* sandboxing Guile extensions
@ 2019-02-10 21:06 Noneayour Business
0 siblings, 0 replies; 3+ messages in thread
From: Noneayour Business @ 2019-02-10 21:06 UTC (permalink / raw)
To: guile-user
I have a GUI app
http://www.lightandmatter.com/ogr/ogr.html
in which I've just implemented a very rudimentary extension mechanism
using Guile. I'm not an experienced lisp programmer at all. This has
been
my first use of lisp beyond "hello, world."
The purpose of my extension is to let users run their own arbitrary
code
in certain situations. However, this means that someone could in
principle
create a Trojan horse attack in which they embed some malicious Guile
code in a document and send it to someone else and try to get them to
open the document.
I see that Guile 2.2.1 has a sandboxing mechanism:
https://www.gnu.org/software/guile/manual/html_node/Sandboxed-Evaluatio
n.html
However, this seems entirely focused on preventing excessive use of
resources. Is there any way to have Guile run in a sandbox similar to
the javascript or java applet sandbox, where it doesn't have access to
the file system and so on? E.g., could I delete certain parts of the
libraries
before handing control over to the user-supplied code, or can the
interpreter
be started up without some of the standard libraries?
I'm currently running Guile by starting up an interpreter through a
shell
for each evaluation of the user's function:
https://github.com/bcrowell/opengrade/blob/master/Extension.pm
Thanks in advance for any suggestions!
Ben Crowell
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: sandboxing Guile extensions
@ 2019-02-15 20:31 tantalum
0 siblings, 0 replies; 3+ messages in thread
From: tantalum @ 2019-02-15 20:31 UTC (permalink / raw)
To: Guile user
i think it is possible to restrict the bindings available for code that
is evaluated with eval-in-sandbox. eval-in-sandbox accepts a keyword
argument named #:module for supplying a module object which gives all
bindings that will be available to the evaluated code. a module with the
allowed bindings can be created with make-sandbox-module.
here is an example:
```
(import (ice-9 sandbox))
(define env (make-sandbox-module (list (quote ((guile) display
string-append)))))
(define result
(eval-in-sandbox (quote (display string-append)) #:time-limit 2
#:module env))
```
when i remove string-append from the list, the code evaluation fails
with an unbound variable exception. the argument to make-sandbox-module
is a list of lists, where for each the first element is a module name
and the rest are binding names to include from that module. there are a
few default sets, for example the variables string-bindings,
list-bindings, number-bindings, etc.
the preset sets are also just lists and can be appended
```
(make-sandbox-module
(append
core-bindings string-bindings symbol-bindings list-bindings
number-bindings
(quote (
((my example module) link-files include-files)))))
```
if eval-in-sandbox would not exist, one would perhaps use eval from
(rnrs eval), which can also take a module that restricts available
features.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: sandboxing Guile extensions
@ 2019-02-22 21:46 Noneayour Business
0 siblings, 0 replies; 3+ messages in thread
From: Noneayour Business @ 2019-02-22 21:46 UTC (permalink / raw)
To: guile-user
Thanks for the help with this! I hadn't understood the docs well enough
to understand that the
sandbox module did allow restrictions on what library functions were
available.
Unfortunately the sandbox module is only available with guile 2.2+,
which makes it impractical
for my application, since I can't expect users to compile the latest
version from source.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-02-22 21:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-22 21:46 sandboxing Guile extensions Noneayour Business
-- strict thread matches above, loose matches on Subject: below --
2019-02-15 20:31 tantalum
2019-02-10 21:06 Noneayour Business
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).