```sml
signature POLICY
functor MkPolicy () : POLICY
functor MkReadOnlyPolicy () : POLICY
functor MkNetworkPolicy () : POLICY
functor MkUnrestrictedPolicy () : POLICY
```
A policy represents a set of rules governing the capabilities granted to components in a sandbox environment. Rules are attached to capabilities: strings naming either an individual critical operation of the library or a group of them. A rule is a user-defined function that checks the validity of an individual argument passed to an operation, and may rewrite that argument as it sees fit.
A particularly important capability is "componentLoad", which controls what URLs are accepted for loading. By setting up rules for this capability, the creator of a sandbox can control what components are accessible for import inside a sandbox (either through the functions of the component manager, or through the use of the Alice ML import declaration, which maps to these functions).
Policy structures can be created via one of the predefined functors listed above, which differ in the capabilities initially granted. They all set the "componentLoad" capability to replace system components (those in the x-alice:/lib/system/ space) with safe substitutes that actually check the other capabilities on each call to a critical operation. The MkPolicy functor provides a clean ruleset with no capabilities at all besides loading the safe components, while the other functors already grant certain capabilities for typical scenarios: MkReadOnlyPolicy allows passive, read-only access to the file system and network, MkNetworkPolicy additionally allows sends to the network, and MkUnrestrictedPolicy enables all capabilities. In all cases, the policy rules can be further customised by means of the operations provided by the delivered structure.
See below for a complete list of capabilities defined in the system.
See also: Sandbox
```sml
import signature POLICY from "x-alice:/lib/system/POLICY-sig"
import functor MkPolicy from "x-alice:/lib/system/MkPolicy"
import functor MkReadOnlyPolicy from "x-alice:/lib/system/MkPolicy"
import functor MkNetworkPolicy from "x-alice:/lib/system/MkPolicy"
import functor MkUnrestrictedPolicy from "x-alice:/lib/system/MkPolicy"
```
```sml
signature POLICY =
sig
    datatype 'a action = ACCEPT of 'a | REJECT | PASS

    signature ARG_TYPE =
    sig
        type t
        val rule  : string * (t -> t action) -> unit
        val check : string * string * t -> t
    end

    functor MkArgType (type t) : ARG_TYPE where type t = t

    structure Unit   : ARG_TYPE where type t = unit
    structure Int    : ARG_TYPE where type t = Int.t
    structure Url    : ARG_TYPE where type t = Url.t
    structure String : ARG_TYPE where type t = String.t
    structure File   : ARG_TYPE where type t = String.t
end
```
`datatype 'a action = ACCEPT of 'a | REJECT | PASS`

Describes the action to be taken for a specific argument. A rule may either accept a call with the given argument value, reject the call, or indicate that it does not apply, so that responsibility is passed on to the next rule. In the case of acceptance, the action also decides which argument value shall be used in the actual call: typically this is the original value the rule was applied to, but a rule may choose to replace the argument by a safe substitute.
A structure instantiating ARG_TYPE provides functions for creating and checking rules for capabilities with a specific argument type. It defines the following entities:
`type t`

The actual argument type.

`rule (cap, f)`

Adds the rule f to the ruleset of the capability named cap, which applies to an argument of type t. When a rule was already set for cap, the new rule overrides it, except in the cases where f returns PASS.

`check (cap, caller, arg)`

Checks whether arg is an acceptable argument for capability cap, and returns the (possibly rewritten) value to be used for the actual call. The function checks the rules set for cap sequentially, most recent first, until one returns an ACCEPT x or REJECT action. In the former case, x is returned; in the latter, the exception Sandbox.Security caller is raised. This exception is also raised if no rule applies, i.e. all rules return PASS.

`functor MkArgType (type t)`

Functor to create rule operations for type t.

`structure Unit`, `structure Int`, `structure Url`, `structure String`, `structure File`

Predefined argument structures for common argument types.
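Putting the rule and check operations together, here is an added example of tightening a read-only policy; it is not code from the Alice manual or the Alice library. It assumes `Url.fromString`/`Url.toString`, the import path `x-alice:/lib/system/Sandbox`, a `Sandbox.MkManager` functor taking a POLICY and offering `link`, and that `check` takes its arguments in the order (cap, caller, arg); the directory and file names are constructed for the example. It shows the three action outcomes at once: a rewrite via ACCEPT with a substitute, a REJECT, and a PASS that defers to the rule the functor installed earlier.

```sml
(* Added example: confining a sandbox with a customised read-only policy.
   Assumed (not taken from this page): Url.toString/Url.fromString, the
   Sandbox import path and Sandbox.MkManager/link, and the argument order
   (cap, caller, arg) of check. *)
import structure Url     from "x-alice:/lib/system/Url"
import structure Sandbox from "x-alice:/lib/system/Sandbox"
import functor MkReadOnlyPolicy from "x-alice:/lib/system/MkPolicy"

(* Start from the functor's read-only defaults and narrow them. *)
structure Policy = MkReadOnlyPolicy ()

(* Constructed sandbox root for the example. *)
val root = "/tmp/sandbox/"

(* Does a path stay inside root? Any ".." segment is refused so that a
   rewritten relative path cannot climb out of the directory. *)
fun insideRoot path =
    String.isPrefix root path andalso not (String.isSubstring ".." path)

(* readFile: the read-only policy accepts every path, so restrict it.
   Relative paths are rewritten into root (ACCEPT with a substitute);
   absolute paths are accepted only if they already lie inside root.
   Rules are consulted most recent first, so this one runs before the
   functor's own readFile rule and settles every call (never PASS). *)
val _ = Policy.File.rule ("readFile",
    fn path =>
        let val full = if String.isPrefix "/" path then path else root ^ path
        in if insideRoot full then Policy.ACCEPT full else Policy.REJECT end)

(* componentLoad: leave x-alice:/lib/ URLs to the rule MkReadOnlyPolicy
   installed (PASS), since that rule substitutes the safe system
   components; allow the sandbox's own component directory; reject all
   other sources. *)
val _ = Policy.Url.rule ("componentLoad",
    fn url =>
        let val s = Url.toString url
        in
            if String.isPrefix "x-alice:/lib/" s then Policy.PASS
            else if String.isPrefix ("file:" ^ root ^ "components/") s
            then Policy.ACCEPT url
            else Policy.REJECT
        end)

(* Exercise the readFile rules directly, as the safe substitute for
   TextIO.openIn would on every call. check raises Sandbox.Security with
   the caller name when the argument is rejected. *)
fun tryRead path =
    (Policy.File.check ("readFile", "TextIO.openIn", path); "accepted")
    handle Sandbox.Security who => "rejected (raised for " ^ who ^ ")"

val _ = print (tryRead "notes.txt" ^ "\n")            (* rewritten into root, accepted *)
val _ = print (tryRead "../other/secret.txt" ^ "\n")  (* ".." segment, rejected *)
val _ = print (tryRead "/home/user/secret.txt" ^ "\n")(* outside root, rejected *)

(* Hand the policy to a sandboxed component manager (assumed API).
   Components it links only see the safe substitutes, which consult
   Policy on each critical operation. *)
structure Manager = Sandbox.MkManager (Policy)
val plugin = Manager.link (Url.fromString ("file:" ^ root ^ "components/Plugin"))
```

Note the ordering effect of `rule`: because `check` stops at the first ACCEPT, a newer rule that rewrites an argument must also validate the rewritten value itself, as the readFile rule above does with `insideRoot`; returning ACCEPT and relying on an older rule to vet the result would silently skip that older rule.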
This is a list of all capabilities provided by the standard library, with their respective contexts (the argument structure through which their rules are set and checked) and the functions from which they are checked.
| Capability | Functions | Context |
|---|---|---|
| readFile | OS.FileSys.openDir, OS.FileSys.isDir, OS.FileSys.fileSize, OS.FileSys.modTime, TextIO.openIn | File |
| writeFile | BinIO.openOut, BinIO.openAppend, BinIO.openOverwrite, Component.save, OS.FileSys.mkDir, OS.FileSys.rmDir, OS.FileSys.remove, OS.FileSys.tmpName, TextIO.openOut, TextIO.openAppend | File |
| commandLineName | CommandLine.name | Unit |
| commandLineArgs | CommandLine.arguments | Unit |
| componentLoad | Component.load | Url |
| readUrl | Component.load, HttpClient.request, HttpClient.get, HttpClient.post | Url |
| componentSave | Component.save | File |
| MkManager | Component.MkManager | Unit |
| getHomeDir | Config.homeDir, OS.FileSys.getHomeDir | Unit |
| readSocket | Http.readRequest, Http.readResponse | Unit |
| writeSocket | Http.writeRequest, Http.writeResponse | Unit |
| readPort | Socket.server | Int |
| writePort | HttpClient.request, HttpClient.get, HttpClient.post, HttpServer.start, Socket.server | Int |
| getDir | OS.FileSys.getDir | Unit |
| getApplicationConfigDir | OS.FileSys.getApplicationConfigDir | File |
| sysCall | OS.Process.system, Unix.execute | String |
| terminate | OS.Process.exit, OS.Process.terminate | Int |
| getEnv | OS.Process.getEnv | String |
| pickleLoad | Pickle.load, Pickle.Load, Pickle.LoadVal | File |
| pickleSave | Pickle.save, Pickle.Save, Pickle.SaveVal | File |
| deepWait | Store.deepWait | Unit |
| stdIn | TextIO.stdIn | Unit |
| stdOut | TextIO.stdOut | Unit |
| stdErr | TextIO.stdErr | Unit |
| processWait | Unix.wait | Unit |
| processReap | Unix.reap | Unit |