[e-lang] E research topics
zooko at zooko.com
Fri Apr 13 16:54:11 CDT 2007
I, Zooko, wrote the lines prepended with "> > ".
David Wagner wrote the lines prepended with "> ".
> >I mean that the library that I'm re-using does not get authority that I didn't
> >explicitly grant it, including authority to modify my persistent state
> >(filesystem), connect to the network, read or write the non-granted state of my
> >program (i.e. memory safety), etc..
> Good luck, brother! While this would be nice, I don't think you're likely
> to get it, if you also require the ability to re-use most existing native
> code and legacy libraries written in C, C++, etc. Even if you put the
> library in a separate process and use IPC, how would you restrict what
> files the legacy library can open? I think this is a near-impossible
> problem statement. You can't get there from here.
Really? I'm surprised that you think so. Jon Leonard has already suggested
ptrace (a la Systrace) and selinux. To this list I add "separate user
account a la Polaris and plash" and "various forms of virtualization
a la Jail, Xen, and Solaris Zones".
This latter idea can be seen as similar in spirit to Polaris or plash, but
fully programmable, and with the change of confining the code into a virtual
machine/container instead of into a separate user account.
Or if one isn't coming from the perspective of Polaris but instead coming from
the perspective of the current virtualization community, what I propose can be
seen as a principled method of programmably granting limited authority to
objects that are otherwise confined by virtualization.
There may be all sorts of practical problems with this approach, but it doesn't
appear to be a priori impossible to me. Can you tell us more about why you
think it is near-impossible? Is it just the preponderance of practical hurdles
or is there some theoretical hole in the very idea?
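A small Python sketch of the "programmably grant limited authority to otherwise confined code" idea, in the style of plash's descriptor passing; this is an added example, not code from the thread or from plash. The confining mechanism itself (separate user account, container, ptrace) is assumed to already be in place and is not shown; the names grant_file, confined_side and demo are mine.

```python
import os
import socket
import tempfile

# Constructed example: the granting side holds ambient filesystem authority;
# the confined side (standing in for a legacy library in its own process)
# never sees a path, only the descriptors handed to it over a Unix socket
# via SCM_RIGHTS, and only with the access mode the granter chose.

def grant_file(sock, path, flags):
    """Open `path` with the granter's authority and send just the descriptor."""
    fd = os.open(path, flags)
    try:
        socket.send_fds(sock, [b"grant"], [fd])
    finally:
        os.close(fd)  # the receiver's copy stays open

def receive_grant(sock):
    msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    if msg != b"grant" or len(fds) != 1:
        raise PermissionError("no authority was granted")
    return fds[0]

def confined_side(sock):
    """Read via the granted fd, then show that an ungranted write is refused."""
    fd = receive_grant(sock)
    data = os.pread(fd, 4096, 0)
    try:
        os.write(fd, b"tamper")   # fails with EBADF: fd was granted read-only
        refused = False
    except OSError:
        refused = True
    os.close(fd)
    return data, refused

def demo():
    """Fork a confined child, grant it one read-only file, collect its report."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "granted.txt")
        with open(path, "wb") as f:
            f.write(b"only this file was granted\n")
        granter, confined = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        pid = os.fork()
        if pid == 0:                       # child: holds no path, only the socket
            granter.close()
            data, refused = confined_side(confined)
            confined.sendall(data + (b"|refused" if refused else b"|allowed"))
            os._exit(0)
        confined.close()
        grant_file(granter, path, os.O_RDONLY)
        reply = b"".join(iter(lambda: granter.recv(4096), b""))
        os.waitpid(pid, 0)
        granter.close()
        data, verdict = reply.rsplit(b"|", 1)
        return data, verdict == b"refused"
```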