the POLICY signature


________ Synopsis ____________________________________________________

    signature POLICY
    functor MkPolicy () : POLICY
    functor MkReadOnlyPolicy () : POLICY
    functor MkNetworkPolicy () : POLICY
    functor MkUnrestrictedPolicy () : POLICY

A policy represents a set of rules governing capabilities granted to components in a sandbox environment. These rules are defined for capabilities, strings representing individual or groups of critical operations in the library. The rules are defined in terms of user-defined functions that check the validity of individual arguments passed to an operation, and may choose to rewrite these arguments as they see fit.

A particularly important capability is "componentLoad", which controls what URLs are accepted for loading. By setting up rules for this capability, the creator of a sandbox can control what components are accessible for import inside a sandbox (either through the functions of the component manager, or through the use of the Alice ML import declaration, which maps to these functions).

Policy structures can be created via one of the predefined functors listed above, which differ in the capabilities initially granted. They all set the "componentLoad" capability to replace system components (those in the x-alice:/lib/system/ space) with safe substitutes that actually check the other capabilities on each call to a critical operation. The MkPolicy functor provides a clean ruleset with no capabilities at all besides loading the safe components, while the other functors already provide certain capabilities for typical scenarios: MkReadOnlyPolicy allows passive, read-only access to the file system and network, MkNetworkPolicy additionally allows sends to the network, and MkUnrestrictedPolicy enables all capabilities. In all cases, the policy rules can be further customised by means of the operations provided by the delivered structure.

See below for a complete list of capabilities defined in the system.

See also: Sandbox


________ Import ______________________________________________________

    import signature POLICY               from "x-alice:/lib/system/POLICY-sig"
    import functor   MkPolicy             from "x-alice:/lib/system/MkPolicy"
    import functor   MkReadOnlyPolicy     from "x-alice:/lib/system/MkPolicy"
    import functor   MkNetworkPolicy      from "x-alice:/lib/system/MkPolicy"
    import functor   MkUnrestrictedPolicy from "x-alice:/lib/system/MkPolicy"

________ Interface ___________________________________________________

signature POLICY =
sig
    datatype 'a action = ACCEPT of 'a | REJECT | PASS

    signature ARG_TYPE =
    sig
        type t
        val rule : string * (t -> t action) -> unit
        val check : string * string * t -> t
    end

    functor MkArgType (type t) : ARG_TYPE where type t = t

    structure Unit : ARG_TYPE where type t = unit
    structure Int  : ARG_TYPE where type t = Int.t
    structure Url  : ARG_TYPE where type t = Url.t
    structure String : ARG_TYPE where type t = String.t
    structure File   : ARG_TYPE where type t = String.t
end

________ Description _________________________________________________

datatype 'a action = ACCEPT of 'a | REJECT | PASS

Describes the action to be taken for a specific argument. A rule may either accept a call with the given argument value, reject the call, or indicate that it does not apply, such that responsibility is passed on to the next rule. In the case of acceptance the action decides which argument value shall be used in the actual call: typically this will be the original value the rule was applied to, but a rule may choose to replace the argument by a safe substitute.

signature ARG_TYPE

A structure instantiating ARG_TYPE provides functions for creating and checking rules for capabilities with a specific argument type. It defines the following entities:

type t

The actual argument type.

rule (cap, f)

Adds a rule to the ruleset of the capability named cap, which applies to an argument of type t. If a rule has already been set for cap, the new rule overrides it, except where f returns PASS, in which case the previously set rule is consulted.

check (cap, caller, arg)

Checks whether arg is an acceptable argument for capability cap, and returns the rewritten value to be used for the actual call. The function sequentially checks the rules set for cap, the most recent first, until one returns an ACCEPT x or REJECT action. In the former case, x is returned; in the latter the exception Sandbox.Security caller is raised. This exception is also raised if no rule applies, i.e. all rules return PASS.

functor MkArgType (type t) : ARG_TYPE where type t = t

Functor to create rule operations for type t.

structure Unit : ARG_TYPE where type t = unit
structure Int : ARG_TYPE where type t = Int.t
structure Url : ARG_TYPE where type t = Url.t
structure String : ARG_TYPE where type t = String.t
structure File : ARG_TYPE where type t = String.t

Predefined argument structures for common argument types.
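As an added worked example (not part of this manual), a sandbox creator starts from MkReadOnlyPolicy and narrows it: file reads are rewritten into a single directory and rejected if they escape it, and "componentLoad" PASSes for system components (so the functor's substitution rule keeps applying) but rejects everything else. Assumed: the directory "/tmp/sandbox", the import path of the Sandbox structure, and Url.toString from the Alice Url library; OS.Path and String.isPrefix are the Standard ML Basis.

```sml
import functor   MkReadOnlyPolicy from "x-alice:/lib/system/MkPolicy"
import structure Sandbox          from "x-alice:/lib/system/Sandbox" (* path assumed *)

structure P = MkReadOnlyPolicy ()

(* Assumed directory the sandbox may read from; no trailing slash. *)
val jail = "/tmp/sandbox"

(* Rewrite a path into the jail and accept it only if it still lies inside.
   Canonicalisation is lexical: ".." is folded, symlinks are not resolved. *)
fun confine path =
    let
        val full = if OS.Path.isAbsolute path then path
                   else OS.Path.concat (jail, path)
        val full = OS.Path.mkCanonical full
    in
        if full = jail orelse String.isPrefix (jail ^ "/") full
        then P.ACCEPT full
        else P.REJECT
    end

(* Installed after the functor's own rule, so consulted first; it never
   returns PASS, so the read-only policy's readFile rule is fully overridden. *)
val _ = P.File.rule ("readFile", confine)

(* The functor's componentLoad rule maps x-alice:/lib/system/ components to
   the safe substitutes that enforce the other capabilities. PASS on those
   URLs so that rule still applies; reject every other URL (extend this to
   whitelist the sandboxed component's own URLs). Url.toString is assumed. *)
val _ = P.Url.rule ("componentLoad", fn url =>
            if String.isPrefix "x-alice:/lib/system/" (Url.toString url)
            then P.PASS else P.REJECT)

(* Self-check of the ruleset; check is what the safe components call.
   The caller string is only reported in the Security exception. *)
val inside  = P.File.check ("readFile", "self-test", "data/in.txt")
val outside = (P.File.check ("readFile", "self-test", "../outside.txt");
               "accepted")
              handle Sandbox.Security _ => "rejected"
```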


________ Capabilities ________________________________________________

This is a list of all capabilities provided by the standard library, the functions from which each is checked, and the argument structure (context) used for the check.

    Capability               Functions                            Context
    --------------------------------------------------------------------
    readFile                 OS.FileSys.openDir                   File
                             OS.FileSys.isDir
                             OS.FileSys.fileSize
                             OS.FileSys.modTime
                             TextIO.openIn
    writeFile                BinIO.openOut                        File
                             BinIO.openAppend
                             BinIO.openOverwrite
                             Component.save
                             OS.FileSys.mkDir
                             OS.FileSys.rmDir
                             OS.FileSys.remove
                             OS.FileSys.tmpName
                             TextIO.openOut
                             TextIO.openAppend
    commandLineName          CommandLine.name                     Unit
    commandLineArgs          CommandLine.arguments                Unit
    componentLoad            Component.load                       Url
    readUrl                  Component.load                       Url
                             HttpClient.request
                             HttpClient.get
                             HttpClient.post
    componentSave            Component.save                       File
    MkManager                Component.MkManager                  Unit
    getHomeDir               Config.homeDir                       Unit
                             OS.FileSys.getHomeDir
    readSocket               Http.readRequest                     Unit
                             Http.readResponse
    writeSocket              Http.writeRequest                    Unit
                             Http.writeResponse
    readPort                 Socket.server                        Int
    writePort                HttpClient.request                   Int
                             HttpClient.get
                             HttpClient.post
                             HttpServer.start
                             Socket.server
    getDir                   OS.FileSys.getDir                    Unit
    getApplicationConfigDir  OS.FileSys.getApplicationConfigDir   File
    sysCall                  OS.Process.system                    String
                             Unix.execute
    terminate                OS.Process.exit                      Int
                             OS.Process.terminate
    getEnv                   OS.Process.getEnv                    String
    pickleLoad               Pickle.load                          File
                             Pickle.Load
                             Pickle.LoadVal
    pickleSave               Pickle.save                          File
                             Pickle.Save
                             Pickle.SaveVal
    deepWait                 Store.deepWait                       Unit
    stdIn                    TextIO.stdIn                         Unit
    stdOut                   TextIO.stdOut                        Unit
    stdErr                   TextIO.stdErr                        Unit
    processWait              Unix.wait                            Unit
    processReap              Unix.reap                            Unit


last modified 2007/Mar/30 17:10