This is the mail archive of the guile@cygnus.com mailing list for the guile project.
| Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
|---|---|---|
| Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
Hello,
ttn> i'm going to now guess that a "safe" eval must necessarily be
ttn> implemented as a primitive. still, i don't really believe it
ttn> and continue to wonder if there is any way one could create
ttn> `safe-eval' from just Scheme?
Here's a wild idea for making GUILE safe.
I looked at attaching a permission word to guile primitives. The idea
was to hide an extra word in the primitive smob that would let
permission bits be defined (see note [1]). If this were implemented,
it would mean changing the definition of scm_iproc, and all of the
places it's called, or you could have scm_iproc set the permissions to
a default value, and then override it in the init routines. Either
way, I ran in to the problem that there doesn't seem to be anyplace to
hide the extra bits. The part of the smob I was thinking of using is
taken up by the debugger (it saves info so that the debugger can find
the name of the routine, quite worthwhile).
Cheers,
Clark
[1] I was thinking of a protection scheme similar to the VMS security
system. This works by having routines have a privilege mask with a
bit set for each privilege the routine requires. Then there is a
privilege word that has a bit set for each privilege that the process
does not have. If the "(and priv-mask priv-word)" is not zero then
the routine cannot be executed. This would need to be implemented in
scm_eval. I haven't thought about the overhead, but it's probably
minimal.