Hi

> *) Some opcodes will just not be available depending on the
> characteristics you assign to the interpreter. File opens might be
> forbidden, or code loading, or socket ops, or something. Settable as
> needed by the interpreter creating the compartment.

Yes, but not every sensible op will be an opcode, I presume ...

> *) I've been thinking about having some sort of privilege system, but I'm
> not sure it's appropriate. Might, though, if you want restricted
> compartments to be able to create other restricted compartments.

In that direction I think Java security has something one can borrow from, and with that a 3rd party library can define new privileges when needed that the user can grant/configure ... The model has some limitations with very dynamic environments, like Jython, offering eval-like functionality ... but that can be solved.

The basic model says that a portion of code has some privileges (determined on loading or ...) and everything called from there will fail when trying something that needs more privileges. In the (rare) case a library wants to do something that requires higher privileges (that the library code has) on behalf of less privileged code, it can do so but should be very explicit about that.

regards.
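The privilege model sketched in the reply (a privilege set assigned to each portion of code, a stack walk that fails as soon as any caller lacks the privilege, and an explicit boundary for a library acting on behalf of less privileged code) as an added illustration in plain Python; it is not code from the thread, and the names `granted`, `check_privilege`, `do_privileged`, the privilege string `file.read` and the sample paths are assumptions.

```python
import sys

class PrivilegeError(PermissionError):
    """Some code on the call stack lacks the privilege the operation needs."""

# privilege set per "portion of code" (here: per function), fixed when the code
# is defined; code not registered here counts as the runtime itself
_domains = {}

def granted(*privileges):
    """Decorator recording the privilege set of a function's code object."""
    def deco(fn):
        _domains[fn.__code__] = frozenset(privileges)
        return fn
    return deco

def do_privileged(fn, *args):
    """Explicit boundary: the caller asserts its own privileges for fn(*args)."""
    asserting = sys._getframe(1).f_code  # read back by check_privilege
    return fn(*args)

def check_privilege(name):
    """Walk the stack: every registered caller must hold `name`, else fail."""
    f = sys._getframe(1)
    while f is not None:
        code = f.f_code
        if code in _domains and name not in _domains[code]:
            raise PrivilegeError(f"{code.co_name} lacks '{name}'")
        if code is do_privileged.__code__:
            # boundary: the asserting library must hold it; callers above are not consulted
            if name not in _domains.get(f.f_locals["asserting"], ()):
                raise PrivilegeError(f"'{name}' asserted by code that lacks it")
            return
        f = f.f_back

def open_file(path):
    """A privileged operation; returns constructed contents, never touches disk."""
    check_privilege("file.read")
    return f"<contents of {path}>"

@granted("file.read")
def lib_read_config(path):
    return open_file(path)                      # whole caller chain is checked

@granted("file.read")
def lib_read_default_config():
    # narrow, explicit assertion on behalf of less-privileged callers
    return do_privileged(open_file, "/opt/app/default.cfg")

@granted()                                      # untrusted plugin: no privileges
def plugin_direct():
    return lib_read_config("/opt/app/secret.cfg")   # refused: plugin lacks file.read

@granted()
def plugin_via_default():
    return lib_read_default_config()                # allowed through the boundary
```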
