This is the mail archive of the guile@cygnus.com mailing list for the guile project.
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
Hello, ttn> i'm going to now guess that a "safe" eval must necessarily be ttn> implemented as a primitive. still, i don't really believe it ttn> and continue to wonder if there is any way one could create ttn> `safe-eval' from just Scheme? Here's a wild idea for making GUILE safe. I looked at attaching a permission word to guile primitives. The idea was to hide an extra word in the primitive smob that would let permission bits be defined (see note [1]). If this were implemented, it would mean changing the definition of scm_iproc, and all of the places it's called, or you could have scm_iproc set the permissions to a default value, and then override it in the init routines. Either way, I ran in to the problem that there doesn't seem to be anyplace to hide the extra bits. The part of the smob I was thinking of using is taken up by the debugger (it saves info so that the debugger can find the name of the routine, quite worthwhile). Cheers, Clark [1] I was thinking of a protection scheme similar to the VMS security system. This works by having routines have a privilege mask with a bit set for each privilege the routine requires. Then there is a privilege word that has a bit set for each privilege that the process does not have. If the "(and priv-mask priv-word)" is not zero then the routine cannot be executed. This would need to be implemented in scm_eval. I haven't thought about the overhead, but it's probably minimal.