From: ludo@gnu.org (Ludovic Courtès)
To: guile-devel@gnu.org
Subject: Re: RFC: (ice-9 sandbox)
Date: Fri, 31 Mar 2017 13:33:30 +0200 [thread overview]
Message-ID: <871std65px.fsf@gnu.org> (raw)
In-Reply-To: 87r31daj8n.fsf@pobox.com
Hello!
Andy Wingo <wingo@pobox.com> skribis:
> Any thoughts? I would like something like this for a web service that
> has to evaluate untrusted code.
Would be nice!
> (define (call-with-allocation-limit limit thunk limit-reached)
> "Call @var{thunk}, but cancel it if @var{limit} bytes have been
> allocated. If the computation is cancelled, call @var{limit-reached} in
> tail position. @var{thunk} must not disable interrupts or prevent an
> abort via a @code{dynamic-wind} unwind handler.
>
> This limit applies to both stack and heap allocation. The computation
> will not be aborted before @var{limit} bytes have been allocated, but
> for the heap allocation limit, the check may be postponed until the next garbage collection."
> (define (bytes-allocated) (assq-ref (gc-stats) 'heap-total-allocated))
> (let ((zero (bytes-allocated))
> (tag (make-prompt-tag)))
> (define (check-allocation)
> (when (< limit (- (bytes-allocated) zero))
> (abort-to-prompt tag)))
> (call-with-prompt tag
> (lambda ()
> (dynamic-wind
> (lambda ()
> (add-hook! after-gc-hook check-allocation))
> (lambda ()
> (call-with-stack-overflow-handler
> ;; The limit is in "words", which used to be 4 or 8 but now
> ;; is always 8 bytes.
> (floor/ limit 8)
> thunk
> (lambda () (abort-to-prompt tag))))
> (lambda ()
> (remove-hook! after-gc-hook check-allocation))))
> (lambda (k)
> (limit-reached)))))
The allocations that trigger ‘after-gc-hook’ could be caused by a
separate thread, right? That’s probably an acceptable limitation, but
one to be aware of.
Also, if the code does:
(make-bytevector (expt 2 32))
then ‘after-gc-hook’ run too late, as the comment notes.
> (define (make-sandbox-module bindings)
> "Return a fresh module that only contains @var{bindings}.
>
> The @var{bindings} should be given as a list of import sets. One import
> set is a list whose car names an interface, like @code{(ice-9 q)}, and
> whose cdr is a list of imports. An import is either a bare symbol or a
> pair of @code{(@var{out} . @var{in})}, where @var{out} and @var{in} are
> both symbols and denote the name under which a binding is exported from
> the module, and the name under which to make the binding available,
> respectively."
> (let ((m (make-fresh-user-module)))
> (purify-module! m)
> ;; FIXME: We want to have a module that will be collectable by GC.
> ;; Currently in Guile all modules are part of a single tree, and
> ;; once a module is part of that tree it will never be collected.
> ;; So we want to sever the module off from that tree. However the
> ;; psyntax syntax expander currently needs to be able to look up
> ;; modules by name; being severed from the name tree prevents that
> ;; from happening. So for now, each evaluation leaks memory :/
> ;;
> ;; (sever-module! m)
> (module-use-interfaces! m
> (map (match-lambda
> ((mod-name . bindings)
> (resolve-interface mod-name
> #:select bindings)))
> bindings))
> m))
IIUC ‘@@’ in unavailable in the returned module, right?
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (eval '(@@ (guile) resolve-interface)
(let ((m (make-fresh-user-module)))
(purify-module! m)
m))
ERROR: In procedure %resolve-variable:
ERROR: Unbound variable: @@
--8<---------------cut here---------------end--------------->8---
Isn’t make-fresh-user-module + purify-module! equivalent to just
(make-module)?
> ;; These can only form part of a safe binding set if no mutable
> ;; pair is exposed to the sandbox.
> (define *mutating-pair-bindings*
> '(((guile)
> set-car!
> set-cdr!)))
When used on a literal pair (mapped read-only), these can cause a
segfault. Now since the code is ‘eval’d, the only literal pairs it can
see are those passed by the caller I suppose, so this may be safe?
> (define *all-pure-and-impure-bindings*
> (append *all-pure-bindings*
Last but not least: why all the stars? :-)
I’m used to ‘%something’.
Thank you!
Ludo’.
next prev parent reply other threads:[~2017-03-31 11:33 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-31 9:27 RFC: (ice-9 sandbox) Andy Wingo
2017-03-31 11:33 ` Ludovic Courtès [this message]
2017-03-31 16:26 ` Andy Wingo
2017-03-31 21:41 ` Ludovic Courtès
2017-04-02 10:18 ` Andy Wingo
2017-04-03 15:35 ` Ludovic Courtès
2017-04-14 10:52 ` Andy Wingo
2017-04-14 12:17 ` tomas
2017-04-14 12:32 ` Ludovic Courtès
2017-03-31 14:41 ` Mike Gran
2017-04-01 14:33 ` Christopher Allan Webber
2017-04-06 21:41 ` Freja Nordsiek
2017-04-14 10:58 ` Andy Wingo
2017-04-15 17:23 ` Nala Ginrut
2017-04-17 8:07 ` Andy Wingo
2017-04-17 9:12 ` Nala Ginrut
2017-04-18 19:48 ` Andy Wingo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871std65px.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guile-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).