Mercurial > hg > sv-dependency-builds

annotate win32-mingw/include/capnp/persistent.capnp @ 83:ae30d91d2ffe

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Replace these with versions built using an older toolset (so as to avoid ABI compatibilities when linking on Ubuntu 14.04 for packaging purposes)
author Chris Cannam
date Fri, 07 Feb 2020 11:51:13 +0000
parents 37d53a7e8262
children
rev   line source
Chris@50 1 # Copyright (c) 2014 Sandstorm Development Group, Inc. and contributors
Chris@50 2 # Licensed under the MIT License:
Chris@50 3 #
Chris@50 4 # Permission is hereby granted, free of charge, to any person obtaining a copy
Chris@50 5 # of this software and associated documentation files (the "Software"), to deal
Chris@50 6 # in the Software without restriction, including without limitation the rights
Chris@50 7 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
Chris@50 8 # copies of the Software, and to permit persons to whom the Software is
Chris@50 9 # furnished to do so, subject to the following conditions:
Chris@50 10 #
Chris@50 11 # The above copyright notice and this permission notice shall be included in
Chris@50 12 # all copies or substantial portions of the Software.
Chris@50 13 #
Chris@50 14 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
Chris@50 15 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
Chris@50 16 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
Chris@50 17 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
Chris@50 18 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
Chris@50 19 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
Chris@50 20 # THE SOFTWARE.
Chris@50 21
Chris@50 22 @0xb8630836983feed7;
Chris@50 23
Chris@50 24 $import "/capnp/c++.capnp".namespace("capnp");
Chris@50 25
Chris@50 26 interface Persistent@0xc8cb212fcd9f5691(SturdyRef, Owner) {
Chris@50 27 # Interface implemented by capabilities that outlive a single connection. A client may save()
Chris@50 28 # the capability, producing a SturdyRef. The SturdyRef can be stored to disk, then later used to
Chris@50 29 # obtain a new reference to the capability on a future connection.
Chris@50 30 #
Chris@50 31 # The exact format of SturdyRef depends on the "realm" in which the SturdyRef appears. A "realm"
Chris@50 32 # is an abstract space in which all SturdyRefs have the same format and refer to the same set of
Chris@50 33 # resources. Every vat is in exactly one realm. All capability clients within that vat must
Chris@50 34 # produce SturdyRefs of the format appropriate for the realm.
Chris@50 35 #
Chris@50 36 # Similarly, every VatNetwork also resides in a particular realm. Usually, a vat's "realm"
Chris@50 37 # corresponds to the realm of its main VatNetwork. However, a Vat can in fact communicate over
Chris@50 38 # a VatNetwork in a different realm -- in this case, all SturdyRefs need to be transformed when
Chris@50 39 # coming or going through said VatNetwork. The RPC system has hooks for registering
Chris@50 40 # transformation callbacks for this purpose.
Chris@50 41 #
Chris@50 42 # Since the format of SturdyRef is realm-dependent, it is not defined here. An application should
Chris@50 43 # choose an appropriate realm for itself as part of its design. Note that under Sandstorm, every
Chris@50 44 # application exists in its own realm and is therefore free to define its own SturdyRef format;
Chris@50 45 # the Sandstorm platform handles translating between realms.
Chris@50 46 #
Chris@50 47 # Note that whether a capability is persistent is often orthogonal to its type. In these cases,
Chris@50 48 # the capability's interface should NOT inherit `Persistent`; instead, just perform a cast at
Chris@50 49 # runtime. It's not type-safe, but trying to be type-safe in these cases will likely lead to
Chris@50 50 # tears. In cases where a particular interface only makes sense on persistent capabilities, it
Chris@50 51 # still should not explicitly inherit Persistent because the `SturdyRef` and `Owner` types will
Chris@50 52 # vary between realms (they may even be different at the call site than they are on the
Chris@50 53 # implementation). Instead, mark persistent interfaces with the $persistent annotation (defined
Chris@50 54 # below).
Chris@50 55 #
Chris@50 56 # Sealing
Chris@50 57 # -------
Chris@50 58 #
Chris@50 59 # As an added security measure, SturdyRefs may be "sealed" to a particular owner, such that
Chris@50 60 # if the SturdyRef itself leaks to a third party, that party cannot actually restore it because
Chris@50 61 # they are not the owner. To restore a sealed capability, you must first prove to its host that
Chris@50 62 # you are the rightful owner. The precise mechanism for this authentication is defined by the
Chris@50 63 # realm.
Chris@50 64 #
Chris@50 65 # Sealing is a defense-in-depth mechanism meant to mitigate damage in the case of catastrophic
Chris@50 66 # attacks. For example, say an attacker temporarily gains read access to a database full of
Chris@50 67 # SturdyRefs: it would be unfortunate if it were then necessary to revoke every single reference
Chris@50 68 # in the database to prevent the attacker from using them.
Chris@50 69 #
Chris@50 70 # In general, an "owner" is a course-grained identity. Because capability-based security is still
Chris@50 71 # the primary mechanism of security, it is not necessary nor desirable to have a separate "owner"
Chris@50 72 # identity for every single process or object; that is exactly what capabilities are supposed to
Chris@50 73 # avoid! Instead, it makes sense for an "owner" to literally identify the owner of the machines
Chris@50 74 # where the capability is stored. If untrusted third parties are able to run arbitrary code on
Chris@50 75 # said machines, then the sandbox for that code should be designed using Distributed Confinement
Chris@50 76 # such that the third-party code never sees the bits of the SturdyRefs and cannot directly
Chris@50 77 # exercise the owner's power to restore refs. See:
Chris@50 78 #
Chris@50 79 # http://www.erights.org/elib/capability/dist-confine.html
Chris@50 80 #
Chris@50 81 # Resist the urge to represent an Owner as a simple public key. The whole point of sealing is to
Chris@50 82 # defend against leaked-storage attacks. Such attacks can easily result in the owner's private
Chris@50 83 # key being stolen as well. A better solution is for `Owner` to contain a simple globally unique
Chris@50 84 # identifier for the owner, and for everyone to separately maintain a mapping of owner IDs to
Chris@50 85 # public keys. If an owner's private key is compromised, then humans will need to communicate
Chris@50 86 # and agree on a replacement public key, then update the mapping.
Chris@50 87 #
Chris@50 88 # As a concrete example, an `Owner` could simply contain a domain name, and restoring a SturdyRef
Chris@50 89 # would require signing a request using the domain's private key. Authenticating this key could
Chris@50 90 # be accomplished through certificate authorities or web-of-trust techniques.
Chris@50 91
Chris@50 92 save @0 SaveParams -> SaveResults;
Chris@50 93 # Save a capability persistently so that it can be restored by a future connection. Not all
Chris@50 94 # capabilities can be saved -- application interfaces should define which capabilities support
Chris@50 95 # this and which do not.
Chris@50 96
Chris@50 97 struct SaveParams {
Chris@50 98 sealFor @0 :Owner;
Chris@50 99 # Seal the SturdyRef so that it can only be restored by the specified Owner. This is meant
Chris@50 100 # to mitigate damage when a SturdyRef is leaked. See comments above.
Chris@50 101 #
Chris@50 102 # Leaving this value null may or may not be allowed; it is up to the realm to decide. If a
Chris@50 103 # realm does allow a null owner, this should indicate that anyone is allowed to restore the
Chris@50 104 # ref.
Chris@50 105 }
Chris@50 106 struct SaveResults {
Chris@50 107 sturdyRef @0 :SturdyRef;
Chris@50 108 }
Chris@50 109 }
Chris@50 110
Chris@50 111 interface RealmGateway(InternalRef, ExternalRef, InternalOwner, ExternalOwner) {
Chris@50 112 # Interface invoked when a SturdyRef is about to cross realms. The RPC system supports providing
Chris@50 113 # a RealmGateway as a callback hook when setting up RPC over some VatNetwork.
Chris@50 114
Chris@50 115 import @0 (cap :Persistent(ExternalRef, ExternalOwner),
Chris@50 116 params :Persistent(InternalRef, InternalOwner).SaveParams)
Chris@50 117 -> Persistent(InternalRef, InternalOwner).SaveResults;
Chris@50 118 # Given an external capability, save it and return an internal reference. Used when someone
Chris@50 119 # inside the realm tries to save a capability from outside the realm.
Chris@50 120
Chris@50 121 export @1 (cap :Persistent(InternalRef, InternalOwner),
Chris@50 122 params :Persistent(ExternalRef, ExternalOwner).SaveParams)
Chris@50 123 -> Persistent(ExternalRef, ExternalOwner).SaveResults;
Chris@50 124 # Given an internal capability, save it and return an external reference. Used when someone
Chris@50 125 # outside the realm tries to save a capability from inside the realm.
Chris@50 126 }
Chris@50 127
Chris@50 128 annotation persistent(interface, field) :Void;
Chris@50 129 # Apply this annotation to interfaces for objects that will always be persistent, instead of
Chris@50 130 # extending the Persistent capability, since the correct type parameters to Persistent depend on
Chris@50 131 # the realm, which is orthogonal to the interface type and therefore should not be defined
Chris@50 132 # along-side it.
Chris@50 133 #
Chris@50 134 # You may also apply this annotation to a capability-typed field which will always contain a
Chris@50 135 # persistent capability, but where the capability's interface itself is not already marked
Chris@50 136 # persistent.
Chris@50 137 #
Chris@50 138 # Note that absence of the $persistent annotation doesn't mean a capability of that type isn't
Chris@50 139 # persistent; it just means not *all* such capabilities are persistent.