From: Ryan Raymond
Newsgroups: gmane.lisp.guile.user
Subject: Re: Evaluation with function whitelist
Date: Sat, 15 Jul 2023 15:05:20 -0500
References: <314930819.342984.1689399952041@mail.yahoo.com> <877cr178o2.fsf@web.de>
To: "Thompson, David"
Cc: "Dr. Arne Babenhauserheide", Mike Gran, Guile User
List-Id: General Guile related discussions
Xref: news.gmane.io gmane.lisp.guile.user:19095

Mike, you are truly a lifesaver. My work uses an in-house programming
language that really is not too great, but now I finally have a chance to
change their minds. Thank you so much! This appears to do exactly what I need.

Dr. Arne, I will certainly use sandboxed evaluation as you have suggested.
I wasn't able to use it to enter a new lexical scope, but it will be good
to protect things beyond that (like infinite loops).

David, Goblins looks interesting. The code you wrote is so elegant. It looks
nothing like corporate code. The premise of the project is interesting. I'll
have to look into it. It's sort of bending my mind (a lot like lisp at first).

Thank you, all. I think it's safe to consider this matter concluded!

Ryan

On Sat, Jul 15, 2023 at 9:09 AM Thompson, David wrote:
> Hey Ryan, Mike, Arne,
>
> On Sat, Jul 15, 2023 at 6:48 AM Dr. Arne Babenhauserheide wrote:
> >
> > Mike Gran writes:
> >
> > >>good choice. Basically, I want the user to be able to open a repl shell,
> > >>but by default it should have *no* bindings except the ones I whitelisted.
> > > Define a module in a file with the "#:pure" option so that it starts off empty.
> > …
> > > Using the real repl is probably a no-go, since it has meta-commands
> > > like ",m" that would let the user ignore your whitelist.
> > >
> > > I didn't really test this, but it should be mostly correct.
> >
> > Sandboxed Evaluation may also be interesting for this:
> > https://www.gnu.org/software/guile/manual/html_node/Sandboxed-Evaluation.html
> > (to prevent users from blocking the process)
>
> Yeah, I agree that (ice-9 sandbox) is the best option available right
> now. Not bulletproof but covers a lot of important details that just
> using a pure module would not.
>
> This might be a difficult exercise for someone new to Guile, but the
> 'eval-in-sandbox' procedure looks like it provides the essential piece
> for a sandboxed REPL. You could define a custom language (see (system
> base language)) that uses that procedure as its evaluator. You'd then
> write a script that runs a REPL via (system repl repl) using that
> custom language.
>
> Guix's bournish shell (and monad REPL) does this trick:
> https://git.savannah.gnu.org/cgit/guix.git/tree/guix/build/bournish.scm#n267
> So does Spritely Goblins (I wrote this code):
> https://gitlab.com/spritely/guile-goblins/-/blob/main/goblins/repl.scm#L206
>
> Neither use sandboxing, but they should serve as good examples of the
> basic "custom language that is just Scheme with a different evaluator"
> + REPL pattern.
>
> I'd be curious to what extent sandboxing would break metacommands, and
> which metacommands could circumvent the sandbox. One easy, but hacky,
> option would be to just punt on figuring that out and clear the
> command table:
>
> (set! (@@ (system repl command) *command-table*) '())
>
> > If you want a long term view for the most powerful approach that
> > preserves allow-listing, see Spritely Goblins:
> > https://spritely.institute/files/docs/guile-goblins/latest/A-simple-greeter.html
>
> It is not currently safe to evaluate untrusted code with Goblins, and
> it doesn't sound like Ryan is trying to build a distributed network
> application so probably Goblins isn't a good fit. However, it is on
> the Spritely roadmap to write a secure Scheme subset (codename Oaken,
> see https://spritelyproject.org) built on object capability security
> principles. Oaken would be hosted on the Guile VM. When that's ready
> I will happily encourage its use. For now, (ice-9 sandbox) is the way
> to go if Ryan wants to proceed with using Guile.
>
> tl;dr: I think Ryan could make this work.
>
> Good luck with your project, Ryan!
>
> - Dave
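As an added example (not code from this thread, nor from Guile, Guix or Goblins), the following script shows the allow-listed REPL the thread converges on, built directly on the documented (ice-9 sandbox) API: an explicit binding list, one sandbox module reused across evaluations so that user definitions persist, a time and allocation limit on every evaluation, and a plain read-eval-print loop instead of the real REPL, so there is no meta-command layer at all. It assumes Guile 3 with (ice-9 sandbox); the names `allowed-bindings`, `session`, `safe-eval`, `sandbox-repl` and the demo input are my own.

```scheme
;; Added example, not from the mailing-list thread.
;; Assumes Guile 3 with the (ice-9 sandbox) module available.
(use-modules (ice-9 sandbox))

;; Allow-list: core syntax (define, lambda, if, let, ...) from the sandbox
;; module's own core-bindings, plus a hand-picked set of procedures.
;; Anything not listed here is simply unbound inside the sandbox.
(define allowed-bindings
  (append core-bindings
          '(((guile) + - * / = < > abs max min
                     car cdr cons list length map reverse
                     string-append string-length number->string))))

;; One module for the whole session, so that user definitions persist
;; between evaluations. eval-in-sandbox severs the module after each call
;; by default; passing #:sever-module? #f keeps it alive.
(define session (make-sandbox-module allowed-bindings))

;; Evaluate EXP in the session sandbox under resource limits.
;; Returns (ok . value) on success or (error key . args) on any failure,
;; including an unbound (non-allow-listed) name or an exceeded limit.
(define (safe-eval exp)
  (catch #t
    (lambda ()
      (cons 'ok (eval-in-sandbox exp
                                 #:module session
                                 #:sever-module? #f
                                 #:time-limit 0.5          ; seconds
                                 #:allocation-limit 10000000))) ; bytes
    (lambda (key . args)
      (cons 'error (cons key args)))))

;; Minimal read-eval-print loop over PORT until EOF. Input is read as plain
;; Scheme data, so there is no ",m"-style meta-command that could reach
;; outside the allow-list.
(define (sandbox-repl port)
  (let loop ()
    (display "sandbox> ")
    (let ((exp (read port)))
      (unless (eof-object? exp)
        (let ((result (safe-eval exp)))
          (if (eq? (car result) 'ok)
              (begin (write (cdr result)) (newline))
              (format #t "error: ~s~%" (cdr result))))
        (loop)))))

;; Constructed demo session fed through a string port:
;;   a definition, a call that uses it, a non-allow-listed procedure,
;;   and an infinite loop that the time limit stops.
(define demo-input
  (string-append
   "(define (square x) (* x x))\n"
   "(square 7)\n"
   "(system \"id\")\n"          ; not allow-listed: unbound in the sandbox
   "(let loop () (loop))\n"))   ; stopped by #:time-limit

(sandbox-repl (open-input-string demo-input))
```

Run it with `guile script.scm`; the second line prints 49 because the definition from the first line lives in the reused `session` module, while the third and fourth lines come back as errors rather than affecting the host process. Reading input with `read` and dispatching to `eval-in-sandbox` sidesteps the meta-command question raised above, at the cost of the real REPL's conveniences. As the thread notes, the sandbox is not bulletproof: everything reachable through an allow-listed procedure is reachable to the user, so the binding list is the part to review most carefully.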