The author mentions Capsicum, but it’s worth noting that this kind of language model was precisely the shape of program that Capsicum was designed for. Most languages have things in their standard library that wrap file handles, sockets, and so on. The biggest problem is paths, which a lot of languages express as strings (there was a Capsicum version of Qt that let you create a QString from a file descriptor and used openat when you then used this to open a new file).
Even without this support in the OS, if you structure your code like this then it’s easier to port to new platforms. For example, if you want to run in a browser or a FaaS platform (or on embedded devices) then users of your library will often want to replace file I/O with in-memory data or with network requests. If you litter accesses to a global namespace throughout your code then this is very hard.
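As an added illustration of the pattern described above (not code from the article, Eio, or Capsicum): a Python `Dir` object that holds a directory file descriptor and resolves every path relative to it with openat (`os.open(..., dir_fd=...)`), so code that receives a `Dir` can only reach that subtree. The component-by-component walk with `O_NOFOLLOW` is a userspace approximation of RESOLVE_BENEATH, and the `demo` sandbox tree is constructed for the example.

```python
import os
import tempfile

class Dir:
    """Capability for one directory subtree: an open directory fd. Every path is
    resolved relative to it with openat (dir_fd=), never against the global namespace."""
    def __init__(self, path):
        self.fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)

    def open_file(self, rel, flags=os.O_RDONLY, mode=0o644):
        # Reject anything that could name something outside the subtree.
        parts = [p for p in rel.split("/") if p not in ("", ".")]
        if os.path.isabs(rel) or not parts or ".." in parts:
            raise PermissionError(f"path rejected: {rel!r}")
        cur = self.fd
        try:
            # Walk one component at a time with O_NOFOLLOW so a symlink planted inside
            # the tree cannot redirect resolution outside it (RESOLVE_BENEATH in userspace).
            for comp in parts[:-1]:
                nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=cur)
                if cur != self.fd:
                    os.close(cur)
                cur = nxt
            return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=cur)
        finally:
            if cur != self.fd:
                os.close(cur)

    def read_text(self, rel):
        with os.fdopen(self.open_file(rel)) as f:
            return f.read()

def demo():
    # Constructed sandbox: a temp tree with one real file and a symlink that
    # points outside the tree.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "data"))
    with open(os.path.join(root, "data", "ok.txt"), "w") as f:
        f.write("inside")
    os.symlink("/", os.path.join(root, "escape"))
    d = Dir(root)
    results = {"data/ok.txt": d.read_text("data/ok.txt")}
    for bad in ("../x", "/etc/hostname", "escape/etc/hostname"):
        try:
            d.read_text(bad)
            results[bad] = "opened"
        except OSError as e:  # PermissionError is a subclass of OSError
            results[bad] = type(e).__name__
    return results
```

Because the sandbox boundary is the `Dir` value rather than a global check, a test or an in-browser build can hand the same code a different `Dir` (or an in-memory stand-in with the same interface) without touching its internals.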
Yes, it would be great to make use of FreeBSD’s extended features in Eio. At the moment, it just uses the generic POSIX support (but the Linux io_uring backend does use RESOLVE_BENEATH). The process management (pdfork, etc) looks like it will be a lot simpler than the SIGCHLD handling we have to do for other systems too.
“Ideally, our programming language would provide a secure implementation of capabilities that we could depend on. That would allow running untrusted code safely and protect us from compromised packages. However, converting a non-capability language to a capability-secure one isn’t easy, and isn’t likely to happen any time soon for OCaml”
This is exactly the use case we had in mind when we designed the container-based XVM runtime, with all capabilities available only via explicit injection. Basically, you can safely create a container to run code in, and that container can safely create a container to run code in, and so on (recursively). The only awareness that code inside a container has of “the outside world” is provided by capabilities injected into the container. Need an HTTP client? It needs to be injected. Want to listen on a socket? It needs to be injected. Want to print an error to the console? It needs to be injected. Want to know what time it is? You need to have a clock injected.
Security first. You can’t add security to a system.