guile-user

Re: sandboxing Guile extensions


From: tantalum
Subject: Re: sandboxing Guile extensions
Date: Fri, 15 Feb 2019 20:31:54 +0000
User-agent: Posteo Webmail

i think it is possible to restrict the bindings available for code that is evaluated with eval-in-sandbox. eval-in-sandbox accepts a keyword argument named #:module for supplying a module object which gives all bindings that will be available to the evaluated code. a module with the allowed bindings can be created with make-sandbox-module.

here is an example:

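```
(import (ice-9 sandbox))

;; module exposing only display and string-append from (guile)
(define env (make-sandbox-module (list (quote ((guile) display string-append)))))

;; evaluate the expression with only the bindings in env available
(define result
  (eval-in-sandbox (quote (display string-append)) #:time-limit 2 #:module env))
```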

when i remove string-append from the list, the code evaluation fails with an unbound variable exception. the argument to make-sandbox-module is a list of lists, where for each the first element is a module name and the rest are binding names to include from that module. there are a few default sets, for example the variables string-bindings, list-bindings, number-bindings, etc.

the preset sets are also just lists and can be appended:

```
(make-sandbox-module
  (append
    core-bindings string-bindings symbol-bindings list-bindings number-bindings
    (quote (
      ((my example module) link-files include-files)))))
```

if eval-in-sandbox did not exist, one would perhaps use eval from (rnrs eval), which can also take a module that restricts available features.
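The allowlist approach from the message above, as an added example that is not part of the original post: it evaluates a few constructed expressions against a restricted module and reports the exception key when one reaches for a binding outside the allowlist or exceeds the time limit. The names `allowed-bindings`, `try-sandboxed` and `samples` are hypothetical, as are the sample expressions.

```scheme
(use-modules (ice-9 sandbox))

;; Constructed allowlist: preset binding sets plus two explicitly
;; named bindings from (guile), in the (module-name binding ...) format.
(define allowed-bindings
  (append core-bindings string-bindings list-bindings number-bindings
          '(((guile) display newline))))

;; Evaluate EXP in a fresh sandbox module built from the allowlist.
;; A new module is made per call because eval-in-sandbox severs the
;; module from the module tree after evaluation by default.
;; Returns (ok . value) on success or (error . key) on any exception.
(define (try-sandboxed exp)
  (catch #t
    (lambda ()
      (cons 'ok
            (eval-in-sandbox exp
                             #:time-limit 0.5
                             #:module (make-sandbox-module allowed-bindings))))
    (lambda (key . args)
      (cons 'error key))))

;; Constructed sample inputs standing in for untrusted extension code.
(define samples
  '((string-append "sand" "box")      ; uses only allowlisted bindings
    (open-input-file "notes.txt")     ; file access is not in the allowlist
    (getenv "HOME")                   ; environment access is not in the allowlist
    (let loop () (loop))))            ; never terminates, so the time limit applies

;; Report the outcome of each expression.
(for-each
 (lambda (exp)
   (format #t "~s => ~s~%" exp (try-sandboxed exp)))
 samples)
```

Logging the returned key for every rejected expression gives a simple audit trail of which bindings extension code attempted to use.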


