6575856624
By splitting Session_policy into two classes, we make it more flexible. Originally, the constructor accepted solely an args string, which made it unusable for situations where we already have extracted the session label (e.g., stored in the session meta data of a server). Now, the extraction of the label from the args string is performed by the new Session_label class instead, which, in turn, can be passed to the constructor of Session_policy.

This change causes a minor API change. The following code

  Session_policy policy(session_args);

must be turned into

  Session_label label(session_args);
  Session_policy policy(label);
chunk.h
directory.h
file.h
main.cc
node_handle_registry.h
node.h
README
symlink.h
target.mk
util.h
This directory contains an in-memory file-system implementation.

Configuration
~~~~~~~~~~~~~

Access to the file system can be tailored for each session depending on the
session's label. By default, no permissions are granted to any session.
To selectively permit access to (a part of) the file system, at least one
ram_fs policy must be defined.

The following configuration illustrates how to express policy.

! <config>
!   <!-- preload RAM file system with some ROM images -->
!   <content>
!     <dir name="tmp">
!       <rom name="init" as="blubb" />
!     </dir>
!     <dir name="home">
!       <dir name="user">
!         <inline name=".vimrc">
! set hidden
!         </inline>
!       </dir>
!     </dir>
!   </content>
!   <!-- constrain sessions according to their labels -->
!   <policy label="noux -> root" root="/" />
!   <policy label="noux -> home" root="/home/user" writeable="yes" />
!   <policy label="noux -> tmp"  root="/tmp"       writeable="yes" />
! </config>

The '<content>' sub node of the '<config>' node provides a way to pre-populate
the file system with directories and files. Note that '<dir>' nodes can be
arbitrarily nested. Files can be loaded from the ROM service. By adding the
optional 'as' attribute to a rom node, the file name can be defined
independently from the ROM module name. In addition to creating files from
ROM modules, files can be created from data specified directly as part of the
configuration using '<inline>' nodes. The content of such nodes is used as
file content as is.

Session-specific access-control policy is expressed via one or more '<policy>'
nodes. At session-creation time, each policy node is matched against the label
of the new session. If the label of a policy node matches, the defined policy
is applied. If multiple policies match, the one with the longest 'label'
attribute (the most specific one) is selected.

A policy node may contain the following attributes. The mandatory 'root'
attribute defines the viewport of the session onto the file system. The
optional 'writeable' attribute grants the permission to modify the file system.

Example
~~~~~~~

To illustrate the use of ram_fs, refer to the 'libports/run/libc_fs.run' script.
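
The policy-selection rule from the Configuration section (deny by default, most specific label wins) can be sketched as follows. This is an added example, not code from ram_fs or Genode: the 'Policy' struct and the 'select_policy' and 'sample_policies' functions are hypothetical, the catch-all "noux" entry is constructed, and it assumes that a policy matches when its label is a prefix of the session label.

```cpp
// Added example: hypothetical types, not Genode's Session_policy API.
#include <iostream>
#include <optional>
#include <string>
#include <vector>

struct Policy {
    std::string label;     // value of the 'label' attribute
    std::string root;      // mandatory 'root' attribute (session viewport)
    bool        writeable; // optional 'writeable' attribute, false if absent
};

// Assumption: a policy matches when its label is a prefix of the session label.
static bool matches(const Policy &p, const std::string &session_label)
{
    return session_label.compare(0, p.label.size(), p.label) == 0;
}

// Returns the most specific matching policy, or nothing (deny by default).
std::optional<Policy> select_policy(const std::vector<Policy> &policies,
                                    const std::string &session_label)
{
    std::optional<Policy> best;
    for (const Policy &p : policies)
        if (matches(p, session_label) &&
            (!best || p.label.size() > best->label.size()))
            best = p;
    return best;
}

// The three policies of the README configuration plus a constructed
// read-only catch-all "noux" entry to exercise the longest-label rule.
std::vector<Policy> sample_policies()
{
    return { { "noux",         "/",          false },
             { "noux -> root", "/",          false },
             { "noux -> home", "/home/user", true  },
             { "noux -> tmp",  "/tmp",       true  } };
}

int main()
{
    for (const char *label : { "noux -> home", "noux -> other", "vim -> home" }) {
        auto p = select_policy(sample_policies(), label);
        if (p) std::cout << label << ": root=" << p->root
                         << (p->writeable ? " (writeable)\n" : " (read-only)\n");
        else   std::cout << label << ": session denied\n";
    }
}
```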