Sandboxing (Was: Behaviors vs Modules)
David Simmons
David.Simmons at smallscript.com
Sat Feb 23 20:39:38 UTC 2002
> -----Original Message-----
> From: squeak-dev-admin at lists.squeakfoundation.org [mailto:squeak-dev-admin at lists.squeakfoundation.org] On Behalf Of Daniel Joyce
> Sent: Friday, February 22, 2002 9:06 PM
> To: squeak-dev at lists.squeakfoundation.org
> Subject: Re: Behaviors vs Modules
>
> On Friday 22 February 2002 08:11 pm, you wrote:
> > Anthony Hannan <ajh18 at cornell.edu> writes:
> > > What do you guys think? I'm thinking of making this my next project.
> >
> > "Oh Yes Please" :)
> >
> > Anthony and David in one thread, this is great. I think I may be starting
> > to see what is meant by "selector namespaces".
> >
> > Regards
> > --Simon
>
> Someone posted a reference to a paper on "layers" which was very
> interesting too. It's somewhere in the list within the last 1-2 weeks. The
> notion of layers also solves modules, and namespaces, and could be used for
> sandboxing too.

SmallScript includes virtual sandboxes. They are a next step beyond
selector namespaces. They require introduction of the notion of
"tainted" and "untainted" namespace scopes, where a "trusted" method is
required for a "tainted" scope to access "untainted" scope behavior.
Thus, a "trusted" method is a thunk for crossing between the worlds.

Here is an example from SmallScript:
""""""""""""""""""""""""""""
"" Sandbox.sts source file
""""""""""""""""""""""""""""
Compiler cmds: '-target:dll'.
Module name: Sandbox version: 1.0.0.0.
"" Uncomment out the following one at a time,
"" rebuilding the sandbox.dll after each time,
"" and re-trying/re-running the tainted.sts
"" script sample.
<!--
Method behavior: PoolVariable [<$trusted>
value
^value()
]
Method behavior: StdOutStream [<$trusted>
cr
^cr()
]
Method behavior: StdOutStream [<$trusted>
<< v
^self << v
]
-->
""""""""""""""""
"" Tainted.sts
""""""""""""""""
Compiler cmds: '-safe:no'.
Requires module: Sandbox.
Module name: UnsafeCode.
Eval [stdout cr << 'Tainted code']
============
In practice, you would not have the "Compiler cmds: '-safe:no'." in the
script file itself (I just did that for convenience).
You would more typically invoke an "untrusted" script as:
AMLCompiler cmds: '-safe:no ' + scriptPathName.
===
-- Dave S. [SmallScript Corp]
SmallScript for the AOS & .NET Platforms
David.Simmons at SmallScript.com | http://www.smallscript.org
>
> Daniel
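
The "uncomment one at a time" experiment from the message above, as a toy Python model added here; it is not part of the original post and not SmallScript's implementation. It assumes that sends from tainted scope are default-deny, that the three methods are enabled cumulatively in the order Sandbox.sts lists them, and that evaluation stops at the first send with no trusted thunk; `Sandbox`, `SandboxViolation` and `run_tainted` are hypothetical names.

```python
# Toy Python model of the Sandbox.sts / Tainted.sts experiment (not SmallScript itself).
import io

class SandboxViolation(Exception):
    """Tainted code sent a selector that has no trusted thunk."""

class Sandbox:
    def __init__(self):
        self._thunks = {}  # (behavior, selector) -> callable living in untainted scope

    def trust(self, behavior, selector, impl):
        # Counterpart of "Method behavior: X [<$trusted> ...]" in Sandbox.sts.
        self._thunks[(behavior, selector)] = impl

    def send(self, behavior, selector, *args):
        # Assumption: every send from tainted scope is default-deny and mediated here.
        thunk = self._thunks.get((behavior, selector))
        if thunk is None:
            raise SandboxViolation(f"{behavior}>>{selector}")
        return thunk(*args)

def _cr(stream):
    stream.write("\n")
    return stream

def _put(stream, value):
    stream.write(value)
    return stream

def run_tainted(uncommented):
    """Model Eval [stdout cr << 'Tainted code'] with the first N thunks enabled."""
    out = io.StringIO()  # stands in for the real stdout
    thunks = [("PoolVariable", "value", lambda: out),  # same order as Sandbox.sts
              ("StdOutStream", "cr", _cr),
              ("StdOutStream", "<<", _put)]
    box = Sandbox()
    for behavior, selector, impl in thunks[:uncommented]:
        box.trust(behavior, selector, impl)
    try:
        stream = box.send("PoolVariable", "value")       # resolve the `stdout` pool variable
        stream = box.send("StdOutStream", "cr", stream)  # unary send binds first
        box.send("StdOutStream", "<<", stream, "Tainted code")
    except SandboxViolation as blocked:
        return f"blocked at {blocked}", out.getvalue()
    return "ok", out.getvalue()

if __name__ == "__main__":
    for n in range(4):
        print(n, run_tainted(n))
```

With two thunks enabled the newline is already written before `<<` is refused, so a partially trusted surface can leave partial side effects behind.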