Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

You can't have everything... where would you put it? -- Steven Wright


devel / comp.lang.ada / Re: The Ravenscar profile and capabilities paradigm

SubjectAuthor
* The Ravenscar profile and capabilities paradigmDoctor Who
+* Re: The Ravenscar profile and capabilities paradigmLuke A. Guest
|`* Re: The Ravenscar profile and capabilities paradigmDoctor Who
| `* Re: The Ravenscar profile and capabilities paradigmLuke A. Guest
|  `* Re: The Ravenscar profile and capabilities paradigmDoctor Who
|   +* Re: The Ravenscar profile and capabilities paradigmLuke A. Guest
|   |+* Re: The Ravenscar profile and capabilities paradigmLuke A. Guest
|   ||`- Re: The Ravenscar profile and capabilities paradigmDoctor Who
|   |`* Re: The Ravenscar profile and capabilities paradigmDoctor Who
|   | +- Re: The Ravenscar profile and capabilities paradigmDoctor Who
|   | `- Re: The Ravenscar profile and capabilities paradigmDoctor Who
|   `* Re: The Ravenscar profile and capabilities paradigmRichard Iswara
|    `* Re: The Ravenscar profile and capabilities paradigmDoctor Who
|     `* Re: The Ravenscar profile and capabilities paradigmRichard Iswara
|      `* Re: The Ravenscar profile and capabilities paradigmLuke A. Guest
|       `- Re: The Ravenscar profile and capabilities paradigmDoctor Who
+* Re: The Ravenscar profile and capabilities paradigmSimon Wright
|`* Re: The Ravenscar profile and capabilities paradigmDoctor Who
| `* Re: The Ravenscar profile and capabilities paradigmShark8
|  +* Re: The Ravenscar profile and capabilities paradigmLuke A. Guest
|  |`* Re: The Ravenscar profile and capabilities paradigmShark8
|  | `* Re: The Ravenscar profile and capabilities paradigmLuke A. Guest
|  |  `* Re: The Ravenscar profile and capabilities paradigmDoctor Who
|  |   `- Re: The Ravenscar profile and capabilities paradigmDoctor Who
|  `* Re: The Ravenscar profile and capabilities paradigmDoctor Who
|   `* Re: The Ravenscar profile and capabilities paradigmShark8
|    `* Re: The Ravenscar profile and capabilities paradigmDoctor Who
|     `* Re: The Ravenscar profile and capabilities paradigmSimon Wright
|      `- Re: The Ravenscar profile and capabilities paradigmDoctor Who
`* Re: The Ravenscar profile and capabilities paradigmShark8
 `- Re: The Ravenscar profile and capabilities paradigmDoctor Who

Pages:12
Re: The Ravenscar profile and capabilities paradigm

<4lkbmgd7dabitibimkab7hodsfqpv422cr@4ax.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=6157&group=comp.lang.ada#6157

 copy link   Newsgroups: comp.lang.ada
Path: rocksolid2!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: doc...@tardis.org (Doctor Who)
Newsgroups: comp.lang.ada
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Tue, 12 Oct 2021 20:24:20 +0200
Organization: A noiseless patient Spider
Lines: 39
Message-ID: <4lkbmgd7dabitibimkab7hodsfqpv422cr@4ax.com>
References: <07f8mgdot9tmh8mqen2ogd5dds2gojoleh@4ax.com> <lymtnffugy.fsf@pushface.org> <en39mglcsdhjj47ada5hsvv1vubcukq1vu@4ax.com> <f7127422-322c-4b21-9dd9-f1b02be9a3e9n@googlegroups.com> <sk4857$1290$1@gioia.aioe.org> <cd33ab9b-7d33-4ec1-93ff-880bd5eb72ecn@googlegroups.com> <sk4agl$8vt$1@gioia.aioe.org> <abkbmgduvlrjee1bm1v74oks4kv8kqqen6@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="029ba4d39744cc2f920d1f90b5831eec";
logging-data="19461"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/ck5lmH/4vQrrTp5ep7mZA"
User-Agent: ForteAgent/8.00.32.1272
Cancel-Lock: sha1:lwFm32nqgGR7EpKpIIILMLkPz1Q=
 by: Doctor Who - Tue, 12 Oct 2021 18:24 UTC

On Tue, 12 Oct 2021 20:21:28 +0200, Doctor Who <doc@tardis.org> wrote:

>On Tue, 12 Oct 2021 16:43:07 +0100, "Luke A. Guest"
><laguest@archeia.com> wrote:
>
>>On 12/10/2021 16:33, Shark8 wrote:
>>> On Tuesday, October 12, 2021 at 9:04:09 AM UTC-6, Luke A. Guest wrote:
>>>> On 12/10/2021 16:01, Shark8 wrote:
>>>>> On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>>>>>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>>>>>>> Doctor Who writes:
>>>>>>>
>>>>>>>> someone knows how to introduce the capabilities paradigm in Ada,
>>>>>>>> specifically for programs written using the Ravenscar profile ?
>>>>>>>
>>>>> Type Capability is ( Read, Copy, Whatever );
>>>> There can be a capabiity for literally anything, even ownership and can
>>>> be different depending on object/os service.
>>>>
>>>> I'd say a tagged type is better than an enum.
>>> Possibly.
>>> But there's no reason to complicate the general idea in example-form: even if it's a tagged type you're going to want the capability-instance to be limited-private; the implementation of the "permissions" component being a Boolean-array or a vector of Capability'Class [most obviously having Capability be an abstract tagged null record] is mostly irrelevant for that demonstration. (And using a vector of tagged-type instead of the array would have bogged the example down with importing and instantiating the Vector container and setting up multiple non-abstract Capability-descendants, cluttering the point of the example.)
>>>
>>
>>Capabilities allow granting and revoking of access, iirc, the kernel has
>>access to all, the kernel then grants access to certain processes, i.e.
>>memory server, filesystem server, etc. each of those processes can
>>further grant and revoke caps.
>>
>
>thank you all for the help, I hope this discussion goes far.
>the most useful approach is the microkernel, where access to, and
>operation of, each service is mediated by capabilities.
>
>I would go so far to define and implement a capability-based
>microkernel written in Ada using the Ravenscar profile.

I like SweetAda, and I would like to implement something similar but
using the approach I described so far.

Re: The Ravenscar profile and capabilities paradigm

<ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=6168&group=comp.lang.ada#6168

 copy link   Newsgroups: comp.lang.ada
Path: rocksolid2!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: doc...@tardis.org (Doctor Who)
Newsgroups: comp.lang.ada
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Thu, 14 Oct 2021 05:46:30 +0200
Organization: A noiseless patient Spider
Lines: 85
Message-ID: <ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com>
References: <07f8mgdot9tmh8mqen2ogd5dds2gojoleh@4ax.com> <lymtnffugy.fsf@pushface.org> <en39mglcsdhjj47ada5hsvv1vubcukq1vu@4ax.com> <f7127422-322c-4b21-9dd9-f1b02be9a3e9n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="9d6f07ceea5260769296cea618469afe";
logging-data="11657"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/xtGou+zNRsVntXZMI5c2O"
User-Agent: ForteAgent/8.00.32.1272
Cancel-Lock: sha1:nwYwd2fZ/n404Y6lvqTxCNNs/Tw=
 by: Doctor Who - Thu, 14 Oct 2021 03:46 UTC

On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8
<onewingedshark@gmail.com> wrote:

>On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>> >Doctor Who writes:
>> >
>> >> someone knows how to introduce the capabilities paradigm in Ada,
>> >> specifically for programs written using the Ravenscar profile ?
>> >
>> >Google hasn't helped me to understand what you're getting at. Perhaps
>> >you could expand?
>> wikipedia has a good explanation:
>> https://en.wikipedia.org/wiki/Capability-based_security
>Ah.
>Limited Private, unknown-discriminant types.
>
>Package Capabilities is
> -- Enumeration of the particular capabilities.
> Type Capability is ( Read, Copy, Whatever );
> -- A Boolean set for delineating a set of Capabilities.
> Type Capability_List is Array(Capability) of Boolean;
> -- An instance of a set of capabilities; note that:
> -- (1) LIMITED means there is no predefined assignment/copy.
> -- (2) PRIVATE means there is no public view to the components.
> -- (3) Unknown discriminants mean there is no object-creation w/o a function-call.
> Type Instance(<>) is limited private;
> -- Create an instance; add any other needed parameters.
> Function Create( Capabilities : Capability_List ) return Instance;
> -- No permissions.
> Function No_Permissions return Instance;
>Private
> Type Instance is record
> Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized.");
> -- (others => False); -- Or maybe default to no permissions.
> -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID.
> End record;
>
> Function Create( Capabilities : Capability_List ) return Instance is
> ( Permissions => Capabilities );
> Function No_Permissions return Instance is
> ( Create( Capability_List'(others => False) ) );
>End Capabilities;
>
>You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.

a Process Capability looks like this:

Operations:
a. "Read", address; > data;
b. "Write", address, data; > ;
c. "Take", index; > ; capability
d. "Give", index; capability > ;
e. "Find", index, count; capability > result, index;
f. "Start"; > ;
g. "Stop"; > ;

Semantics: The "Read" and "Write" operations allow access to the
process's memory. For example, in the "Read" operation, the literal
string "Read" (or a recognizable OP code) is passed along with an
address. The data word at the address is returned.

The "Give" and "Take" operations allow access to the process's C-list.
For example, the "Give" operation passes the string "Give", an index
into the C-list, and a capability to be stored at the passed index.
Such a stored capability could be invoked by the process if it were
"Start"ed.

The "Find" operation allows a slightly optimized sort of compare
operation for capabilities. The process's C-list is searched, starting
at the passed index, for the passed capability until either:

1. The passed capability is found in the C-list. In this case, the
operation returns "Yes" and the first index where the capability was
found, or

2. The count is exhausted. In this case the operation returns "No" and
the passed index plus count.

in addition there is a Nil Capability:
Nil Capability: When a process is initially created its C-list
contains only Nils. These are empty place holders. Nil always returns
"Empty".

Re: The Ravenscar profile and capabilities paradigm

<2c73d584-81a4-47ce-b86a-0ff8bdd776b9n@googlegroups.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=6174&group=comp.lang.ada#6174

 copy link   Newsgroups: comp.lang.ada
X-Received: by 2002:a05:6214:627:: with SMTP id a7mr5976492qvx.13.1634224591033;
Thu, 14 Oct 2021 08:16:31 -0700 (PDT)
X-Received: by 2002:a25:1dd7:: with SMTP id d206mr6991654ybd.486.1634224590769;
Thu, 14 Oct 2021 08:16:30 -0700 (PDT)
Path: rocksolid2!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.lang.ada
Date: Thu, 14 Oct 2021 08:16:30 -0700 (PDT)
In-Reply-To: <ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com>
Injection-Info: google-groups.googlegroups.com; posting-host=146.5.2.231; posting-account=lJ3JNwoAAAAQfH3VV9vttJLkThaxtTfC
NNTP-Posting-Host: 146.5.2.231
References: <07f8mgdot9tmh8mqen2ogd5dds2gojoleh@4ax.com> <lymtnffugy.fsf@pushface.org>
<en39mglcsdhjj47ada5hsvv1vubcukq1vu@4ax.com> <f7127422-322c-4b21-9dd9-f1b02be9a3e9n@googlegroups.com>
<ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <2c73d584-81a4-47ce-b86a-0ff8bdd776b9n@googlegroups.com>
Subject: Re: The Ravenscar profile and capabilities paradigm
From: onewinge...@gmail.com (Shark8)
Injection-Date: Thu, 14 Oct 2021 15:16:31 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 141
 by: Shark8 - Thu, 14 Oct 2021 15:16 UTC

On Wednesday, October 13, 2021 at 9:46:34 PM UTC-6, Doctor Who wrote:
> On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8
> >On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
> >> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
> >> >Doctor Who writes:
> >> >
> >> >> someone knows how to introduce the capabilities paradigm in Ada,
> >> >> specifically for programs written using the Ravenscar profile ?
> >> >
> >> >Google hasn't helped me to understand what you're getting at. Perhaps
> >> >you could expand?
> >> wikipedia has a good explanation:
> >> https://en.wikipedia.org/wiki/Capability-based_security
> >Ah.
> >Limited Private, unknown-discriminant types.
> >
> >Package Capabilities is
> > -- Enumeration of the particular capabilities.
> > Type Capability is ( Read, Copy, Whatever );
> > -- A Boolean set for delineating a set of Capabilities.
> > Type Capability_List is Array(Capability) of Boolean;
> > -- An instance of a set of capabilities; note that:
> > -- (1) LIMITED means there is no predefined assignment/copy.
> > -- (2) PRIVATE means there is no public view to the components.
> > -- (3) Unknown discriminants mean there is no object-creation w/o a function-call.
> > Type Instance(<>) is limited private;
> > -- Create an instance; add any other needed parameters.
> > Function Create( Capabilities : Capability_List ) return Instance;
> > -- No permissions.
> > Function No_Permissions return Instance;
> >Private
> > Type Instance is record
> > Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized.");
> > -- (others => False); -- Or maybe default to no permissions.
> > -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID.
> > End record;
> >
> > Function Create( Capabilities : Capability_List ) return Instance is
> > ( Permissions => Capabilities );
> > Function No_Permissions return Instance is
> > ( Create( Capability_List'(others => False) ) );
> >End Capabilities;
> >
> >You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.
> a Process Capability looks like this:
>
> Operations:
> a. "Read", address; > data;
> b. "Write", address, data; > ;
> c. "Take", index; > ; capability
> d. "Give", index; capability > ;
> e. "Find", index, count; capability > result, index;
> f. "Start"; > ;
> g. "Stop"; > ;
Does it?
Why?
Or is this just one possible implementation of 'capabilities' operations?
Operations on a type correspond to subprograms in Ada; nothing you present seems (at first glance) incompatible with the structure/types I gave you.
>
> Semantics: The "Read" and "Write" operations allow access to the
> process's memory. For example, in the "Read" operation, the literal
> string "Read" (or a recognizable OP code) is passed along with an
> address. The data word at the address is returned.
I think you're jumping the gun.
You need to have a good model, and why are you jumping straight into implementation?
(Literal string? Recognizable OP code? -- All implementation details; forget them right now, concentrate on the modeling of the problem, not the details of how to implement, and AFTER getting the model down, THEN consider code.)
> The "Give" and "Take" operations allow access to the process's C-list.
> For example, the "Give" operation passes the string "Give", an index
> into the C-list, and a capability to be stored at the passed index.
> Such a stored capability could be invoked by the process if it were
> "Start"ed.
This part of your explanation makes it sound like you do not understand the code I presented, or the reasoning behind it; forgive me for poorly communicating it.
The reason you want a "limited private type with unknown discriminants" is because:
1) It hides the implementation, meaning clients cannot alter it indiscriminately.
2) It prohibits automatic initialization, forcing the usage of an initialization subprogram.
3) It forces usage of the public interface for clients, private details can manipulate it though.
4) Any public operations, again, have to go through the public interface.
5) Copying is strictly prohibited, hence "limited".

In the model I had envisioned the Capabilities-list (Capabilities.Instance) would be an integral part of the TASK, and there would likely be a Get_Capabilities function which would return the proper value, some set-operations, and a new creation-function:
Function Create( Object : OS_Task_Interface; Capabilities : Capability_List ) return Instance is
Parent : Instance renames Get_Capabilities( Object );
Caps : Capability_List renames Parent.Permissions;
Begin
Return Intersect( Caps, Capabilities ); -- The granted capabilities cannot be ones the parent does not have, nor may it be ones not requested.
End Create;
The above, I think, does the work you are putting into TAKE and GIVE.
> The "Find" operation allows a slightly optimized sort of compare
> operation for capabilities. The process's C-list is searched, starting
> at the passed index, for the passed capability until either:
>
> 1. The passed capability is found in the C-list. In this case, the
> operation returns "Yes" and the first index where the capability was
> found, or
>
> 2. The count is exhausted. In this case the operation returns "No" and
> the passed index plus count.
Why are you bothering with a list?
Why are you even bothering with an index?
The implementation I gave you has the capabilities enumerated; you would add an operation to the capabilities package:
Function Has( Object : Instance; Permission : Capability) return Boolean is
Begin
Return Object.Permissions( Permission ); -- Just use the enumeration-index of the permissions field.
End Has;
Done.
>
>
> in addition there is a Nil Capability:
> Nil Capability: When a process is initially created its C-list
> contains only Nils. These are empty place holders. Nil always returns
> "Empty".
This... sounds like you are not understanding, at all, the Ada code I presented you.
Look at the creation function No_Permissions.

Re: The Ravenscar profile and capabilities paradigm

<d0ngmg5s8uevb19pjcakqt55utg4jirmio@4ax.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=6175&group=comp.lang.ada#6175

 copy link   Newsgroups: comp.lang.ada
Path: rocksolid2!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: doc...@tardis.org (Doctor Who)
Newsgroups: comp.lang.ada
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Thu, 14 Oct 2021 18:38:16 +0200
Organization: A noiseless patient Spider
Lines: 128
Message-ID: <d0ngmg5s8uevb19pjcakqt55utg4jirmio@4ax.com>
References: <07f8mgdot9tmh8mqen2ogd5dds2gojoleh@4ax.com> <lymtnffugy.fsf@pushface.org> <en39mglcsdhjj47ada5hsvv1vubcukq1vu@4ax.com> <f7127422-322c-4b21-9dd9-f1b02be9a3e9n@googlegroups.com> <ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com> <2c73d584-81a4-47ce-b86a-0ff8bdd776b9n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="9d6f07ceea5260769296cea618469afe";
logging-data="5089"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18VN3EcrBGVPVkgKcgesaXO"
User-Agent: ForteAgent/8.00.32.1272
Cancel-Lock: sha1:nVinteYEauL2jt47MySE7F9eUeE=
 by: Doctor Who - Thu, 14 Oct 2021 16:38 UTC

On Thu, 14 Oct 2021 08:16:30 -0700 (PDT), Shark8
<onewingedshark@gmail.com> wrote:

>On Wednesday, October 13, 2021 at 9:46:34 PM UTC-6, Doctor Who wrote:
>> On Tue, 12 Oct 2021 08:01:26 -0700 (PDT), Shark8
>> >On Monday, October 11, 2021 at 1:24:48 PM UTC-6, Doctor Who wrote:
>> >> On Mon, 11 Oct 2021 16:32:13 +0100, Simon Wright wrote:
>> >> >Doctor Who writes:
>> >> >
>> >> >> someone knows how to introduce the capabilities paradigm in Ada,
>> >> >> specifically for programs written using the Ravenscar profile ?
>> >> >
>> >> >Google hasn't helped me to understand what you're getting at. Perhaps
>> >> >you could expand?
>> >> wikipedia has a good explanation:
>> >> https://en.wikipedia.org/wiki/Capability-based_security
>> >Ah.
>> >Limited Private, unknown-discriminant types.
>> >
>> >Package Capabilities is
>> > -- Enumeration of the particular capabilities.
>> > Type Capability is ( Read, Copy, Whatever );
>> > -- A Boolean set for delineating a set of Capabilities.
>> > Type Capability_List is Array(Capability) of Boolean;
>> > -- An instance of a set of capabilities; note that:
>> > -- (1) LIMITED means there is no predefined assignment/copy.
>> > -- (2) PRIVATE means there is no public view to the components.
>> > -- (3) Unknown discriminants mean there is no object-creation w/o a function-call.
>> > Type Instance(<>) is limited private;
>> > -- Create an instance; add any other needed parameters.
>> > Function Create( Capabilities : Capability_List ) return Instance;
>> > -- No permissions.
>> > Function No_Permissions return Instance;
>> >Private
>> > Type Instance is record
>> > Permissions : Capability_List:= (raise Program_Error with "Capabilities-Instance must be initialized.");
>> > -- (others => False); -- Or maybe default to no permissions.
>> > -- OTHER DATA, IF NEEDED; PERHAPS TASK-/PROCESS-ID.
>> > End record;
>> >
>> > Function Create( Capabilities : Capability_List ) return Instance is
>> > ( Permissions => Capabilities );
>> > Function No_Permissions return Instance is
>> > ( Create( Capability_List'(others => False) ) );
>> >End Capabilities;
>> >
>> >You could also extend things with a Task-ID, assuming you want this prevalent/pervasive across the OS, you could make a TASK INTERFACE with an accessor (Function Get_Capabilities(Task : OS_Task_Interface) return Capabilities.Instance is (Capabilities.No_Permissions); -- Override to give permissions.) and/or possibly a registry to manage permissions (on a finer-grained level) if you need it. A lot depends on how you architect/model it, but the "limited private unknown-discriminant type" perfectly fits what you need at the fundamental levels.
>> a Process Capability looks like this:
>>
>> Operations:
>> a. "Read", address; > data;
>> b. "Write", address, data; > ;
>> c. "Take", index; > ; capability
>> d. "Give", index; capability > ;
>> e. "Find", index, count; capability > result, index;
>> f. "Start"; > ;
>> g. "Stop"; > ;
>Does it?
>Why?
>Or is this just one possible implementation of 'capabilities' operations?

it is the one I would like to implement.

>Operations on a type correspond to subprograms in Ada; nothing you present seems (at first glance) incompatible with the structure/types I gave you.

exactly

>>
>> Semantics: The "Read" and "Write" operations allow access to the
>> process's memory. For example, in the "Read" operation, the literal
>> string "Read" (or a recognizable OP code) is passed along with an
>> address. The data word at the address is returned.
>I think you're jumping the gun.
>You need to have a good model, and why are you jumping straight into implementation?

http://www.webstart.com/jed/papers/DCCS/

>(Literal string? Recognizable OP code? -- All implementation details; forget them right now, concentrate on the modeling of the problem, not the details of how to implement, and AFTER getting the model down, THEN consider code.)
>> The "Give" and "Take" operations allow access to the process's C-list.
>> For example, the "Give" operation passes the string "Give", an index
>> into the C-list, and a capability to be stored at the passed index.
>> Such a stored capability could be invoked by the process if it were
>> "Start"ed.
>This part of your explanation makes it sound like you do not understand the code I presented, or the reasoning behind it; forgive me for poorly communicating it.
>The reason you want a "limited private type with unknown discriminants" is because:
>1) It hides the implementation, meaning clients cannot alter it indiscriminately.
>2) It prohibits automatic initialization, forcing the usage of an initialization subprogram.
>3) It forces usage of the public interface for clients, private details can manipulate it though.
>4) Any public operations, again, have to go through the public interface.
>5) Copying is strictly prohibited, hence "limited".
>
>In the model I had envisioned the Capabilities-list (Capabilities.Instance) would be an integral part of the TASK, and there would likely be a Get_Capabilities function which would return the proper value, some set-operations, and a new creation-function:
> Function Create( Object : OS_Task_Interface; Capabilities : Capability_List ) return Instance is
> Parent : Instance renames Get_Capabilities( Object );
> Caps : Capability_List renames Parent.Permissions;
> Begin
> Return Intersect( Caps, Capabilities ); -- The granted capabilities cannot be ones the parent does not have, nor may it be ones not requested.
> End Create;
>The above, I think, does the work you are putting into TAKE and GIVE.
>> The "Find" operation allows a slightly optimized sort of compare
>> operation for capabilities. The process's C-list is searched, starting
>> at the passed index, for the passed capability until either:
>>
>> 1. The passed capability is found in the C-list. In this case, the
>> operation returns "Yes" and the first index where the capability was
>> found, or
>>
>> 2. The count is exhausted. In this case the operation returns "No" and
>> the passed index plus count.
>Why are you bothering with a list?
>Why are you even bothering with an index?
>The implementation I gave you has the capabilities enumerated; you would add an operation to the capabilities package:
>Function Has( Object : Instance; Permission : Capability) return Boolean is
>Begin
> Return Object.Permissions( Permission ); -- Just use the enumeration-index of the permissions field.
>End Has;
>Done.
>>
>>
>> in addition there is a Nil Capability:
>> Nil Capability: When a process is initially created its C-list
>> contains only Nils. These are empty place holders. Nil always returns
>> "Empty".
>This... sounds like you are not understanding, at all, the Ada code I presented you.
>Look at the creation function No_Permissions.

Re: The Ravenscar profile and capabilities paradigm

<lyk0ifi9qh.fsf@pushface.org>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=6176&group=comp.lang.ada#6176

 copy link   Newsgroups: comp.lang.ada
Path: rocksolid2!news.neodome.net!news.mixmin.net!aioe.org!8nKyDL3nVTTIdBB8axZhRA.user.46.165.242.75.POSTED!not-for-mail
From: sim...@pushface.org (Simon Wright)
Newsgroups: comp.lang.ada
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Thu, 14 Oct 2021 22:20:54 +0100
Organization: Aioe.org NNTP Server
Message-ID: <lyk0ifi9qh.fsf@pushface.org>
References: <07f8mgdot9tmh8mqen2ogd5dds2gojoleh@4ax.com>
<lymtnffugy.fsf@pushface.org>
<en39mglcsdhjj47ada5hsvv1vubcukq1vu@4ax.com>
<f7127422-322c-4b21-9dd9-f1b02be9a3e9n@googlegroups.com>
<ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com>
<2c73d584-81a4-47ce-b86a-0ff8bdd776b9n@googlegroups.com>
<d0ngmg5s8uevb19pjcakqt55utg4jirmio@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: gioia.aioe.org; logging-data="64998"; posting-host="8nKyDL3nVTTIdBB8axZhRA.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (darwin)
Cancel-Lock: sha1:3krvcVVSF7/pFm+4IljJsGeA4yI=
X-Notice: Filtered by postfilter v. 0.9.2
 by: Simon Wright - Thu, 14 Oct 2021 21:20 UTC

Doctor Who <doc@tardis.org> writes:

> http://www.webstart.com/jed/papers/DCCS/

Not the most understandable of papers. Haven't things improved since 1976?

Re: The Ravenscar profile and capabilities paradigm

<s0pimgl907jdp4175cok4kbcggbv2bf49i@4ax.com>

 copy mid

https://www.novabbs.com/devel/article-flat.php?id=6181&group=comp.lang.ada#6181

 copy link   Newsgroups: comp.lang.ada
Path: rocksolid2!news.neodome.net!news.mixmin.net!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: doc...@tardis.org (Doctor Who)
Newsgroups: comp.lang.ada
Subject: Re: The Ravenscar profile and capabilities paradigm
Date: Fri, 15 Oct 2021 13:21:52 +0200
Organization: A noiseless patient Spider
Lines: 13
Message-ID: <s0pimgl907jdp4175cok4kbcggbv2bf49i@4ax.com>
References: <07f8mgdot9tmh8mqen2ogd5dds2gojoleh@4ax.com> <lymtnffugy.fsf@pushface.org> <en39mglcsdhjj47ada5hsvv1vubcukq1vu@4ax.com> <f7127422-322c-4b21-9dd9-f1b02be9a3e9n@googlegroups.com> <ai9fmgdrmjs36udfa2rrg2b6r6vto9l2lm@4ax.com> <2c73d584-81a4-47ce-b86a-0ff8bdd776b9n@googlegroups.com> <d0ngmg5s8uevb19pjcakqt55utg4jirmio@4ax.com> <lyk0ifi9qh.fsf@pushface.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="b65bda5433dbed1660743002587e7876";
logging-data="32654"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19L+wR4t217Ab18qge7FdBd"
User-Agent: ForteAgent/8.00.32.1272
Cancel-Lock: sha1:XeP5DuTlsLksZJnvtDXeQOacTYs=
 by: Doctor Who - Fri, 15 Oct 2021 11:21 UTC

On Thu, 14 Oct 2021 22:20:54 +0100, Simon Wright <simon@pushface.org>
wrote:

>Doctor Who <doc@tardis.org> writes:
>
>> http://www.webstart.com/jed/papers/DCCS/
>
>Not the most understandable of papers. Haven't things improved since 1976?

Yes!
but this is a basic concept that has been carried on in the years.

Pages:12
server_pubkey.txt

rocksolid light 0.9.7
clearnet tor