Dynamically linked libraries provide that facility.AndrewAPrice wrote:Every program will use the latest version of the dialog, even if the program is out dated.
Is that a good thing? If the program isn't allowed to view the contents of a directory should it be allowed to do so via an external service?The dialog can have permission that the end program doesn't. For example, the Open File dialog can view the contents of directories that the program can't.
Yes. In my OS, applications won't touch anything outside of their own directories or shared library assets without permission. Certainly not a user's potentially sensitive or otherwise valuable files! Rather than prompt "is X allowed to open this directory?" while the user is browsing what to open/save, they could have full access to their personal files in the Open/Save dialog, and the dialog could tell the VFS to grant this application access to this file just this once. The external service won't let the program see anything else in the directory - it just returns a path that the program is allowed to touch.iansjack wrote:Is that a good thing? If the program isn't allowed to view the contents of a directory should it be allowed to do so via an external service?The dialog can have permission that the end program doesn't. For example, the Open File dialog can view the contents of directories that the program can't.
I like it! That would definitely have to be a system service, that the OS and the user can trust, and is similar to how WIndows handles Ctrl-Alt-Delete to provide a trusted login service. Nothing but Windows can trap C-A-D, so the user knows the resulting security screen can be trusted.AndrewAPrice wrote:Yes. In my OS, applications won't touch anything outside of their own directories or shared library assets without permission. Certainly not a user's potentially sensitive or otherwise valuable files! Rather than prompt "is X allowed to open this directory?" while the user is browsing what to open/save, they could have full access to their personal files in the Open/Save dialog, and the dialog could tell the VFS to grant this application access to this file just this once. The external service won't let the program see anything else in the directory - it just returns a path that the program is allowed to touch.iansjack wrote:Is that a good thing? If the program isn't allowed to view the contents of a directory should it be allowed to do so via an external service?The dialog can have permission that the end program doesn't. For example, the Open File dialog can view the contents of directories that the program can't.
Thanks!thewrongchristian wrote:I like it!
Yes, each process (actually grouped by the applications/programs, e.g. all instances of GIMP) can just access their own directories (via /Application/ - I'm not following POSIX) and the libraries they depend on. For anything else, the program needs to be granted permission.How would that map to something like open(), though?
Would it be something like running each process in their own VFS jail, mapping the file selected by the user into the VFS visible to the process, and returning the name of the mapped file to the process?
I haven't thought too much about temp files. Maybe we can create a /Temp/ directory that is isolated to each program (e.g. all instances of GIMP will see the temp /Temp/ dir, but it might resolve /Memdisk/Temp files/<program>/. If needed, a program could grant another program's access to it's temp files.) I'll tackle this when I encounter a use case that needs itHow about temporary files?
How about patterns like writing a new content to a temporary file, then atomically renaming the new file over the old file to replace it? Perhaps some API to write a new version of a file, with commit and rollback semantics to either replace the existing file or abort replacing the file.
What is the advantage of this? Is there a benefit to obscuring the path of the file to the program opening it?Gigasoft wrote:but it returns a file handle directly.
Exactly. I'll provide a C++ API. The caller shouldn't care how it works as long as it just does.As for what OS functions are implemented in an user space library, or in the kernel, or by communicating with aliens on the moon, it's all the same to the program, it just calls into a set of jumps provided by the loader identified by a known system interface ID.
A very strong means of protection is to not even make it possible to construct a reference to an object that a process does not have permission to access: this is basically what you're doing at the hardware level with paging.AndrewAPrice wrote:What is the advantage of this? Is there a benefit to obscuring the path of the file to the program opening it?Gigasoft wrote:but it returns a file handle directly.
You could do this by having the application make a call "DisplayUserPath()" on mouseover that takes an application path or a file handle and tells the windowing system to display the path that the user would know the file by. This itself doesn't need to be an absolute path. If the user isn't an administrator, then you might want to have them see their home directory as /, and then any other directories they are given access to might appear as mounts somewhere under /.Sometimes in Sublime I work with multiple files of the same name and hover my mouse cursor over the tab to see the full filename. We'd loose this unless you opened the directory as a "workspace" and the program had a path handle and then could show you relative paths within the workspace. So, maybe not a big deal.
