
Rings

[Move to Docs after implementation]

Cosmos will be divided into rings. In some respects they are similar to traditional operating system rings; however, they are not enforced by hardware and thus do not have the runtime overhead. Instead they are enforced by the compiler and later by the installation system, which will verify that assemblies are part of the installation.

A new assembly-level attribute will be created for processing by IL2CPU. If the attribute is not present, User Ring will be assumed.

Kernel Ring

In the Kernel Ring, all things are permitted, including unsafe code. Assemblies that can be marked as Kernel Ring are restricted. A protected list of assemblies is maintained and enforced by IL2CPU and the installation system.

Kernel Ring includes memory management, process and thread control, etc.

Permitted

Not Permitted

Restrictions

Hardware Ring

Hardware Ring contains drivers for hardware. Hardware Ring cannot contain unsafe code but can access the managed memory object (see separate annotation) to ensure proper alignment of structures etc. Kernel Ring can assign specific PCI, USB and other devices to drivers; drivers communicate with such devices through the Kernel Ring and managed memory objects, but cannot access pointers directly.

System Ring

The System Ring includes file systems, network stacks, etc. Unsafe code is not permitted.

User Ring

User Ring includes applications and services.

Access

Classes can be marked with additional attributes to specify which rings can consume the class. By default only lower rings can be accessed.

Kernel <-- Hardware <-- System <-- User

For example, by default System can consume classes in Hardware but not Kernel. Kernel, however, can mark specific classes with an attribute to expose them to System and even User. Exposing access to User would implicitly grant access to System as well, as it is a lower ring.
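
The access rule above as an added C# sketch, not code from Cosmos or IL2CPU. The attribute names `AssemblyRingAttribute` and `ExposeToAttribute`, the `RingPolicy` checker and the two demo classes are hypothetical; allowing same-ring use and denying access to higher rings are assumptions read from "only lower rings can be accessed".

```csharp
using System;
using System.Reflection;

[assembly: AssemblyRing(Ring.Kernel)]   // this demo assembly plays the Kernel Ring

// Lower value = lower ring: Kernel <-- Hardware <-- System <-- User
public enum Ring { Kernel = 0, Hardware = 1, System = 2, User = 3 }

// Hypothetical names; the post does not name the real attributes.
[AttributeUsage(AttributeTargets.Assembly)]
public sealed class AssemblyRingAttribute : Attribute
{
    public Ring Value { get; }
    public AssemblyRingAttribute(Ring value) { Value = value; }
}

[AttributeUsage(AttributeTargets.Class)]
public sealed class ExposeToAttribute : Attribute
{
    public Ring Highest { get; }        // highest ring allowed to consume the class
    public ExposeToAttribute(Ring highest) { Highest = highest; }
}

public static class RingPolicy
{
    public static bool CanConsume(Ring consumer, Type target)
    {
        // Per the post: an assembly without the attribute is assumed User Ring.
        Ring owner = target.Assembly.GetCustomAttribute<AssemblyRingAttribute>()?.Value ?? Ring.User;
        if (consumer == owner) return true;       // assumption: same-ring use is allowed
        if (consumer < owner) return false;       // assumption: higher rings are never consumable
        if (consumer == owner + 1) return true;   // default: only the next ring down
        // Exposure to a ring implicitly covers every ring below it.
        var expose = target.GetCustomAttribute<ExposeToAttribute>();
        return expose != null && consumer <= expose.Highest;
    }
}

public sealed class Scheduler { }                  // not exposed: Kernel and Hardware only

[ExposeTo(Ring.User)]
public sealed class KernelConsole { }              // exposed to User, so System is covered too

public static class Demo
{
    public static void Main()
    {
        foreach (Ring r in Enum.GetValues(typeof(Ring)))
            Console.WriteLine($"{r,-8} Scheduler={RingPolicy.CanConsume(r, typeof(Scheduler))} " +
                              $"KernelConsole={RingPolicy.CanConsume(r, typeof(KernelConsole))}");
    }
}
```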