comp.lang.ada
 help / color / mirror / Atom feed
From: Shark8 <onewingedshark@gmail.com>
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Thu, 14 Oct 2021 08:16:30 -0700 (PDT)	[thread overview]
Message-ID: <2c73d584-81a4-47ce-b86a-0ff8bdd776b9n@googlegroups.com> (raw)
In-Reply-To: <ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com>

On Wednesday, October 13, 2021 at 9:46:34 PM UTC-6, Doctor Who wrote:
> On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8 
> >On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote: 
> >> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote: 
> >> >Doctor Who writes: 
> >> > 
> >> >> someone knows how to introduce the capabilities paradigm in Ada, 
> >> >> specifically for programs written using the Ravenscar profile ? 
> >> > 
> >> >Google hasn't helped me to understand what you're getting at. Perhaps 
> >> >you could expand? 
> >> wikipedia has a good explanation: 
> >> https://en.wikipedia.org/wiki/Capability-based_security 
> >Ah. 
> >Limited Private, unknown-discriminant types. 
> > 
> >Package Capabilities is 
> > -- Enumeration of the particular capabilities. 
> > Type Capability is ( Read, Copy, Whatever ); 
> > -- A Boolean set for delineating a set of Capabilities. 
> > Type Capability_List is Array(Capability) of Boolean; 
> > -- An instance of a set of capabilities; note that: 
> > -- (1) LIMITED means there is no predefined assignment/copy. 
> > -- (2) PRIVATE means there is no public view to the components. 
> > -- (3) Unknown discriminants mean there is no object-creation w/o a function-call. 
> > Type Instance(<>) is limited private; 
> > -- Create an instance; add any other needed parameters. 
> > Function Create( Capabilities : Capability_List ) return Instance; 
> > -- No permissions. 
> > Function No_Permissions return Instance; 
> >Private 
> > Type Instance is record 
> > Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized."); 
> > -- (others => False); -- Or maybe default to no permissions. 
> > -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID. 
> > End record; 
> > 
> > Function Create( Capabilities : Capability_List ) return Instance is 
> > ( Permissions => Capabilities ); 
> > Function No_Permissions return Instance is 
> > ( Create( Capability_List'(others => False) ) ); 
> >End Capabilities; 
> > 
> >You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.
> a Process Capability looks like this: 
> 
> Operations: 
> a. "Read", address; > data; 
> b. "Write", address, data; > ; 
> c. "Take", index; > ; capability 
> d. "Give", index; capability > ; 
> e. "Find", index, count; capability > result, index; 
> f. "Start"; > ; 
> g. "Stop"; > ; 
Does it?
Why?
Or is this just one possible implementation of 'capabilities' operations?
Operations on a type correspond to subprograms in Ada; nothing you present seems (at first glance) incompatible with the structure/types I gave you.
> 
> Semantics: The "Read" and "Write" operations allow access to the 
> process's memory. For example, in the "Read" operation, the literal 
> string "Read" (or a recognizable OP code) is passed along with an 
> address. The data word at the address is returned. 
I think you're jumping the gun.
You need to have a good model, and why are you jumping straight into implementation?
(Literal string? Recognizable OP code? -- All implementation details; forget them right now, concentrate on the modeling of the problem, not the details of how to implement, and AFTER getting the model down, THEN consider code.)
> The "Give" and "Take" operations allow access to the process's C-list. 
> For example, the "Give" operation passes the string "Give", an index 
> into the C-list, and a capability to be stored at the passed index. 
> Such a stored capability could be invoked by the process if it were 
> "Start"ed. 
This part of your explanation makes it sound like you do not understand the code I presented, or the reasoning behind it; forgive me for poorly communicating it.
The reason you want a "limited private type with unknown discriminants" is because:
1)  It hides the implementation, meaning clients cannot alter it indiscriminately.
2)  It prohibits automatic initialization, forcing the usage of an initialization subprogram.
3)  It forces usage of the public interface for clients, private details can manipulate it though.
4)  Any public operations, again, have to go through the public interface.
5)  Copying is strictly prohibited, hence "limited".

In the model I had envisioned the Capabilities-list (Capabilities.Instance) would be an integral part of the TASK, and there would likely be a Get_Capabilities function which would return the proper value, some set-operations, and a new creation-function:
  Function Create( Object : OS_Task_Interface; Capabilities : Capability_List ) return Instance is
     Parent : Instance renames Get_Capabilities( Object );
     Caps : Capability_List renames Parent.Permissions;
  Begin
     Return Intersect( Caps, Capabilities ); -- The granted capabilities cannot be ones the parent does not have, nor may it be ones not requested.
  End Create;
The above, I think, does the work you are putting into TAKE and GIVE.
> The "Find" operation allows a slightly optimized sort of compare 
> operation for capabilities. The process's C-list is searched, starting 
> at the passed index, for the passed capability until either: 
> 
> 1. The passed capability is found in the C-list. In this case, the 
> operation returns "Yes" and the first index where the capability was 
> found, or 
> 
> 2. The count is exhausted. In this case the operation returns "No" and 
> the passed index plus count.
Why are you bothering with a list?
Why are you even bothering with an index?
The implementation I gave you has the capabilities enumerated; you would add an operation to the capabilities package:
Function Has( Object : Instance; Permission : Capability) return Boolean is
Begin
   Return Object.Permissions( Permission ); -- Just use the enumeration-index of the permissions field.
End Has;
Done.
> 
> 
> in addition there is a Nil Capability: 
> Nil Capability: When a process is initially created its C-list 
> contains only Nils. These are empty place holders. Nil always returns 
> "Empty".
This... sounds like you are not understanding, at all, the Ada code I presented you.
Look at the creation function No_Permissions.

  reply	other threads:[~2021-10-14 15:16 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-11 13:33 Doctor Who
2021-10-11 14:48 ` Luke A. Guest
2021-10-11 19:25   ` Doctor Who
2021-10-11 19:36     ` Luke A. Guest
2021-10-11 19:50       ` Doctor Who
2021-10-12  0:45         ` Luke A. Guest
2021-10-12  0:47           ` Luke A. Guest
2021-10-12  2:31             ` Doctor Who
2021-10-12  2:29           ` Doctor Who
2021-10-12  2:35             ` Doctor Who
2021-10-12  3:19             ` Doctor Who
2021-10-12  5:17         ` Richard Iswara
2021-10-12  6:42           ` Doctor Who
2021-10-12 11:51             ` Richard Iswara
2021-10-12 11:58               ` Luke A. Guest
2021-10-12 15:04                 ` Doctor Who
2021-10-11 15:32 ` Simon Wright
2021-10-11 19:24   ` Doctor Who
2021-10-12 15:01     ` Shark8
2021-10-12 15:02       ` Luke A. Guest
2021-10-12 15:33         ` Shark8
2021-10-12 15:43           ` Luke A. Guest
2021-10-12 18:21             ` Doctor Who
2021-10-12 18:24               ` Doctor Who
2021-10-14  3:46       ` Doctor Who
2021-10-14 15:16         ` Shark8 [this message]
2021-10-14 16:38           ` Doctor Who
2021-10-14 21:20             ` Simon Wright
2021-10-15 11:21               ` Doctor Who
2021-10-11 15:48 ` Shark8
2021-10-11 19:25   ` Doctor Who
replies disabled

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox