
Re: Re: sandboxing Guile extensions


From: Zelphir Kaltstahl
Subject: Re: Re: sandboxing Guile extensions
Date: Sat, 16 Feb 2019 23:30:59 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0

> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 15 Feb 2019 20:31:54 +0000
> From: tantalum <address@hidden>
> To: Guile user <address@hidden>
> Subject: Re: sandboxing Guile extensions
> Message-ID: <address@hidden>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> i think it is possible to restrict the bindings available for code that 
> is evaluated with eval-in-sandbox. eval-in-sandbox accepts a keyword 
> argument named #:module for supplying a module object which gives all 
> bindings that will be available to the evaluated code. a module with the 
> allowed bindings can be created with make-sandbox-module.
>
> here is an example:
>
> ```
> (import (ice-9 sandbox))
>
> ;; a module that exposes only display and string-append from (guile)
> (define env
>   (make-sandbox-module (list (quote ((guile) display string-append)))))
>
> (define result
>   (eval-in-sandbox (quote (display string-append))
>                    #:time-limit 2
>                    #:module env))
> ```
>
> when i remove string-append from the list, the code evaluation fails 
> with an unbound variable exception. the argument to make-sandbox-module 
> is a list of lists, where for each the first element is a module name 
> and the rest are binding names to include from that module. there are a 
> few default sets, for example the variables string-bindings, 
> list-bindings, number-bindings, etc.
>
> the preset sets are also just lists and can be appended:
> ```
> ;; preset binding sets plus an explicit allow-list from another module
> (make-sandbox-module
>   (append
>     core-bindings string-bindings symbol-bindings list-bindings
>     number-bindings
>     (quote (((my example module) link-files include-files)))))
> ```
>
> if eval-in-sandbox would not exist, one would perhaps use eval from 
> (rnrs eval), which can also take a module that restricts available 
> features.

This is quite interesting, as I have a situation at work where I would
like to evaluate foreign code on a server. Unfortunately, at work I will
not be allowed to develop it using Guile, and the incoming code would
also not be Guile or even Scheme in general. Still, it is great to know
such utilities exist in Guile, without resorting to some
"might-work-but-might-not-be-secure" hacks.
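As an added example that is not part of the thread, here is how the allow-list approach tantalum describes can be wrapped for evaluating untrusted expressions: the sandbox module is built from the pure preset binding sets plus an explicit allow-list from (srfi srfi-1), a fresh module is created for every evaluation because eval-in-sandbox severs the module afterwards by default, and anything outside the list (file or process access, for instance) is simply unbound in the sandbox rather than something that has to be blocked after the fact. The names `allowed-bindings` and `run-untrusted` are my own; the binding-set names and keyword arguments are those of (ice-9 sandbox).

```scheme
;; Added example (not from the thread): an allow-list sandbox for untrusted
;; expressions, built on (ice-9 sandbox) as described above.
(use-modules (ice-9 sandbox))

;; Pure, non-I/O preset sets plus an explicit allow-list from srfi-1.
;; display, open-input-file, system etc. are deliberately absent, so a
;; sandboxed expression cannot even name them.
(define allowed-bindings
  (append core-bindings
          string-bindings
          number-bindings
          list-bindings
          '(((srfi srfi-1) fold delete-duplicates))))

;; Evaluate one untrusted expression, given as a string, in a fresh module.
;; eval-in-sandbox severs the module after the call by default, so a module
;; is never reused between evaluations.  Returns (ok . value) on success and
;; (error key . args) for any error raised inside the sandbox, including the
;; sandbox's own time and allocation limits.
(define (run-untrusted source-string)
  (catch #t
    (lambda ()
      (let ((exp (call-with-input-string source-string read))
            (env (make-sandbox-module allowed-bindings)))
        (cons 'ok
              (eval-in-sandbox exp
                               #:module env
                               #:time-limit 0.5
                               #:allocation-limit 1000000))))
    (lambda (key . args)
      (cons 'error (cons key args)))))

;; Allowed: pure list, number and string operations only.
(run-untrusted "(string-append \"sum=\" (number->string (fold + 0 '(1 2 3))))")

;; Rejected: a binding outside the allow-list does not exist in the sandbox.
(run-untrusted "(open-input-file \"secret.txt\")")

;; Rejected: a runaway loop is cut off by the time limit.
(run-untrusted "(let loop () (loop))")
```

The first call returns an `ok` pair with the string; the second fails because `open-input-file` is unbound in the sandbox module, and the third is stopped by the sandbox's time limit. Because `run-untrusted` catches every key and returns a tagged pair, the caller decides how to log or report the failure instead of letting a sandboxed expression unwind the server's own control flow.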