lio-0.11.6.0: Labeled IO Information Flow Control Library

LIO.TCB

Description

This module exports symbols that must be accessible only to trusted code. By convention, the names of such symbols always end "...TCB" (short for "trusted computing base"). In many cases, a type is safe to export while its constructor is not. Hence, only the constructor ends "TCB", while the type is re-exported to safe code (without constructors) from LIO.Core.

Security rests on the fact that untrusted code must be compiled with -XSafe (GHC's Safe Haskell). Because this module is flagged Unsafe, it cannot be imported from Safe modules, so the constructors and functions below are out of reach of untrusted code; the only way for untrusted code to obtain them is through a trusted module that re-exports them, and such a module is part of the TCB.

Synopsis

data LIOState l

Internal state of an LIO computation.

Constructors

 LIOState
   lioLabel :: !l
     Current label.
   lioClearance :: !l
     Current clearance.

Instances

 Eq l => Eq (LIOState l)
 Read l => Read (LIOState l)
 Show l => Show (LIOState l)

newtype LIO l a

The LIO monad is a wrapper around IO that keeps track of a current label and current clearance. Safe code cannot execute arbitrary IO actions from the LIO monad. However, trusted runtime functions can use ioTCB to perform IO actions (which they should only do after appropriately checking labels).

Constructors

 LIOTCB (IORef (LIOState l) -> IO a)

Instances

 Label l => MonadLIO l (LIO l)
   liftLIO :: LIO l a -> LIO l a
 GuardIO l (IO r) (LIO l r)
   guardIOTCB :: LIO l () -> IO r -> LIO l r
 GuardIO l (a1 -> ... -> an -> IO r) (a1 -> ... -> an -> LIO l r), one instance for each arity n from 1 to 10
   guardIOTCB :: LIO l () -> (a1 -> ... -> an -> IO r) -> a1 -> ... -> an -> LIO l r
 LabelIO l (IO r) (LIO l r)
   labelIO :: (forall a. IO a -> LIO l a) -> IO r -> LIO l r
 LabelIO l (a1 -> ... -> an -> IO r) (a1 -> ... -> an -> LIO l r), one instance for each arity n from 1 to 10
   labelIO :: (forall a. IO a -> LIO l a) -> (a1 -> ... -> an -> IO r) -> a1 -> ... -> an -> LIO l r
 Functor (LIO l)
 Applicative (LIO l)
 Monad (LIO l)

# Accessing internal state

Get internal state. This function is not actually unsafe, but to avoid future security bugs we leave all direct access to the internal state to trusted code.

putLIOStateTCB :: LIOState l -> LIO l ()

Set internal state.

modifyLIOStateTCB :: (LIOState l -> LIOState l) -> LIO l ()

Update the internal state given some function.

# Executing IO actions

ioTCB :: IO a -> LIO l a

Lifts an IO computation into the LIO monad with no label check of any kind. This function is dangerous and should only be called after appropriate checks (for example taint, guardAlloc or guardWrite on the label of the data the action touches) ensure the IO computation will not violate IFC policy.

# Privileged constructors

newtype Priv a

A newtype wrapper that can be used by trusted code to transform a powerless description of privileges into actual privileges. The constructor, PrivTCB, is dangerous as it allows creation of arbitrary privileges. Hence it is only exported by the unsafe module LIO.TCB. A safe way to create arbitrary privileges is to call privInit (see LIO.Run) from the IO monad before running your LIO computation.

Constructors

 PrivTCB a

Instances

 PrivDesc l p => PrivDesc l (Priv p)
   downgradeP :: Priv p -> l -> l
   canFlowToP :: Priv p -> l -> l -> Bool
 Eq a => Eq (Priv a)
 Show a => Show (Priv a)
 Monoid p => Monoid (Priv p)
 SpeaksFor p => SpeaksFor (Priv p)
   speaksFor :: Priv p -> Priv p -> Bool
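The following is an added example of a small trusted module that ties together ioTCB, guardIOTCB and PrivTCB as described above; it is not code from lio itself. The two-point label type Level, the privilege description Declassify and the wrapper names readFileAt, writeFileAt, getEnvTCB and declassifyPriv are all defined here for illustration and are not part of the library. It shows the discipline the ioTCB description demands (guard first, IO second), the two GuardIO instance shapes at work, and PrivTCB beside the safe privInit route.

```haskell
{-# LANGUAGE Unsafe #-}
{-# LANGUAGE MultiParamTypeClasses, ScopedTypeVariables #-}
-- Added example; not lio's own code. Because this module imports LIO.TCB it is
-- itself Unsafe, so a module compiled with -XSafe cannot import it and reach
-- ioTCB or PrivTCB through it.
module TrustedDemo (Level (..), Declassify (..), readFileAt, writeFileAt,
                    getEnvTCB, declassifyPriv, main) where

import Control.Exception (SomeException)
import System.Environment (lookupEnv)
import LIO
import LIO.Run (evalLIO, privInit)
import LIO.TCB

-- A two-point label lattice, defined here for the example (not a lio label type).
data Level = Low | High deriving (Eq, Ord, Show)

instance Label Level where
  lub       = max
  glb       = min
  canFlowTo = (<=)          -- Low flows to High, never the reverse

-- A privilege description: whoever holds it may move data from High to Low.
data Declassify = Declassify deriving (Eq, Show)

instance SpeaksFor Declassify where
  speaksFor _ _ = True

instance PrivDesc Level Declassify where
  downgradeP Declassify _ = Low

-- Trusted IO wrappers (hypothetical names). guardIOTCB runs the guard first and
-- performs the IO action only if the guard returned without throwing; the
-- (a1 -> IO r) and (a1 -> a2 -> IO r) instances lift readFile and writeFile as-is.
readFileAt :: Level -> FilePath -> LIO Level String
readFileAt l = guardIOTCB (taint l) readFile         -- reading raises the current label to l

writeFileAt :: Level -> FilePath -> String -> LIO Level ()
writeFileAt l = guardIOTCB (guardWrite l) writeFile  -- writing requires current label to flow to l

-- Bare ioTCB is acceptable only when the effect cannot leak anything: here the
-- environment is treated as public (Low) input, which flows to every label.
-- Lifting, say, hPutStrLn stderr the same way would let a High context write to
-- a public channel.
getEnvTCB :: String -> LIO l (Maybe String)
getEnvTCB = ioTCB . lookupEnv

-- PrivTCB mints a privilege from nothing; only trusted code can do this.
declassifyPriv :: Priv Declassify
declassifyPriv = PrivTCB Declassify

-- The same privilege obtained the safe way, in IO before entering LIO.
mkPrivSafely :: IO (Priv Declassify)
mkPrivSafely = privInit Declassify

-- Returns (label after the High read, whether the Low write was refused,
-- label after using the privilege).
demo :: Priv Declassify -> LIO Level (Level, Bool, Level)
demo p = do
  writeFileAt High "demo-secret.txt" "top secret"   -- current label becomes High
  s  <- readFileAt High "demo-secret.txt"
  l1 <- getLabel
  -- A write to a Low file is refused now: High cannot flow to Low, so the
  -- guard throws before writeFile ever runs.
  refused <- (writeFileAt Low "demo-public.txt" s >> return False)
               `catch` \(_ :: SomeException) -> return True
  -- Exercising the privilege lowers the label again (downgradeP gives Low).
  setLabelP p Low
  l2 <- getLabel
  return (l1, refused, l2)

main :: IO ()
main = do
  p <- mkPrivSafely
  r <- evalLIO (demo p) LIOState { lioLabel = Low, lioClearance = High }
  print r
```

Note that declassifyPriv and the value returned by privInit are the same privilege; the difference is only where the constructor is reachable from. Exporting declassifyPriv from this module would hand the privilege to any importer, so a trusted module should export privileges only through functions that decide who receives them.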

data Labeled l t

Labeled l t is a value that associates a label of type l with a pure value of type t. Labeled values allow users to label data with a label other than the current label. Note that Labeled is an instance of LabelOf, which means that only the contents of a labeled value (the type t) are kept secret, not the label. Of course, if you have a Labeled within a Labeled, then the label on the inner value will be protected by the outer label.

Constructors

 LabeledTCB !l t

Instances

 LabelOf Labeled
   labelOf :: Labeled l a -> l
 (Show l, Show a) => ShowTCB (Labeled l a) (trusted Show instance)
   showTCB :: Labeled l a -> String

class LabelOf t where

Generic class used to get the label of labeled objects. For instance, if you wish to associate a label with a pure value (as in LIO.Labeled), you may create a data type:

data LVal l a = LValTCB l a

Then, you may wish to allow untrusted code to read the label of any LVal but not necessarily the actual value. To do so, simply provide an instance for LabelOf (and keep the LValTCB constructor out of the Safe-facing exports):

instance LabelOf LVal where
  labelOf (LValTCB l _) = l

Minimal complete definition

labelOf

Methods

labelOf :: t l a -> l

Get the label of a labeled value or object. Note the label must be the second to last type constructor argument.

Instances

 LabelOf LabeledResult
   labelOf :: LabeledResult l a -> l
 LabelOf Labeled
   labelOf :: Labeled l a -> l
 LabelOf LObj
   labelOf :: LObj l a -> l

# Uncatchable exception type

data UncatchableTCB

An uncatchable exception hierarchy is used to terminate an untrusted thread. Wrap the exception in UncatchableTCB before throwing it to the thread; the catch in LIO.Exception will not hand it to an untrusted handler, and runLIO will subsequently strip the UncatchableTCB constructor.

Note this can be circumvented by mapException, which should be made unsafe. In the interim, auditing untrusted code for this is necessary.

Constructors

 Exception e => UncatchableTCB e

Instances

 Show UncatchableTCB

Simple utility function that strips UncatchableTCB from around an exception.
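As an added example (not code from lio), here are two hypothetical trusted helpers built on the LabeledResult fields and UncatchableTCB exported by this module: killResultTCB terminates the thread behind a LabeledResult with a wrapped ThreadKilled that an untrusted catch-all handler cannot intercept, and waitStatusTCB follows the lresBlockTCB/lresStatusTCB protocol described below to find out how the thread ended. It assumes UncatchableTCB has the Exception instance it needs to be thrown, and the guardAlloc check in killResultTCB is this example's choice, not a rule from the library.

```haskell
{-# LANGUAGE Unsafe #-}
{-# LANGUAGE ScopedTypeVariables #-}
-- Added example; not lio's own code. Trusted helpers around LabeledResult.
module KillDemo (killResultTCB, waitStatusTCB, main) where

import Control.Concurrent (throwTo)
import Control.Concurrent.MVar (readMVar)
import Control.Exception (AsyncException (ThreadKilled), SomeException)
import Data.IORef (readIORef)
import LIO
import LIO.Concurrent (lFork)
import LIO.Concurrent.LMVar (LMVar, newEmptyLMVar, takeLMVar)
import LIO.DCLabel (DC, DCLabel, dcPublic, evalDC)
import LIO.TCB

-- Trusted: terminate the thread behind a LabeledResult. ThreadKilled is wrapped
-- in UncatchableTCB, so a catch-all handler in the untrusted thread cannot
-- swallow it. Killing a thread is a write to it, so this example requires the
-- caller's current label to flow to the thread's result label (guardAlloc).
killResultTCB :: Label l => LabeledResult l a -> LIO l ()
killResultTCB lr = do
  guardAlloc (lresLabelTCB lr)
  ioTCB $ throwTo (lresThreadIdTCB lr) (UncatchableTCB ThreadKilled)

-- Trusted: block until the thread has terminated and report how. lresBlockTCB is
-- empty until lresStatusTCB is no longer LResEmpty, so readMVar on it waits for
-- termination. No label is raised here, so this must stay in trusted code: the
-- status reveals information at lresLabelTCB.
waitStatusTCB :: LabeledResult l a -> LIO l (LResStatus l a)
waitStatusTCB lr = ioTCB $ do
  readMVar (lresBlockTCB lr)
  readIORef (lresStatusTCB lr)

-- Untrusted-style worker: blocks on an LMVar and tries to catch everything.
-- The handler never sees the wrapped ThreadKilled.
worker :: LMVar DCLabel () -> DC ()
worker mv = takeLMVar mv `catch` \(_ :: SomeException) -> return ()

main :: IO ()
main = evalDC $ do
  mv <- newEmptyLMVar dcPublic
  lr <- lFork dcPublic (worker mv)
  killResultTCB lr
  st <- waitStatusTCB lr
  ioTCB $ putStrLn $ case st of
    LResEmpty          -> "still running (cannot happen after waitStatusTCB)"
    LResLabelTooHigh l -> "thread ended at label " ++ show l ++ ", above its result label"
    LResResult _       -> "thread terminated; the result slot holds its value or rethrow"
```

The LResResult branch deliberately does not force the stored value: if the thread died from an exception, forcing it is what rethrows, and the trusted code here only wants to know that the thread is gone.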

# Trusted Show

class ShowTCB a where

It would be a security issue to make certain objects members of the Show class. Nonetheless it is useful to be able to examine such objects when debugging. The showTCB method can be used to examine such objects.

Minimal complete definition

showTCB

Methods

showTCB :: a -> String

Instances

 (Show l, Show a) => ShowTCB (Labeled l a) (trusted Show instance)
   showTCB :: Labeled l a -> String
 (Label l, Show t) => ShowTCB (LObj l t)
   showTCB :: LObj l t -> String

# LabeledResults

data LabeledResult l a

A LabeledResult encapsulates a future result from a computation spawned by lFork or lForkP. See LIO.Concurrent for a description of the concurrency abstractions of LIO.

Constructors

 LabeledResultTCB
   lresThreadIdTCB :: !ThreadId
     Thread executing the computation.
   lresLabelTCB :: !l
     Label of the result.
   lresBlockTCB :: !(MVar ())
     This MVar is empty until such point as lresStatusTCB is no longer LResEmpty. Hence, calling readMVar on this field allows one to wait for the thread to terminate.
   lresStatusTCB :: !(IORef (LResStatus l a))
     Result (when it is ready), or the label at which the thread terminated, if that label could not flow to lresLabelTCB.

Instances

 LabelOf LabeledResult
   labelOf :: LabeledResult l a -> l

data LResStatus l a

Status of a LabeledResult.

Constructors

 LResEmpty
 LResLabelTooHigh !l
 LResResult a

Instances

 (Show a, Show l) => Show (LResStatus l a)