From: Doctor Who
Newsgroups: comp.lang.ada
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Thu, 14 Oct 2021 05:46:30 +0200
References: <07f8mgdot9tmh8mqen2ogd5dds2gojoleh@4ax.com>

On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8 wrote:

>On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>> >Doctor Who writes:
>> >
>> >> Does someone know how to introduce the capabilities paradigm in Ada,
>> >> specifically for programs written using the Ravenscar profile?
>> >
>> >Google hasn't helped me to understand what you're getting at. Perhaps
>> >you could expand?
>> Wikipedia has a good explanation:
>> https://en.wikipedia.org/wiki/Capability-based_security
>Ah.
>Limited Private, unknown-discriminant types.
>
>Package Capabilities is
>   -- Enumeration of the particular capabilities.
>   Type Capability is ( Read, Copy, Whatever );
>   -- A Boolean set for delineating a set of Capabilities.
>   Type Capability_List is Array(Capability) of Boolean;
>   -- An instance of a set of capabilities; note that:
>   -- (1) LIMITED means there is no predefined assignment/copy.
>   -- (2) PRIVATE means there is no public view to the components.
>   -- (3) Unknown discriminants mean there is no object-creation w/o a function-call.
>   Type Instance(<>) is limited private;
>   -- Create an instance; add any other needed parameters.
>   Function Create( Capabilities : Capability_List ) return Instance;
>   -- No permissions.
>   Function No_Permissions return Instance;
>Private
>   Type Instance is record
>      Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized.");
>      -- (others => False); -- Or maybe default to no permissions.
>      -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID.
>   End record;
>
>   Function Create( Capabilities : Capability_List ) return Instance is
>     ( Permissions => Capabilities );
>   Function No_Permissions return Instance is
>     ( Create( Capability_List'(others => False) ) );
>End Capabilities;
>
>You could also extend things with a Task-ID; assuming you want this
>prevalent/pervasive across the OS, you could make a TASK INTERFACE with an
>accessor (Function Get_Capabilities(Self : OS_Task_Interface) return
>Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give
>permissions.) and/or possibly a registry to manage permissions (on a
>finer-grained level) if you need it. A lot depends on how you
>architect/model it, but the "limited private unknown-discriminant type"
>perfectly fits what you need at the fundamental levels.

A Process Capability looks like this:

Operations:
  a. "Read", address; > data;
  b. "Write", address, data; > ;
  c. "Take", index; > ; capability
  d. "Give", index; capability > ;
  e. "Find", index, count; capability > result, index;
  f. "Start"; > ;
  g. "Stop"; > ;

Semantics:
The "Read" and "Write" operations allow access to the process's memory.
For example, in the "Read" operation, the literal string "Read" (or a
recognizable OP code) is passed along with an address. The data word at
the address is returned.

The "Give" and "Take" operations allow access to the process's C-list.
For example, the "Give" operation passes the string "Give", an index into
the C-list, and a capability to be stored at the passed index. Such a
stored capability could be invoked by the process if it were "Start"ed.

The "Find" operation allows a slightly optimized sort of compare operation
for capabilities. The process's C-list is searched, starting at the passed
index, for the passed capability until either:
  1. The passed capability is found in the C-list. In this case, the
     operation returns "Yes" and the first index where the capability was
     found, or
  2. The count is exhausted. In this case the operation returns "No" and
     the passed index plus count.

In addition there is a Nil Capability:

Nil Capability: When a process is initially created its C-list contains
only Nils. These are empty placeholders. Nil always returns "Empty".
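Added example, not code from the thread or from either poster: it takes the "limited private, unknown-discriminant" Instance type from the quoted reply and builds on it the process C-list with the Give, Take, Find and Nil operations described in the post, so the two halves of the message can be seen working together. Everything not stated in the thread is my assumption: the package and type names (Caps, Right, C_List), a C-list of 8 slots, a four-value rights set, the Find signature with in out / out parameters, and Take moving the capability out of its slot (leaving Nil) rather than copying it, which is the only option a limited type leaves open. The code is plain Ada 2012 (expression functions, in out function parameters) and uses no tasking or heap allocation; Ada.Text_IO is there only for the demonstration output.

```ada
-- Added example, not code from the thread: the limited-private, unknown-
-- discriminant Instance type from the quoted reply, used to build the
-- Give / Take / Find / Nil C-list described in the post. Assumed here, not
-- stated in the thread: the names Caps and C_List, 8 slots, and Take moving
-- a capability out of its slot (leaving Nil) instead of copying it.
with Ada.Text_IO;

procedure Capability_Demo is

   package Caps is
      type Right     is (Read, Write, Start, Stop);
      type Right_Set is array (Right) of Boolean;
      -- Unknown discriminants: an Instance exists only via Create or Nil.
      -- Limited: no assignment, so a client can neither forge nor copy one.
      type Instance (<>) is limited private;
      function Create (Rights : Right_Set) return Instance;
      function Nil    return Instance;
      function Is_Nil (C : Instance) return Boolean;
      function Has    (C : Instance; R : Right) return Boolean;
      -- The process's C-list: a fixed set of slots, all Nil at creation.
      subtype Slot is Natural range 0 .. 7;
      type C_List is limited private;
      -- "Give", index; capability > ;      store Cap at Index.
      procedure Give (L : in out C_List; Index : Slot; Cap : Instance);
      -- "Take", index; > ; capability      move the entry at Index out.
      function  Take (L : in out C_List; Index : Slot) return Instance;
      -- "Find", index, count; capability > result, index
      -- Found and Index = first match, or not Found and Index = Index + Count.
      procedure Find (L : C_List; Cap : Instance; Count : Natural;
                      Index : in out Natural; Found : out Boolean);
   private
      type Instance is record
         Empty  : Boolean   := True;              -- a Nil placeholder
         Rights : Right_Set := (others => False);
      end record;
      type Slots  is array (Slot) of Instance;    -- defaults to all Nil
      type C_List is record
         Entries : Slots;
      end record;
   end Caps;

   package body Caps is
      function Create (Rights : Right_Set) return Instance is
        (Empty => False, Rights => Rights);
      function Nil return Instance is
        (Empty => True, Rights => (others => False));
      function Is_Nil (C : Instance) return Boolean is (C.Empty);
      function Has (C : Instance; R : Right) return Boolean is
        (not C.Empty and then C.Rights (R));
      function Same (A, B : Instance) return Boolean is
        (A.Empty = B.Empty and then A.Rights = B.Rights);

      -- Inside the package the full view is an ordinary record, so the
      -- C-list itself may copy and overwrite entries; clients cannot.
      procedure Give (L : in out C_List; Index : Slot; Cap : Instance) is
      begin
         L.Entries (Index) := Cap;
      end Give;
      function Take (L : in out C_List; Index : Slot) return Instance is
         Moved : constant Instance := L.Entries (Index);
      begin
         L.Entries (Index) := Nil;
         return Moved;
      end Take;
      procedure Find (L : C_List; Cap : Instance; Count : Natural;
                      Index : in out Natural; Found : out Boolean) is
      begin
         -- Scan at most Count slots and never past the end of the list.
         for I in Index .. Natural'Min (Slot'Last, Index + Count - 1) loop
            if Same (L.Entries (I), Cap) then
               Found := True;
               Index := I;
               return;
            end if;
         end loop;
         Found := False;
         Index := Index + Count;
      end Find;
   end Caps;

   use Caps;
   List  : C_List;                                 -- only Nils so far
   RO    : Instance := Create ((Read => True, others => False));
   Idx   : Natural  := 0;
   Found : Boolean;
begin
   Give (List, 2, RO);
   Find (List, RO, 8, Idx, Found);                 -- Found, Idx = 2
   Ada.Text_IO.Put_Line ("find RO: " & Boolean'Image (Found) & " at" & Natural'Image (Idx));
   Idx := 0;                                       -- not Found, Idx = 0 + 3
   Find (List, Create ((Write => True, others => False)), 3, Idx, Found);
   Ada.Text_IO.Put_Line ("find W:  " & Boolean'Image (Found) & " at" & Natural'Image (Idx));
   declare
      Taken : Instance := Take (List, 2);          -- moves RO out of slot 2
   begin
      Ada.Text_IO.Put_Line ("taken can Read: " & Boolean'Image (Has (Taken, Read))
                            & ", slot 2 nil: " & Boolean'Image (Is_Nil (Take (List, 2))));
   end;
   --  Both of these are rejected at compile time, which is the point:
   --  Copy   : Instance := RO;                                -- limited type
   --  Forged : Instance := (Empty => False, Rights => (others => True));
end Capability_Demo;
```

The security property rests on the two views of Instance: outside Caps it is limited and has unknown discriminants, so the only ways to hold one are Create, Nil and Take, and the only way to put one somewhere is Give; inside Caps the full record view lets the C-list store, move and compare entries. The two commented-out declarations at the end are the forgery and duplication attempts the pattern is meant to rule out, and the compiler rejects both. Find follows the post's contract exactly: it returns the first matching index on a hit and the passed index plus count on a miss, and the Natural'Min bound keeps it from running past the last slot when Count is larger than what remains.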