Re: The Ravenscar profile and capabilities paradigm

[Doctor Who <doc@tardis.org>]

On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8
<onewingedshark@gmail.com> wrote:

>On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>> >Doctor Who writes: 
>> > 
>> >> someone knows how to introduce the capabilities paradigm in Ada, 
>> >> specifically for programs written using the Ravenscar profile ? 
>> > 
>> >Google hasn't helped me to understand what you're getting at. Perhaps 
>> >you could expand?
>> wikipedia has a good explanation: 
>> https://en.wikipedia.org/wiki/Capability-based_security
>Ah.
>Limited Private, unknown-discriminant types.
>
>Package Capabilities is
>   -- Enumeration of the particular capabilities.
>   Type Capability is ( Read, Copy, Whatever ); 
>   -- A Boolean set for delineating a set of Capabilities.
>   Type Capability_List is Array(Capability) of Boolean;
>   -- An instance of a set of capabilities; note that:
>   -- (1) LIMITED means there is no predefined assignment/copy.
>   -- (2) PRIVATE means there is no public view to the components.
>   -- (3) Unknown discriminants mean there is no object-creation w/o a function-call. 
>   Type Instance(<>) is limited private;
>   -- Create an instance; add any other needed parameters.
>   Function Create( Capabilities : Capability_List ) return Instance;
>   -- No permissions.
>   Function No_Permissions return Instance;
>Private
>   Type Instance is record
>      Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized.");
>      -- (others => False); -- Or maybe default to no permissions.
>      -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID.
>   End record;
>   
>   Function Create( Capabilities : Capability_List ) return Instance is
>      ( Permissions => Capabilities );
>   Function No_Permissions return Instance is
>      ( Create( Capability_List'(others => False) ) );
>End Capabilities;
>
>You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.


a Process Capability looks like this:

Operations:
a. "Read", address; > data;
b. "Write", address, data; > ;
c. "Take", index; > ; capability
d. "Give", index; capability > ;
e. "Find", index, count; capability > result, index;
f. "Start"; > ;
g. "Stop"; > ;

Semantics: The "Read" and "Write" operations allow access to the
process's memory. For example, in the "Read" operation, the literal
string "Read" (or a recognizable OP code) is passed along with an
address. The data word at the address is returned.

The "Give" and "Take" operations allow access to the process's C-list.
For example, the "Give" operation passes the string "Give", an index
into the C-list, and a capability to be stored at the passed index.
Such a stored capability could be invoked by the process if it were
"Start"ed.

The "Find" operation allows a slightly optimized sort of compare
operation for capabilities. The process's C-list is searched, starting
at the passed index, for the passed capability until either:

1. The passed capability is found in the C-list. In this case, the
operation returns "Yes" and the first index where the capability was
found, or

2. The count is exhausted. In this case the operation returns "No" and
the passed index plus count. 


in addition there is a Nil Capability:
Nil Capability: When a process is initially created its C-list
contains only Nils. These are empty place holders. Nil always returns
"Empty".