On 2/28/22 15:12, Sean Mullan wrote:
>
> On 2/27/22 1:47 PM, Andrew Haley wrote:
>
>> I'd like to explore the use of scope locals as a lightweight means to
>> implement a system of permissions and capabilities for things such as
>> this.
>
> Now you have piqued my curiosity, as I have explored a capability based
> model for intercepting `System.exit`. Can you say any more about this yet?
I think all we'd need is a set of capabilities bound to a scope local at
thread startup, and I guess it'd default to "all capabilities". Trusted
code could then override any of those capabilities. We'd have to make sure
that capabilities were inherited by threads, and we'd have to think very
carefully about thread pools. The problem there is that while it would (I
guess) make sense to prevent all code executing in thread pools from
calling System.exit(), there's an obvious compatibility problem if it
can't.

-- 
Andrew Haley  (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
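A sketch of the "capability set bound to a scope local" design described in the message above, as an added example that is not Andrew Haley's code and not part of the JDK. It uses the `ScopedValue` API that later shipped in place of the 2022 scope-locals prototype (JEP 446/487), so it needs a JDK where `ScopedValue` is available, with `--enable-preview` on the preview releases. The `Capability` enum, the `CapabilityScope` class, `withoutCapability` and `guardedExit` are hypothetical names chosen for the illustration. An unbound value stands for "all capabilities", trusted code narrows the set for a dynamic extent, and the last step shows the thread-pool problem the message raises: a task handed to a pool thread does not inherit the narrowed binding.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class CapabilityScope {
    // Hypothetical capability set; EXIT is the one the thread discusses.
    enum Capability { EXIT, SPAWN_THREAD, OPEN_FILE }

    // Unbound means "all capabilities", matching the default sketched in the
    // message. Kept private: any code holding a reference to CAPS could
    // rebind it with a wider set, so only the trusted module may touch it.
    private static final ScopedValue<Set<Capability>> CAPS = ScopedValue.newInstance();

    static Set<Capability> current() {
        return CAPS.orElse(EnumSet.allOf(Capability.class));
    }

    static boolean has(Capability c) {
        return current().contains(c);
    }

    // Trusted code narrows the set for the dynamic extent of `body`.
    // Nested calls can only drop further capabilities, never regain one,
    // because each binding starts from the current (already narrowed) set.
    static void withoutCapability(Capability dropped, Runnable body) {
        EnumSet<Capability> narrowed = EnumSet.copyOf(current());
        narrowed.remove(dropped);
        ScopedValue.where(CAPS, Set.copyOf(narrowed)).run(body);
    }

    // Stand-in for an intercepted System.exit: check the capability first.
    static void guardedExit(int status) {
        if (!has(Capability.EXIT)) {
            throw new SecurityException("EXIT capability not held in this scope");
        }
        System.exit(status);
    }

    public static void main(String[] args) {
        // 1. Default: everything is allowed.
        System.out.println("default caps: " + current());

        // 2. Trusted code drops EXIT around a plugin-like body.
        withoutCapability(Capability.EXIT, () -> {
            System.out.println("inside narrowed scope: " + current());
            try {
                guardedExit(1);
            } catch (SecurityException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        });

        // 3. The thread-pool problem: a task submitted to a pool from inside
        // the narrowed scope runs on a pool thread that does not inherit the
        // ScopedValue binding, so on that thread EXIT is held again.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            withoutCapability(Capability.EXIT, () -> {
                var f = pool.submit(() -> has(Capability.EXIT));
                try {
                    System.out.println("pool thread has EXIT: " + f.get()); // true
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            });
        } finally {
            pool.shutdown();
        }
    }
}
```

The third step is the point worth checking in any real design: `ScopedValue` bindings are inherited only by threads forked inside a `StructuredTaskScope`, not by threads a pool created earlier, so a capability dropped in one scope reappears on pool threads unless the pool itself rebinds a narrowed set for every task it runs. That is exactly the compatibility tension the message points at, since forcing every pool to drop `EXIT` would break code that legitimately calls `System.exit()` from a worker.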