Safe Haskell | Unsafe |
---|
This module exports
- The definition of the
LIO
monad and relevant trusted state access/modifying functions. - Various other types whose constructors are privileged and must be hidden from untrusted code.
- Uncatchable exceptions used to pop threads out of the
LIO
monad unconditionally. - Combinators for executing
IO
actions within theLIO
monad.
The documentation and external, safe LIO
interface is provided in
LIO.Core.
- data LIOState l = LIOState {
- lioLabel :: !l
- lioClearance :: !l
- newtype LIO l a = LIOTCB {}
- getLIOStateTCB :: LIO l (LIOState l)
- putLIOStateTCB :: LIOState l -> LIO l ()
- modifyLIOStateTCB :: Label l => (LIOState l -> LIOState l) -> LIO l ()
- updateLIOStateTCB :: Label l => (LIOState l -> LIOState l) -> LIO l ()
- ioTCB :: IO a -> LIO l a
- newtype Priv a = PrivTCB a
- data Labeled l t = LabeledTCB !l t
- data UncatchableTCB = forall e . Exception e => UncatchableTCB e
- makeCatchable :: SomeException -> SomeException
- class ShowTCB a where
- class ReadTCB a where
- readsPrecTCB :: Int -> ReadS a
- readTCB :: String -> a
LIO monad
Internal state of an LIO
computation.
LIOState | |
|
The LIO
monad is a state monad, with IO
as the underlying monad,
that carries along a current label (lioLabel
) and current clearance
(lioClearance
). The current label imposes restrictions on
what the current computation may read and write (e.g., no writes to
public channels after reading sensitive data). Since the current
label can be raised to be permissive in what a computation observes,
we need a way to prevent certain computations from reading overly
sensitive data. This is the role of the current clearance: it imposes
an upper bound on the current label.
Typeable2 LIO | |
Label l => MonadLIO l (LIO l) | |
GuardIO l (IO r) (LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> a8 -> a9 -> a10 -> IO r) (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> a8 -> a9 -> a10 -> LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> a8 -> a9 -> IO r) (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> a8 -> a9 -> LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> a8 -> IO r) (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> a8 -> LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> IO r) (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> a7 -> LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> IO r) (a1 -> a2 -> a3 -> a4 -> a5 -> a6 -> LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> a4 -> a5 -> IO r) (a1 -> a2 -> a3 -> a4 -> a5 -> LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> a4 -> IO r) (a1 -> a2 -> a3 -> a4 -> LIO l r) | |
GuardIO l (a1 -> a2 -> a3 -> IO r) (a1 -> a2 -> a3 -> LIO l r) | |
GuardIO l (a1 -> a2 -> IO r) (a1 -> a2 -> LIO l r) | |
GuardIO l (a1 -> IO r) (a1 -> LIO l r) | |
Monad (LIO l) | |
Functor (LIO l) | |
Applicative (LIO l) |
Accessing internal state
getLIOStateTCB :: LIO l (LIOState l)Source
Get internal state. This function is not actually unsafe, but to avoid future security bugs we leave all direct access to the internal state to trusted code.
putLIOStateTCB :: LIOState l -> LIO l ()Source
Set internal state.
modifyLIOStateTCB :: Label l => (LIOState l -> LIOState l) -> LIO l ()Source
Update the internal state given some function.
updateLIOStateTCB :: Label l => (LIOState l -> LIOState l) -> LIO l ()Source
Deprecated: Use modifyLIOStateTCB instead
Executing IO actions
Privileged constructors
A newtype wrapper that can be used by trusted code to bless
privileges. Privilege-related functions are defined in
LIO.Privs, but the constructor, PrivTCB
, allows one to mint
arbitrary privileges and hence must be located in this file.
PrivTCB a |
Labeled l a
is a value that associates a label of type l
with
a value of type a
. Labeled values allow users to label data with
a label other than the current label. In an embedded setting this
is akin to having first class labeled values. Note that Labeled
is an instance of LabelOf
, which effectively means that the label
of a Labeled
value is usually just protected by the current
label. (Of course if you have a nested labeled value then the label
on the inner labeled value's label is the outer label.)
LabeledTCB !l t |
Uncatchable exception type
data UncatchableTCB Source
An uncatchable exception hierarchy use to terminate an untrusted
thread. Wrap the uncatchable exception in UncatchableTCB
before
throwing it to the thread. runLIO
will subsequently unwrap the
UncatchableTCB
constructor.
Note this can be circumvented by mapException
, which should be
made unsafe.
forall e . Exception e => UncatchableTCB e |
makeCatchable :: SomeException -> SomeExceptionSource
Simple utility function that strips UncatchableTCB
from around an
exception.