I'll cut to the chase...I don't think there's any way to efficiently
support SAFE and tainting.
I was working on JRUBY-26, trying to make a few of the special globals
we implement thread-local. That part wasn't hard, but then I reached $SAFE.
Holy moly.
I knew we needed to check SAFE a lot (via runtime.getSafeLevel(), which
returns an int) but I had no idea how pervasive it was. Basically every
operation in JRuby checks safe levels, from object creation to instance
variable and method manipulation to numerous node evals. It's checked
everywhere, and presents alternative branches in almost every case.
Problem is...it doesn't work, and implementing it right would be
horribly inefficient.
I started fixing the uses of safeLevel by removing it from the runtime
and moving it to RubyThread. So the typical way to access safe level
became:
runtime.getCurrentContext().getThread().getSafeLevel()
In places where we already have ThreadContext available, no worries. In
places where we don't, however, we're talking about a massive additional
hit to repeatedly go to thread local to look up the ThreadContext for a
safe level check.
Barring any special way to support this that I've missed, I'd suggest we
consider doing the following (not before 1.0):
- Remove safe levels and tainting and all checks for either. taint? will
always return false.
- Map safe-level modification to appropriate java security context
alterations to provide similar security, like for launching external
processes, accessing external files, and so on. Potentially use security
context for additional $SAFE-related checks as appropriate without
affecting performance.
- Charlie
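As an illustration of the second proposal above (mapping $SAFE onto the Java security context rather than checking it on every operation), here is an added example. It is not JRuby code and not part of the original message: it keeps a per-thread safe level and enforces it only at the few dangerous operations the JVM already funnels through a SecurityManager (process launch, file read/write). The class name, the thresholds at which exec, write and read are refused, and the exception messages are assumptions chosen for the example; they are not claimed to match MRI's $SAFE level tables.

```java
import java.io.File;
import java.security.Permission;

/**
 * Added example (not JRuby's own code): a SecurityManager that enforces a
 * thread-local "safe level". Nothing is checked on object creation or
 * method dispatch; the cost is paid only where the JVM already calls
 * into the SecurityManager for a dangerous operation.
 */
public final class SafeLevelSecurityManager extends SecurityManager {

    // One safe level per thread, mirroring the move of $SAFE onto RubyThread.
    private static final ThreadLocal<Integer> SAFE_LEVEL =
        ThreadLocal.withInitial(() -> 0);

    // Assumed thresholds for this example only.
    private static final int NO_EXEC_LEVEL  = 2;
    private static final int NO_WRITE_LEVEL = 2;
    private static final int NO_READ_LEVEL  = 4;

    public static int getSafeLevel() {
        return SAFE_LEVEL.get();
    }

    /** Ruby allows $SAFE to be raised but never lowered within a thread. */
    public static void setSafeLevel(int level) {
        if (level < SAFE_LEVEL.get()) {
            throw new SecurityException("tried to downgrade safe level from "
                + SAFE_LEVEL.get() + " to " + level);
        }
        SAFE_LEVEL.set(level);
    }

    // Allow everything that is not one of the specific checks below, so the
    // manager does not depend on a java.policy file being configured.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object ctx) { }

    @Override
    public void checkExec(String cmd) {
        refuseIfAtLeast(NO_EXEC_LEVEL, "launch external process: " + cmd);
    }

    @Override
    public void checkWrite(String file) {
        refuseIfAtLeast(NO_WRITE_LEVEL, "write file: " + file);
    }

    @Override
    public void checkRead(String file) {
        refuseIfAtLeast(NO_READ_LEVEL, "read file: " + file);
    }

    private static void refuseIfAtLeast(int threshold, String what) {
        int level = SAFE_LEVEL.get();
        if (level >= threshold) {
            throw new SecurityException("$SAFE=" + level + ": cannot " + what);
        }
    }

    // Stand-alone demonstration: the same call succeeds at level 0 and is
    // refused once this thread raises its level.
    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new SafeLevelSecurityManager());

        File probe = File.createTempFile("safe-level", ".txt"); // allowed at level 0
        System.out.println("level 0: created " + probe);

        setSafeLevel(2);
        try {
            Runtime.getRuntime().exec(new String[] { "true" });
            System.out.println("unexpected: exec allowed at level 2");
        } catch (SecurityException e) {
            System.out.println("level 2: " + e.getMessage());
        }
        try {
            new java.io.FileOutputStream(probe).close();
            System.out.println("unexpected: write allowed at level 2");
        } catch (SecurityException e) {
            System.out.println("level 2: " + e.getMessage());
        }
    }
}
```

Because the level lives in a ThreadLocal and is consulted only from checkExec/checkRead/checkWrite, a worker thread that never touches files or processes pays nothing for it, which is the performance argument in the proposal. Two caveats for anyone trying this today: SecurityManager is deprecated for removal since Java 17 and installing one at runtime needs -Djava.security.manager=allow from Java 18 on, and the JDK-level checks cover I/O and process launch only, so the parts of $SAFE that concern tainted strings and method or instance-variable manipulation would still have no equivalent here.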
---------------------------------------------------------------------
To unsubscribe from this list please visit:
http://xircles.codehaus.org/manage_email