danfuzz at milk.com
Tue May 4 15:36:45 PDT 2010
Fred <phreed at gmail.com> writes:
> I presume someone has given some thought to object capability on the
> Android platform.
Hi there. I think about object capability stuff a reasonable amount,
and I'm one of the tech leads on Android. Android isn't a pure obj-cap
environment by any stretch of the imagination, but I think it comes
close enough such that doing "obj-cappy" stuff within an Android
application could both make sense and be beneficial.
The Android security model treats the process as the unit of trust and
isolation, and processes are given (what mostly amounts to) an initial
capability grant, based on an a priori list of permissions that can be
vetted by the end user (or their trusted proxy). These permissions are
enforced by the kernel and not by any code running in the app process
itself. To be clear, a "permission-free" application on Android can do
a fair bit more than pure computation, but it's a lot less than what a
typical Unix(-family) process could expect.
The existing Android library doesn't make any real attempt to add
further permission constraints within the process — for example, the
vm doesn't come with a SecurityManager installed, and there is even an
approved and encouraged way to introduce native code into a process,
so you can always use that to subvert anything the vm might try to do
— but as a prophylactic measure (e.g. to help guard against their own
bugs), individual applications certainly might want to do so.
> Could ELib be used in the android environment?
> Maybe Joe-E?
Either of these would make sense as a basis for obj-cap programming
within an Android application.
> 1) don't waste your time it is too broken (I hope not)
I don't think it's too broken.
> 2) sure, it's already been worked out, start by reading document X
> (probably a fantasy)
It's not yet worked out, as far as I know.
> 3) it could probably be done, start by reading paper Y and tutorial Z
> (a likely response)
> 4) you asked the question wrong, you should have asked W (ok, let's
> presume I had asked W)
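The reply above describes two layers: the a priori permission grant enforced on the process from outside, and the in-process constraints an application may add for itself as a prophylactic measure, with the caveat that native code loaded into the process can subvert anything done inside the VM. The following is an added illustration of the second layer, not code from the post or from the Android project. It is plain Java with no Android framework classes, so it runs on any JVM; the `LogReader`, `ReadOnlyDirectory` and `Revocable` names are hypothetical, and the temporary directory stands in for an app's private files directory. A component is handed an attenuated facet (read-only, confined to one directory) through a revocable forwarder, instead of the raw `File` or `Context` that would carry the whole permission grant.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

// Added example (not from the original post): object-capability style
// attenuation inside one process, layered on top of the process-level
// permission grant. Names and the sandbox directory are constructed for
// the demo; nothing here uses Android APIs.
public final class CapabilityFacets {

    /** The only authority a log-consuming component is handed. */
    public interface LogReader {
        String read(String name) throws IOException;
    }

    /**
     * Attenuated facet: read access to files directly inside one directory,
     * and nothing else (no writes, no delete, no escaping the directory).
     */
    static final class ReadOnlyDirectory implements LogReader {
        private final File dir;

        ReadOnlyDirectory(File dir) throws IOException {
            this.dir = dir.getCanonicalFile();
        }

        @Override
        public String read(String name) throws IOException {
            // Reject separators and ".." so the name cannot leave the directory.
            if (name.contains("/") || name.contains("\\") || name.equals("..")) {
                throw new SecurityException("invalid name: " + name);
            }
            File f = new File(dir, name).getCanonicalFile();
            if (!dir.equals(f.getParentFile())) {
                throw new SecurityException("outside directory: " + name);
            }
            return new String(Files.readAllBytes(f.toPath()), StandardCharsets.UTF_8);
        }
    }

    /** Caretaker: a forwarder whose grant the issuer can withdraw later. */
    static final class Revocable implements LogReader {
        private volatile LogReader target;

        Revocable(LogReader target) {
            this.target = target;
        }

        @Override
        public String read(String name) throws IOException {
            LogReader t = target;
            if (t == null) {
                throw new SecurityException("capability revoked");
            }
            return t.read(name);
        }

        void revoke() {
            target = null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temp directory in place of the app's files dir.
        File appFiles = Files.createTempDirectory("capdemo").toFile();
        File logs = new File(appFiles, "logs");
        logs.mkdir();
        Files.write(new File(logs, "today.log").toPath(),
                "ok\n".getBytes(StandardCharsets.UTF_8));
        Files.write(new File(appFiles, "secret.txt").toPath(),
                "token".getBytes(StandardCharsets.UTF_8));

        // The issuer keeps the Revocable; the component only ever sees LogReader.
        Revocable grant = new Revocable(new ReadOnlyDirectory(logs));
        LogReader forComponent = grant;

        System.out.println(forComponent.read("today.log").trim());
        try {
            forComponent.read("../secret.txt");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        grant.revoke();
        try {
            forComponent.read("today.log");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The point of the pattern is that the component's reachable authority is exactly what the facet exposes, so a bug in that component cannot reach `secret.txt` or write anywhere, and the issuer can cut the grant off without restarting the process. As the post notes, this only guards against the app's own code: it does not add anything to the kernel-enforced grant, and code that loads a native library can bypass it.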