http://50.77.162.165/mediawiki/index.php?action=history&feed=atom&title=Virtualized_privileged_environment 2026-04-20T00:44:24Z Revision history for this page on the wiki MediaWiki 1.15.5-7 http://50.77.162.165/mediawiki/index.php?title=Virtualized_privileged_environment&diff=2126&oldid=prev 2011-02-09T01:38:30Z

<p></p> <p><b>New page</b></p><div>==Problem==<br /> <br /> * The [[Category:E specification|E specification]] shall include [[Updoc]] tests.<br /> * The chosen location for our E platform specification [[Category:E specification|is this wiki]].<br /> * Wikis are editable by many people.<br /> Therefore,<br /> * There is a risk of malicious code inserted into our specification tests.<br /> <br /> We wish to be able to run Updoc tests, testing every aspect of an [[E implementation]], such that they can do no harm (beyond stopping the test suite from finishing, or making its output invalid).<br /> <br /> The [[E-on-Java]] [[cmdLoop]] has a confinement option, but it takes away all [[privilegedEnv]] elements, so the tests could not test streams, files and so on. [[E-on-CL]] provides a slightly larger set, but still does not provide file access.<br /> <br /> In general, we want to provide an environment that looks as close to the standard privileged environment as practical, but is actually completely confined — ''and yet still allows the tests to exercise as much of the implementation as practical.''<br /> <br /> ==Proposal==<br /> <br /> Given these constraints, the obvious solution is to make every [[privilegedEnv]] authority virtualizable. Here is a review of the privileged environment as implemented in [[E-on-Java]] (as of r802, 2011-02-08).<br /> <br /> ===Completely obvious virtualization strategies===<br /> <br /> * [[stdout]], [[stderr]], [[print]], [[println]], [[interp]] — these are already virtualized/implemented by [[updoc]]/[[cmdLoop]]<br /> * [[currentVat]] — might want to review Vat's authority grants<br /> * [[privilegedScope]] — refers to itself<br /> <br /> These are defined in terms of other privileges in ScopeSetup, so they will be automatically virtual:<br /> * [[makeSturdyRef]]<br /> * [[timeMachine]]<br /> * [[rune]] — Defined in terms of {{uriGetter|unsafe}}<br /> * [[swtWatch]]<br /> <br /> ===Reasonable virtualization strategies===<br /> <br /> * {{uriGetter|file}}, {{uriGetter|fileURL}} — [[Opaque file objects]]<br /> <br /> ===Messier virtualization strategies===<br /> * {{uriGetter|jar}} — {{XXX}}<br /> * {{uriGetter|http}}, {{uriGetter|ftp}}, {{uriGetter|gopher}}, {{uriGetter|news}}, {{uriGetter|captp}}/[[introducer]]/[[identityMgr]]<br /> ** Option 1: Allow access to network, but restricted hosts.<br /> ** Option 2: Allow full access — we're not trying to bit-confine the tests, after all. Maybe prohibit LAN access — this would be generally useful as a security policy. &quot;The Internet in general, but nothing local&quot;<br /> ** Option 3: Allow test code to talk among itself only.<br /> * stdin — This will be determined by how the test suite goes about testing stdin.<br /> <br /> ===Impossible by definition===<br /> However, these cannot be tested by untrusted test files anyway:<br /> <br /> * {{uriGetter|unsafe}}<br /> <br /> === Tricky cases===<br /> <br /> * [[makeCommand]] (shell command/subprocess invocation)<br /> <br /> ===GUI authorities===<br /> * {{uriGetter|awt}}<br /> * {{uriGetter|swing}}<br /> * {{uriGetter|JPanel}}<br /> * {{uriGetter|swt}}<br /> * [[currentDisplay]]<br /> * [[swtGrid__quasiParser]]<br /> <br /> [[Category:Unresolved design issues]]</div>

Kevin Reid