[e-lang] simple question
Marc Stiegler
marcs at skyhunter.com
Wed Aug 16 13:04:58 EDT 2006
Just a point of clarification. Whether a "program" can be run in
safemode without a powerbox like the one in CapDesk depends on one's
definition of "program". There must be some object running in privileged
scope that then confers POLA-privileges upon an object instantiated in
safe scope. In Kevin's example, the rune interpreter itself is the
object running in privileged scope.
Running object-cap "programs" on a legacy OS has a 2-step launch
process, which is why it is confusing (and incidentally, this is why it
took markm and myself a long time to figure it out, so don't feel bad if
it seems confusing, we were confused for years...or at least, I was
confused for years :-). From the application programmer's point of
view, he writes an object that he thinks of as a "main", which is an
object born in a safe scope. This "main" meets an interface
specification that has a defined way of accessing authorities that have
been granted by whomsoever launched the program (with the Emily sash
powerbox, this "main" is suggestively required to be called the CapMain
module).
However, this object written by the programmer as his "main" is not the
"main" seen by the legacy OS. The legacy OS sees a privileged object,
CapDesk/CapLauncher/rune/sash/other-.e-file, as the "main". This
OS-perspective "main" then computes appropriate authorities and sets
them up for the application-perspective "main" before instantiating the
application-perspective "main".
The main difference between a random .e file and a powerbox is that a
random .e file may itself instantiate a bunch of different app-specific
modules, confer to them their POLA authorities, and hook them together
on its own. Such a .e file is inevitably hardwired to the single
application for which it was created, and so for each such application,
another security review of the .e file is required. Echat, the
ebrowser, and capdesk itself have this design (the powerbox concept was
invented as part of creating capdesk, capdesk itself does not
incorporate all the benefits :-).
By contrast, a powerbox-architected version of the same app will have
the .e file call one safe-scope module, confer all the authorities that
the application needs to that one module. Then that one module
instantiates all the other app modules, confers their POLA authorities,
and hooks them together. Such a design can be made reusable: you can
write a single powerbox that can drive many applications, dramatically
reducing the number of things that need to be security reviewed if you
are running many applications.
--marcs
Kevin Reid wrote:
>> E programs cannot be run in safeMode without CapDesk? For example:
>> running an E program and giving it (at startup) capability to some
>> object...which, for example, enables it to write 10 lines to some
>> file.
>> Or something similar. (just a proposal)
>
> Of course they can.
>
> ? def makeEParser := <import:org.erights.e.elang.syntax.makeEParser>
>
> ? def program := makeEParser.run(<file:///home/kosik/program.e>)
> # value: e`...`
>
> ? def object := program.eval(safeScope)
> # value: <programWithoutAuthority>
>
> ? var alive := true
> ? def writer(text) {
> > require(alive)
> > alive := false
> > def lines := text.split("\n")
> > <file:///home/kosik/output.txt>.appendText(
> > "\n".join(lines(0, 10.min(lines.size())))
> > )
> > }
>
> ? object.run(writer)
>
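The two-step launch Marc describes, modelled in Python as an added example that is not code from the thread, from E or from CapDesk. A privileged-scope launcher (the OS-perspective "main", here a hypothetical `Powerbox` class) computes attenuated authorities and only then instantiates the application-perspective main, which is written with no authority of its own. The attenuator mirrors Kevin's `writer`: callable once, at most ten lines. All names (`Powerbox`, `make_one_shot_writer`, `InMemoryFile`, the two `*_app_main` factories) are assumptions for illustration, and the file system is an in-memory stand-in so the example runs offline.

```python
"""Constructed model of the two-step object-capability launch.
Names here are illustrative assumptions, not E, CapDesk or sash APIs."""


class InMemoryFile:
    """Stand-in for <file:...>.appendText so the example needs no disk."""

    def __init__(self):
        self.contents = ""

    def append_text(self, text):
        self.contents += text


def make_one_shot_writer(target, max_lines=10):
    """Attenuator in the spirit of Kevin's writer: usable once, writes at
    most max_lines lines, and this closure holds the only reference to
    `target`, so the holder of `writer` gains no other file authority."""
    alive = True

    def writer(text):
        nonlocal alive
        if not alive:
            raise PermissionError("writer authority already consumed")
        alive = False
        lines = text.split("\n")
        target.append_text("\n".join(lines[:max_lines]))
        return min(len(lines), max_lines)  # number of lines actually written

    return writer


class Powerbox:
    """Privileged-scope launcher (the OS-perspective "main"). Written and
    security-reviewed once; each application supplies only a
    cap_main(authorities) factory, which is Marc's reusability point."""

    def __init__(self, filesystem):
        self._fs = filesystem  # full authority lives only in this object

    def launch(self, cap_main, grants):
        """grants maps an application-facing name to (path, max_lines).
        The authorities are computed first, then the application-perspective
        main is instantiated with them and nothing else."""
        authorities = {}
        for name, (path, max_lines) in grants.items():
            authorities[name] = make_one_shot_writer(self._fs[path], max_lines)
        return cap_main(authorities)


# --- application side: "safe scope", i.e. no imports and no ambient file access ---
def log_app_main(authorities):
    """Application-perspective main: it can only do what `authorities` allow."""
    out = authorities["log"]

    def run(text):
        return out(text)

    return run


def note_app_main(authorities):
    """A second, unrelated app driven by the same powerbox without re-review."""

    def run(text):
        return authorities["notes"]("NOTE: " + text)

    return run


def demo():
    # Constructed sample file system and program input.
    fs = {"output.txt": InMemoryFile(), "notes.txt": InMemoryFile()}
    powerbox = Powerbox(fs)
    twelve_lines = "\n".join(f"line {i}" for i in range(12))

    log_run = powerbox.launch(log_app_main, {"log": ("output.txt", 10)})
    written = log_run(twelve_lines)  # only the first 10 lines reach the file
    try:
        log_run("second attempt")
        second_call_allowed = True
    except PermissionError:
        second_call_allowed = False  # the one-shot authority is spent

    note_run = powerbox.launch(note_app_main, {"notes": ("notes.txt", 10)})
    note_run("hello")
    return written, fs["output.txt"].contents, second_call_allowed, fs["notes.txt"].contents


if __name__ == "__main__":
    print(demo())
```

The application factories receive a dictionary and nothing else; they never see `fs` or the `Powerbox`, so the review burden sits in the launcher and the attenuator, not in each application.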