +29,8 @@ struct Platform::Session : Genode::Session
 {
 	static const char *service_name() { return "Platform"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	/**
 	 * Setup framebuffer
 	 *
diff --git a/repos/os/include/spec/x86/platform_session/connection.h b/repos/os/include/spec/x86/platform_session/connection.h
index 5c2a994192..4eb9eb450f 100644
--- a/repos/os/include/spec/x86/platform_session/connection.h
+++ b/repos/os/include/spec/x86/platform_session/connection.h
@@ -26,7 +26,8 @@ struct Platform::Connection : Genode::Connection<Session>, Client
 	 */
 	Connection(Genode::Env &env)
 	:
-		Genode::Connection<Session>(env, session("ram_quota=16K")),
+		Genode::Connection<Session>(env, session("ram_quota=16K, cap_quota=%u",
+		                                         CAP_QUOTA)),
 		Client(cap())
 	{ }
 
@@ -39,7 +40,8 @@ struct Platform::Connection : Genode::Connection<Session>, Client
 	 */
 	Connection() __attribute__((deprecated))
 	:
-		Genode::Connection<Session>(session("ram_quota=16K")),
+		Genode::Connection<Session>(session("ram_quota=16K, cap_quota=%u",
+		                                    CAP_QUOTA)),
 		Client(cap())
 	{ }
 };
diff --git a/repos/os/include/spec/x86/platform_session/platform_session.h b/repos/os/include/spec/x86/platform_session/platform_session.h
index a5f4ff4523..210a467fac 100644
--- a/repos/os/include/spec/x86/platform_session/platform_session.h
+++ b/repos/os/include/spec/x86/platform_session/platform_session.h
@@ -36,6 +36,8 @@ struct Platform::Session : Genode::Session
 
 	static const char *service_name() { return "Platform"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/terminal_session/connection.h b/repos/os/include/terminal_session/connection.h
index b47216fcd2..c575be375f 100644
--- a/repos/os/include/terminal_session/connection.h
+++ b/repos/os/include/terminal_session/connection.h
@@ -50,8 +50,8 @@ struct Terminal::Connection : Genode::Connection<Session>, Session_client
 	Connection(Genode::Env &env, char const *label = "")
 	:
 		Genode::Connection<Session>(env, session(env.parent(),
-		                                         "ram_quota=%ld, label=\"%s\"",
-		                                         10*1024, label)),
+		                                         "ram_quota=%ld, cap_quota=%ld, label=\"%s\"",
+		                                         10*1024, CAP_QUOTA, label)),
 		Session_client(env.rm(), cap())
 	{
 		wait_for_connection(cap());
diff --git a/repos/os/include/terminal_session/terminal_session.h b/repos/os/include/terminal_session/terminal_session.h
index 6176cee62e..854a10ee9f 100644
--- a/repos/os/include/terminal_session/terminal_session.h
+++ b/repos/os/include/terminal_session/terminal_session.h
@@ -26,6 +26,13 @@ struct Terminal::Session : Genode::Session
 {
 	static const char *service_name() { return "Terminal"; }
 
+	/*
+	 * A terminal session consumes a dataspace capability for the server's
+	 * session-object allocation, its session capability, and a dataspace
+	 * capability for the communication buffer.
+	 */
+	enum { CAP_QUOTA = 3 };
+
 	class Size
 	{
 		private:
diff --git a/repos/os/include/timer_session/connection.h b/repos/os/include/timer_session/connection.h
index f65005b42f..b0839f4e37 100644
--- a/repos/os/include/timer_session/connection.h
+++ b/repos/os/include/timer_session/connection.h
@@ -40,7 +40,9 @@ class Timer::Connection : public Genode::Connection<Session>, public Session_cli
 		 */
 		Connection(Genode::Env &env, char const *label = "")
 		:
-			Genode::Connection<Session>(env, session(env.parent(), "ram_quota=10K, label=\"%s\"", label)),
+			Genode::Connection<Session>(env, session(env.parent(),
+			                            "ram_quota=10K, cap_quota=%u, label=\"%s\"",
+			                            CAP_QUOTA, label)),
 			Session_client(cap())
 		{
 			/* register default signal handler */
diff --git a/repos/os/include/timer_session/timer_session.h b/repos/os/include/timer_session/timer_session.h
index d39ad21fd7..58a7e40cc5 100644
--- a/repos/os/include/timer_session/timer_session.h
+++ b/repos/os/include/timer_session/timer_session.h
@@ -28,6 +28,8 @@ struct Timer::Session : Genode::Session
 
 	static const char *service_name() { return "Timer"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	virtual ~Session() { }
 
 	/**
diff --git a/repos/os/include/usb_session/connection.h b/repos/os/include/usb_session/connection.h
index d7fb17072c..8d06535f97 100644
--- a/repos/os/include/usb_session/connection.h
+++ b/repos/os/include/usb_session/connection.h
@@ -31,8 +31,8 @@ struct Usb::Connection : Genode::Connection<Session>, Session_client
 	                                  char const *label,
 	                                  Genode::size_t tx_buf_size)
 	{
-		return session(parent, "ram_quota=%ld, tx_buf_size=%ld, label=\"%s\"",
-		               3 * 4096 + tx_buf_size, tx_buf_size, label);
+		return session(parent, "ram_quota=%ld, cap_quota=%ld, tx_buf_size=%ld, label=\"%s\"",
+		               3 * 4096 + tx_buf_size, CAP_QUOTA, tx_buf_size, label);
 	}
 
 	/**
diff --git a/repos/os/include/usb_session/usb_session.h b/repos/os/include/usb_session/usb_session.h
index b7926c76f7..d5bfbf2a5f 100644
--- a/repos/os/include/usb_session/usb_session.h
+++ b/repos/os/include/usb_session/usb_session.h
@@ -155,6 +155,8 @@ struct Usb::Session : public Genode::Session
 
 	static const char *service_name() { return "Usb"; }
 
+	enum { CAP_QUOTA = 5 };
+
 	/**
 	 * Send from the server to the client upon device state change
 	 */
diff --git a/repos/os/src/drivers/platform/spec/x86/pci_device_pd_ipc.h b/repos/os/src/drivers/platform/spec/x86/pci_device_pd_ipc.h
index 8bfa8c8645..003df7d7df 100644
--- a/repos/os/src/drivers/platform/spec/x86/pci_device_pd_ipc.h
+++ b/repos/os/src/drivers/platform/spec/x86/pci_device_pd_ipc.h
@@ -30,6 +30,8 @@ struct Platform::Device_pd : Genode::Session
 {
 	static const char *service_name() { return "DEVICE_PD"; }
 
+	enum { CAP_QUOTA = 2 };
+
 	typedef Device_pd_client Client;
 
 	GENODE_RPC_THROW(Rpc_attach_dma_mem, void, attach_dma_mem,
diff --git a/repos/ports/include/noux_session/noux_session.h b/repos/ports/include/noux_session/noux_session.h
index 76bfa69924..2911333de3 100644
--- a/repos/ports/include/noux_session/noux_session.h
+++ b/repos/ports/include/noux_session/noux_session.h
@@ -30,6 +30,8 @@ namespace Noux {
 	{
 		static const char *service_name() { return "Noux"; }
 
+		enum { CAP_QUOTA = 3 };
+
 		virtual ~Session() { }
 
 		virtual Dataspace_capability sysio_dataspace() = 0;