path: root/src/teliva.h
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* just always temp files to be created (Kartik K. Agaram, 2022-03-07, 1 file, -0/+3)
  Implication: os.rename now needs to be sandboxed. Hopefully it's tractable to treat it as conceptually identical to opening two files.
* purge all support for per-function permissions (Kartik K. Agaram, 2022-03-07, 1 file, -1/+1)
  We're now back to the problem of how to transparently allow Teliva to create temporary filenames without every app having to explicitly allow them. I think I may need to define start_writing in C, so that it can use a non-sandboxed version of io.open.
* call app's main() from within Lua pmain (Kartik K. Agaram, 2022-03-07, 1 file, -1/+1)
* zet.tlv: switch file writes to new API (Kartik K. Agaram, 2022-03-07, 1 file, -0/+2)
  The interface for apps looks much nicer now, see 'main' in zet.tlv. However there are some open issues:
  - It can still be confusing to the computer owner that an app tries to write to some temporary file that isn't mentioned anywhere.
  - File renames can fail if /tmp is on a different volume.
  - What happens if an app overrides start_writing()? The computer owner may think they've audited the caller of start_writing and give it blanket file permissions. Teliva tunnels through start_writing when computing the caller. If the app can control what start_writing does, the app could be performing arbitrary malicious file operations.
  Right now things actually seem perfectly secure. Overriding start_writing has no effect. Our approach for loading .tlv files (in reverse chronological order, preventing older versions from overriding newer ones) has the accidentally _great_ property that Teliva apps can never override system definitions. So we have a new reason to put standard libraries in a .lua file: if we need to prevent apps from overriding it.
  This feels like something that needs an automated test, both to make sure I'm running the right experiment and to ensure I don't accidentally cause a regression in the future. I can totally imagine a future rewrite that tried a different approach than reverse-chronological.
* extract a common function call (Kartik K. Agaram, 2022-03-07, 1 file, -1/+1)
* fixup! no further confirmation once editing commences (Kartik K. Agaram, 2022-03-05, 1 file, -0/+1)
* include keys typed into audit log (Kartik K. Agaram, 2022-02-01, 1 file, -0/+2)
  This will help people cross-correlate when the app performs specific calls.
* file permissions: decide based on calling function (Kartik K. Agaram, 2022-02-01, 1 file, -1/+2)
* save doc: buffers to .tlv images (Kartik K. Agaram, 2022-01-25, 1 file, -0/+1)
* rename a function (Kartik K. Agaram, 2022-01-25, 1 file, -1/+1)
* when editing a function, show its callers (Kartik K. Agaram, 2022-01-03, 1 file, -1/+2)
  No way to select between them. That complicates the UI too much when we do so much with the cursor. But it's still useful to suggest things to type in after ctrl-g.
* start saving callers of functions (Kartik K. Agaram, 2022-01-03, 1 file, -0/+1)
  I think this is significantly slowing things down. Perhaps we should sample or something.
* extract a function (Kartik K. Agaram, 2022-01-03, 1 file, -0/+1)
* start on a view of audit events (Kartik K. Agaram, 2022-01-02, 1 file, -0/+2)
* editable file permissions (Kartik K. Agaram, 2022-01-02, 1 file, -1/+1)
  Extremely cruddy implementation:
  - I'm still unclear on how to represent the advice function:
    - How to handle errors when loading user configuration? Currently I refuse to start.
    - Whole function? More errors to handle in header and so on. What if the function is renamed?
    - Just body? Needs more structured editing support.
  - Lots of duplication, particularly between the permissions in the menu and the permissions screen.
  I don't know how to show the hostname at the time of connect() or bind(), so networking is going to remain a boolean for now. It's also unclear what effective constraints we can impose on what gets discussed with a specific hostname. Everything outside the computer is out of one's control.
  One trick I learned is for consistently grabbing ASan logs on abort: It's always safe to redirect stderr with ncurses!
* rename (Kartik K. Agaram, 2022-01-02, 1 file, -2/+2)
* sandbox: color tweaks (Kartik K. Agaram, 2022-01-02, 1 file, -4/+4)
* undo accidental color scheme commit (Kartik K. Agaram, 2021-12-25, 1 file, -1/+1)
* file open() is now sandboxed (Kartik K. Agaram, 2021-12-25, 1 file, -0/+1)
  In the process we now also have a mechanism for Teliva to overlay errors while apps run. Might make sense to make that available to apps as well. But I'm starting to realize that any app access to the Teliva areas of the screen is fraught with risk.
* flesh out very preliminary UI (Kartik K. Agaram, 2021-12-25, 1 file, -11/+24)
  Our sandboxing model is a blunt caricature, just two booleans. But let's see how far this gets us. Still doesn't persist, and definitely has no effect.
* fix a couple of colors (Kartik K. Agaram, 2021-12-25, 1 file, -2/+2)
* delete a couple more hacky function prototypes (Kartik K. Agaram, 2021-12-25, 1 file, -0/+2)
* mock sandbox status and some initial colors (Kartik K. Agaram, 2021-12-25, 1 file, -0/+12)
  Current plan:
  - two booleans to gate file and network access, respectively
  - false shows as green, true shows as orange
  - if _both_ booleans are true, then both show as red to indicate that there are no protections.
* a little more reorg (Kartik K. Agaram, 2021-12-25, 1 file, -79/+84)
  Put stuff people messing with Teliva apps are likely to need above the C interface. The state of documentation for Teliva app creators is still quite poor. All they really have to go on is the example apps.
* reorg: pull Teliva-specific stuff out of lua.c (Kartik K. Agaram, 2021-12-25, 1 file, -0/+29)
  It should now be easier to diff against the Lua 5.1 sources upstream.
* less confusing name (Kartik K. Agaram, 2021-12-21, 1 file, -7/+7)
* nail down trusted Teliva channels a little more (Kartik K. Agaram, 2021-12-21, 1 file, -1/+2)
  In each session, Teliva has to bootstrap a trusted channel with the computer owner while running arbitrarily untrusted code. So let's get really, really precise about what the trusted channel consists of:
  - the bottom-most row of screen containing the menu
  - the keystrokes the owner types in
  - ncurses COLOR_PAIR slots 254 (menu) and 255 (error)
  One reason the menu colors are important: we don't want people to get used to apps that hide the menu colors by setting default foreground/background to invisible and then drawing their own menu one row up.
  The error COLOR_PAIR I don't see any reason to carve out right now, but it seems like a good idea for Teliva the framework to not get into the habit of apps doing some things for it.
  I'm not sure how realistic all this is (I feel quite ill-equipped to think about security), but it seems worthwhile to err on the side of paranoia. Teliva will be paranoid so people don't have to be.
* minor colorscheme tweak (Kartik K. Agaram, 2021-12-08, 1 file, -1/+1)
* slightly more obvious menu copy (Kartik K. Agaram, 2021-12-06, 1 file, -4/+8)
  Still sucks, though...
* tweak solarized-esque scheme (Kartik K. Agaram, 2021-12-06, 1 file, -1/+1)
* more configurable colors (Kartik K. Agaram, 2021-12-06, 1 file, -0/+86)
  Also start using 256 colors, under the assumption most people will have them.
* support the comment/uncomment hotkey on Macs (Kartik K. Agaram, 2021-12-03, 1 file, -0/+1)
  ^/ works on Linux but not on Mac
  ^- emits the same character code on Mac
  ^_ seems to be the underlying character code, and works on both
  ctrl-7 also emits the same character code
* get rid of `Esc` hotkey (Kartik K. Agaram, 2021-12-03, 1 file, -1/+0)
  For a variety of historical reasons, terminals pause every time you press `Esc`. Let's get rid of that lag.
* improve support for backspace (Kartik K. Agaram, 2021-12-03, 1 file, -11/+1)
  I still don't understand the entire state space here, so I'm trying to err on the side of improving discoverability of the `ctrl-h` escape hatch. Without requiring too wide a window to show all hotkeys on the menu.
* better cross-platform backspace support (Kartik K. Agaram, 2021-11-30, 1 file, -0/+6)
  I wish I could just hide KEY_BACKSPACE and prevent myself from using it by accident. Then again, I'm not making this smarts available in Teliva programs themselves. Just for the Teliva environment.
* ctrl-/ to comment/uncomment line (Kartik K. Agaram, 2021-11-28, 1 file, -0/+1)
* ctrl-u/ctrl-k to make editing a bit more ergonomic (Kartik K. Agaram, 2021-11-28, 1 file, -0/+1)
* mac backspace attempt 3 (Kartik K. Agaram, 2021-11-28, 1 file, -1/+1)
* fix half-assed mac os backspace commit (Kartik K. Agaram, 2021-11-28, 1 file, -2/+2)
* fix backspace on Mac (Kartik K. Agaram, 2021-11-28, 1 file, -0/+5)
  I'm deliberately restricting this incompatibility to the editor environment for now.
* editor hotkeys: sol/eol (Kartik K. Agaram, 2021-11-28, 1 file, -0/+1)
  I'm growing attached to ^e, so mildly breaking with convention there. Perhaps this is a bad idea.
* dedup an enum (Kartik K. Agaram, 2021-11-26, 1 file, -0/+24)