From: "Noneayour Business"
Newsgroups: gmane.lisp.guile.user
Subject: sandboxing Guile extensions
Date: Sun, 10 Feb 2019 22:06:12 +0100
To: guile-user@gnu.org
I have a GUI app http://www.lightandmatter.com/ogr/ogr.html in which I've just implemented a very rudimentary extension mechanism using Guile. I'm not an experienced lisp programmer at all. This has been my first use of lisp beyond "hello, world." The purpose of my extension is to let users run their own arbitrary code in certain situations.
However, this means that someone could in principle create a Trojan horse attack in which they embed some malicious Guile code in a document and send it to someone else and try to get them to open the document.

I see that Guile 2.2.1 has a sandboxing mechanism: https://www.gnu.org/software/guile/manual/html_node/Sandboxed-Evaluation.html However, this seems entirely focused on preventing excessive use of resources. Is there any way to have Guile run in a sandbox similar to the JavaScript or Java applet sandbox, where it doesn't have access to the file system and so on? E.g., could I delete certain parts of the libraries before handing control over to the user-supplied code, or can the interpreter be started up without some of the standard libraries?

I'm currently running Guile by starting up an interpreter through a shell for each evaluation of the user's function: https://github.com/bcrowell/opengrade/blob/master/Extension.pm

Thanks in advance for any suggestions!

Ben Crowell
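The manual section the post links to covers more than resource limits: eval-in-sandbox from (ice-9 sandbox) evaluates the expression in a fresh module that contains only the bindings you hand it, so file, process and eval primitives are simply not reachable from the untrusted code unless you include them. The script below is an added example written for this editorial pass; it is not code from the post or from the OpenGrade project, and it assumes Guile 2.2 or later with (ice-9 sandbox) available. The test expressions are constructed for illustration.

```scheme
;; Added example (not from the post or the OpenGrade project): run user-supplied
;; Guile code under (ice-9 sandbox) with a restricted binding set plus time and
;; allocation limits.  Assumes Guile 2.2 or later.
(use-modules (ice-9 sandbox))

;; all-pure-bindings is the manual's list of side-effect-free bindings
;; (arithmetic, lists, strings, core syntax such as let/if/lambda).  It does
;; not contain open-file, system, load, primitive-eval, or the @ module
;; accessor, so the sandboxed code cannot name them.
(define sandbox-bindings all-pure-bindings)

;; Evaluate one already-read s-expression.  Returns the value, or a list
;; (rejected KEY ARGS) describing why the evaluation was refused.
(define (run-untrusted expr)
  (catch #t
    (lambda ()
      (eval-in-sandbox expr
                       #:bindings sandbox-bindings
                       #:time-limit 1              ; seconds of CPU-ish wall time
                       #:allocation-limit 10000000 ; bytes the code may allocate
                       #:sever-module? #t))        ; discard the module afterwards
    (lambda (key . args)
      (list 'rejected key args))))

;; Parse untrusted text into a datum, then run it.  A document extension would
;; arrive as text, so this is the entry point a host app would call.
(define (run-untrusted-string text)
  (run-untrusted (call-with-input-string text read)))

;; Constructed inputs (not from the post).
(define benign
  "(let loop ((i 0) (acc 0)) (if (< i 10) (loop (+ i 1) (+ acc i)) acc))")
(define writes-a-file
  "(call-with-output-file \"/tmp/pwned\" (lambda (p) (display \"x\" p)))")
(define escapes-via-at
  "((@ (guile) system) \"id\")")
(define runaway
  "(let loop () (loop))")

(for-each
 (lambda (src)
   (display src) (newline)
   (display "  => ") (write (run-untrusted-string src)) (newline))
 (list benign writes-a-file escapes-via-at runaway))
;; benign evaluates to 45; the file write and the @ escape are rejected with an
;; unbound-variable error because those names do not exist in the sandbox
;; module; the infinite loop is rejected with limit-exceeded.
```

The point for the original question: the binding list is the file-system boundary, and the limits are the resource boundary; both are enforced in-process, so there is no need to spawn a shell per evaluation. What the sandbox does not cover is the trust you place in the reader (read itself is invoked on attacker-controlled text) and in Guile's own primitives, so the usual layering still applies: keep the binding list minimal and run the host process with whatever OS-level confinement is available.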