> It is not even that. All you need is the program to present an “understandable” manifest of its requirements and you can choose to accept or deny.
Sure. And if these understandable manifests contain requests only from a predefined set that the system provides, we call these requests "permissions" in the iOS and Android sense. You don't get to request arbitrary things and ask the user to approve them.
> The problem with the post is that it assumes that the most important thing is making sure that all non-malicious programs run no matter how convoluted
Agreed.
> No, we can just reject unless you make it easy to analyze; halting problem averted
Yes, and it's this idea that makes minimalism essential in OS design. The narrower your contract, the more flexibility you have to change your implementation.
Agreed. It was unclear from your original post if you were talking about coarse-grained sandboxes or more fine-grained systems.
To clarify, a system that defines coarse classes of sandboxes could declare a class of sandbox for non-networked applications, a sandbox for games, a sandbox for applications with storage exclusively for configuration data, etc. Such a system is different in many respects from a system that defines relatively fine-grained composable requirements. Obviously, a fine-grained system could be composed to present a model at the coarse abstraction level, but the way you target an application differs based on what abstraction level you are targeting.
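The two ideas in this thread, a manifest that may only request items from a system-defined set (the "permissions" point above) and coarse sandbox classes composed out of fine-grained requirements (the comment just above), as one worked example. This is added illustration code, not from any poster or any real OS; the permission names, profile names, `key: value` manifest format and size limit are all invented for it. A manifest that is not trivially analyzable (unknown fields, unknown permission names, too large) is rejected outright rather than shown to the user; only a resolved set drawn from `PERMISSIONS` ever reaches the accept/deny prompt.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# System-defined, fine-grained permissions: the only vocabulary a manifest may use.
# (Names are invented for this example.)
PERMISSIONS: frozenset[str] = frozenset({
    "net.client", "net.server", "fs.config", "fs.documents",
    "gpu", "audio", "input.gamepad",
})

# Coarse sandbox classes built by composing the fine-grained set. A program can
# target this level by naming a profile instead of listing permissions.
PROFILES: dict[str, frozenset[str]] = {
    "offline": frozenset(),
    "config-only": frozenset({"fs.config"}),
    "game": frozenset({"gpu", "audio", "input.gamepad", "fs.config"}),
    "networked-client": frozenset({"net.client", "fs.config"}),
}

MAX_MANIFEST_LINES = 32  # larger than this is "not easy to analyze": reject


@dataclass(frozen=True)
class Decision:
    accepted: bool
    granted: frozenset[str]
    reason: str


def parse_manifest(text: str) -> dict[str, str]:
    """Parse a `key: value` manifest. Raises ValueError on anything we refuse to analyze."""
    fields: dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_MANIFEST_LINES:
        raise ValueError("manifest too large to review")
    for ln in lines:
        if ":" not in ln:
            raise ValueError(f"unparseable line: {ln!r}")
        key, value = (part.strip() for part in ln.split(":", 1))
        if key not in {"name", "profile", "requires"}:
            raise ValueError(f"unknown field: {key!r}")
        if key in fields:
            raise ValueError(f"duplicate field: {key!r}")
        fields[key] = value
    return fields


def requested_set(fields: dict[str, str]) -> frozenset[str]:
    """Resolve a manifest to a set drawn only from PERMISSIONS, or raise ValueError."""
    wanted: set[str] = set()
    if "profile" in fields:
        if fields["profile"] not in PROFILES:
            raise ValueError(f"unknown profile: {fields['profile']!r}")
        wanted |= PROFILES[fields["profile"]]
    if "requires" in fields:
        for perm in (p.strip() for p in fields["requires"].split(",") if p.strip()):
            if perm not in PERMISSIONS:
                # No arbitrary requests: the user is never asked about something
                # the system itself does not define.
                raise ValueError(f"not a system permission: {perm!r}")
            wanted.add(perm)
    return frozenset(wanted)


def decide(text: str, user_accepts: Callable[[frozenset[str]], bool]) -> Decision:
    """Reject unanalyzable manifests outright; otherwise let the user accept or deny."""
    try:
        wanted = requested_set(parse_manifest(text))
    except ValueError as exc:
        return Decision(False, frozenset(), f"rejected: {exc}")
    if not user_accepts(wanted):
        return Decision(False, frozenset(), "denied by user")
    return Decision(True, wanted, "accepted")


# Constructed sample manifests (not taken from any real program).
GAME_MANIFEST = "name: asteroids\nprofile: game\n"
EXTRA_NET_MANIFEST = "name: asteroids-online\nprofile: game\nrequires: net.client\n"
ARBITRARY_MANIFEST = "name: sneaky\nrequires: raw_disk, net.client\n"
OPAQUE_MANIFEST = "name: blob\nrequires: net.client\nx-custom-blob: 0xdeadbeef\n"


if __name__ == "__main__":
    # A stand-in for the user prompt: accept anything that does not open a listening socket.
    for manifest in (GAME_MANIFEST, EXTRA_NET_MANIFEST, ARBITRARY_MANIFEST, OPAQUE_MANIFEST):
        print(decide(manifest, lambda perms: "net.server" not in perms))
```

The coarse and fine levels coexist because `PROFILES` is just a table of fixed subsets of `PERMISSIONS`: a game declares `profile: game` and never names `gpu` or `audio`, while a program that needs one more capability adds a `requires:` line, and both resolve to the same kind of set before the user sees anything. The narrow contract (three known fields, one known vocabulary, a hard size bound) is what lets `parse_manifest` reject everything else without having to reason about what the program would do.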