From: ludovic.courtes@laas.fr (Ludovic Courtès)
Newsgroups: gmane.lisp.guile.user
Subject: Re: modify environments to make sandboxes
Date: Mon, 12 Jun 2006 18:47:33 +0200
Organization: LAAS-CNRS
Message-ID: <87ver6z5ga.fsf@laas.fr>
In-Reply-To: <20060612182036.2c989469@localhost.localdomain> (Mildred's message of "Mon, 12 Jun 2006 18:20:36 +0200")
To: Mildred
Cc: guile-user@gnu.org
X-URL: http://www.laas.fr/~lcourtes/
X-PGP-Key-ID: 0xEB1F5364
X-PGP-Fingerprint: 821D 815D 902A 7EAB 5CEE D120 7FBA 3D4F EB1F 5364
User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.4 (gnu/linux)
List-Id: General Guile related discussions
Xref: news.gmane.org gmane.lisp.guile.user:5347

Hi,

Mildred writes:

> I do not know how to do that in Scheme. Apparently the function
> null-environment can return an environment and eval can evaluate some
> code in an environment. But the question is how to define a variable in
> an environment and also how to undefine a variable that you don't want
> to appear.

Code confinement is indeed an interesting feature. Fortunately, Guile
offers various ways to do it (AFAIK, there's no standard way to do this
in R5RS Scheme). :-)

Basically, in Guile, one can manipulate "modules". Modules are
first-class representations of name spaces (i.e., environments with
bindings). The second argument of `eval' is a module, so you can ask
Guile to evaluate a piece of code within the context of a particular
module.

The basic way to create a module is `make-module'. However, this returns
a module with absolutely no defined binding (i.e., no variable is bound
within it, not even `define', `let', etc.). If you were to create a
confined module to evaluate mathematical expressions, you could start
from there:

  (define (make-pure-math-module)
    ;; Start from a module with no bindings at all, then add only the
    ;; arithmetic operators (and `let') by hand.
    (let ((m (make-module)))
      (module-define! m '+ +)
      (module-define! m '- -)
      (module-define! m '* *)
      (module-define! m '/ /)
      (module-define! m 'let let)
      m))

Now, thanks to this, you will be able to catch the following:

  (eval '(system "rm -rf /") (make-pure-math-module))

IOW, you can safely evaluate any expression, and you know that it will
fail if it's not a pure mathematical expression.

Now, in the general case, you want to create a module that contains
enough bindings to allow "friendly" code to evaluate, but you don't want
to list all those bindings one by one. In this case, you can use
`make-root-module', which returns a new module that contains all the
default Guile bindings. Then, you can selectively undefine or modify
various bindings within that module (using `module-remove!' and
`module-set!'). In particular, you'll want to make sure that no POSIX
syscall is available, and that `load' and `resolve-module' (which allows
one to load a Scheme file) are either undefined or restricted (e.g., such
that only specific modules can be loaded from within the confined
module).

Finally, another approach is to start from an empty module (returned by
`make-module') and then use a set of `module-use!' calls to have it
import bindings from a few specific modules.

You can get more information about modules in `ice-9/boot-9.scm'.

Happy hacking!

Ludovic.

_______________________________________________
Guile-user mailing list
Guile-user@gnu.org
http://lists.gnu.org/mailman/listinfo/guile-user
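The third approach from the message above (an empty module plus `module-use!') written out as a runnable whitelist sandbox, with a wrapper that turns the resulting unbound-variable error into a rejection instead of a crash. This is an added example and not code from the original post or from Guile itself; it was written against Guile 2.2/3.0, where `resolve-interface' accepts `#:select' and the evaluator signals the `unbound-variable' key. The names `make-pure-math-module', `safe-eval' and `show' are this example's own, and the expressions fed to `show' are constructed test inputs.

```scheme
;; Added example: a whitelist sandbox built from Guile's module primitives.
;; Nothing here is part of the original mailing-list post.

;; Build a module that starts with no bindings at all and then imports an
;; explicit whitelist from (guile).  Selecting `let' pulls in the syntax
;; binding as well, so simple local bindings work inside the sandbox;
;; `define', `system', `load', `open-input-file' and friends stay unbound.
(define (make-pure-math-module)
  (let ((m (make-module)))
    (module-use! m (resolve-interface '(guile)
                                      #:select '(+ - * / expt sqrt abs let)))
    m))

;; Evaluate EXPR in a fresh sandbox module.  A reference to any symbol that
;; is not on the whitelist is an unbound variable in that module, so the
;; evaluator throws before the offending procedure can run.  Returns two
;; values: a status symbol ('ok or 'rejected) and the result or the error.
(define (safe-eval expr)
  (catch #t
    (lambda ()
      (values 'ok (eval expr (make-pure-math-module))))
    (lambda (key . args)
      ;; KEY is 'unbound-variable for whitelist misses; other keys (for
      ;; example 'numerical-overflow) are reported the same way.
      (values 'rejected (cons key args)))))

;; Print one line per expression so the behaviour is visible when the file
;; is run with `guile this-file.scm'.
(define (show expr)
  (call-with-values (lambda () (safe-eval expr))
    (lambda (status payload)
      (display status) (display ": ") (write expr)
      (display " => ") (write payload) (newline))))

;; Constructed inputs: two friendly expressions and three that must fail.
(show '(* 6 (+ 3 4)))                     ; ok, 42
(show '(let ((x 3)) (sqrt (* x x))))      ; ok, 3.0 (or 3)
(show '(system "id"))                     ; rejected: `system' is unbound
(show '(define x 1))                      ; rejected: no `define' in the sandbox
(show '(open-input-file "/etc/passwd"))   ; rejected: no I/O bindings imported
```

A whitelist is easier to audit than the denylist route (`make-root-module' followed by `module-remove!'): with a denylist every binding that is not removed is a potential escape, and on Guile 2 and later a module returned by `make-root-module' shares its obarray with the root module, so check how your Guile version implements it before removing bindings from one. Note also that confining the name space does not bound resource use: `(expt 2 (expt 2 40))' is a pure mathematical expression and will still exhaust memory. Guile 2.2 and later ships `(ice-9 sandbox)', whose `eval-in-sandbox' combines whitelisted binding sets with `#:time-limit' and `#:allocation-limit' for exactly that reason.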