comp.lang.ada
 help / color / mirror / Atom feed
From: Doctor Who <doc@tardis.org>
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Thu, 14 Oct 2021 18:38:16 +0200	[thread overview]
Message-ID: <d0ngmg5s8uevb19pjcakqt55utg4jirmio@4ax.com> (raw)
In-Reply-To: 2c73d584-81a4-47ce-b86a-0ff8bdd776b9n@googlegroups.com

On Thu, 14 Oct 2021 08:16:30 -0700 (PDT), Shark8
<onewingedshark@gmail.com> wrote:

>On Wednesday, October 13, 2021 at 9:46:34 PM UTC-6, Doctor Who wrote:
>> On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8 
>> >On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote: 
>> >> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote: 
>> >> >Doctor Who writes: 
>> >> > 
>> >> >> someone knows how to introduce the capabilities paradigm in Ada, 
>> >> >> specifically for programs written using the Ravenscar profile ? 
>> >> > 
>> >> >Google hasn't helped me to understand what you're getting at. Perhaps 
>> >> >you could expand? 
>> >> wikipedia has a good explanation: 
>> >> https://en.wikipedia.org/wiki/Capability-based_security 
>> >Ah. 
>> >Limited Private, unknown-discriminant types. 
>> > 
>> >Package Capabilities is 
>> > -- Enumeration of the particular capabilities. 
>> > Type Capability is ( Read, Copy, Whatever ); 
>> > -- A Boolean set for delineating a set of Capabilities. 
>> > Type Capability_List is Array(Capability) of Boolean; 
>> > -- An instance of a set of capabilities; note that: 
>> > -- (1) LIMITED means there is no predefined assignment/copy. 
>> > -- (2) PRIVATE means there is no public view to the components. 
>> > -- (3) Unknown discriminants mean there is no object-creation w/o a function-call. 
>> > Type Instance(<>) is limited private; 
>> > -- Create an instance; add any other needed parameters. 
>> > Function Create( Capabilities : Capability_List ) return Instance; 
>> > -- No permissions. 
>> > Function No_Permissions return Instance; 
>> >Private 
>> > Type Instance is record 
>> > Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized."); 
>> > -- (others => False); -- Or maybe default to no permissions. 
>> > -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID. 
>> > End record; 
>> > 
>> > Function Create( Capabilities : Capability_List ) return Instance is 
>> > ( Permissions => Capabilities ); 
>> > Function No_Permissions return Instance is 
>> > ( Create( Capability_List'(others => False) ) ); 
>> >End Capabilities; 
>> > 
>> >You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.
>> a Process Capability looks like this: 
>> 
>> Operations: 
>> a. "Read", address; > data; 
>> b. "Write", address, data; > ; 
>> c. "Take", index; > ; capability 
>> d. "Give", index; capability > ; 
>> e. "Find", index, count; capability > result, index; 
>> f. "Start"; > ; 
>> g. "Stop"; > ; 
>Does it?
>Why?
>Or is this just one possible implementation of 'capabilities' operations?

it is the one I would like to implement.


>Operations on a type correspond to subprograms in Ada; nothing you present seems (at first glance) incompatible with the structure/types I gave you.

exactly


>> 
>> Semantics: The "Read" and "Write" operations allow access to the 
>> process's memory. For example, in the "Read" operation, the literal 
>> string "Read" (or a recognizable OP code) is passed along with an 
>> address. The data word at the address is returned. 
>I think you're jumping the gun.
>You need to have a good model, and why are you jumping straight into implementation?

http://www.webstart.com/jed/papers/DCCS/


>(Literal string? Recognizable OP code? -- All implementation details; forget them right now, concentrate on the modeling of the problem, not the details of how to implement, and AFTER getting the model down, THEN consider code.)
>> The "Give" and "Take" operations allow access to the process's C-list. 
>> For example, the "Give" operation passes the string "Give", an index 
>> into the C-list, and a capability to be stored at the passed index. 
>> Such a stored capability could be invoked by the process if it were 
>> "Start"ed. 
>This part of your explanation makes it sound like you do not understand the code I presented, or the reasoning behind it; forgive me for poorly communicating it.
>The reason you want a "limited private type with unknown discriminants" is because:
>1)  It hides the implementation, meaning clients cannot alter it indiscriminately.
>2)  It prohibits automatic initialization, forcing the usage of an initialization subprogram.
>3)  It forces usage of the public interface for clients, private details can manipulate it though.
>4)  Any public operations, again, have to go through the public interface.
>5)  Copying is strictly prohibited, hence "limited".
>
>In the model I had envisioned the Capabilities-list (Capabilities.Instance) would be an integral part of the TASK, and there would likely be a Get_Capabilities function which would return the proper value, some set-operations, and a new creation-function:
>  Function Create( Object : OS_Task_Interface; Capabilities : Capability_List ) return Instance is
>     Parent : Instance renames Get_Capabilities( Object );
>     Caps : Capability_List renames Parent.Permissions;
>  Begin
>     Return Intersect( Caps, Capabilities ); -- The granted capabilities cannot be ones the parent does not have, nor may it be ones not requested.
>  End Create;
>The above, I think, does the work you are putting into TAKE and GIVE.
>> The "Find" operation allows a slightly optimized sort of compare 
>> operation for capabilities. The process's C-list is searched, starting 
>> at the passed index, for the passed capability until either: 
>> 
>> 1. The passed capability is found in the C-list. In this case, the 
>> operation returns "Yes" and the first index where the capability was 
>> found, or 
>> 
>> 2. The count is exhausted. In this case the operation returns "No" and 
>> the passed index plus count.
>Why are you bothering with a list?
>Why are you even bothering with an index?
>The implementation I gave you has the capabilities enumerated; you would add an operation to the capabilities package:
>Function Has( Object : Instance; Permission : Capability) return Boolean is
>Begin
>   Return Object.Permissions( Permission ); -- Just use the enumeration-index of the permissions field.
>End Has;
>Done.
>> 
>> 
>> in addition there is a Nil Capability: 
>> Nil Capability: When a process is initially created its C-list 
>> contains only Nils. These are empty place holders. Nil always returns 
>> "Empty".
>This... sounds like you are not understanding, at all, the Ada code I presented you.
>Look at the creation function No_Permissions.

  reply	other threads:[~2021-10-14 16:38 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-11 13:33 The Ravenscar profile and capabilities paradigm Doctor Who
2021-10-11 14:48 ` Luke A. Guest
2021-10-11 19:25   ` Doctor Who
2021-10-11 19:36     ` Luke A. Guest
2021-10-11 19:50       ` Doctor Who
2021-10-12  0:45         ` Luke A. Guest
2021-10-12  0:47           ` Luke A. Guest
2021-10-12  2:31             ` Doctor Who
2021-10-12  2:29           ` Doctor Who
2021-10-12  2:35             ` Doctor Who
2021-10-12  3:19             ` Doctor Who
2021-10-12  5:17         ` Richard Iswara
2021-10-12  6:42           ` Doctor Who
2021-10-12 11:51             ` Richard Iswara
2021-10-12 11:58               ` Luke A. Guest
2021-10-12 15:04                 ` Doctor Who
2021-10-11 15:32 ` Simon Wright
2021-10-11 19:24   ` Doctor Who
2021-10-12 15:01     ` Shark8
2021-10-12 15:02       ` Luke A. Guest
2021-10-12 15:33         ` Shark8
2021-10-12 15:43           ` Luke A. Guest
2021-10-12 18:21             ` Doctor Who
2021-10-12 18:24               ` Doctor Who
2021-10-14  3:46       ` Doctor Who
2021-10-14 15:16         ` Shark8
2021-10-14 16:38           ` Doctor Who [this message]
2021-10-14 21:20             ` Simon Wright
2021-10-15 11:21               ` Doctor Who
2021-10-11 15:48 ` Shark8
2021-10-11 19:25   ` Doctor Who
replies disabled

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox