Hi Mark,

Mark H Weaver <m...@netris.org> skribis:

> l...@gnu.org (Ludovic Courtès) writes:
>> Mark H Weaver <m...@netris.org> skribis:
>>
>>> Every once in a while someone asks about secure sandboxing with Guile,
>>> and generally the response is that it should be fairly easy, by creating
>>> a module with carefully selected bindings, but there's nothing ready
>>> "out of the box".
>>>
>>> I just realized that psyntax has a security hole that prevents secure
>>> sandboxing, and wanted to post this fact before it was forgotten.
>>
>> There are many other holes, such as the fact that ‘@@’ is compiled to
>> the ‘toplevel-ref’ instruction, which can search inside modules.
>
> '@@' can be rebound, so that its default binding is no longer available:

Right. However, code compiled outside the sandbox, with the real ‘@@’, does have that ‘toplevel-ref’ in it.

> Can you think of anything else that would need to be fixed, besides this
> problem with forgeable syntax-objects?

CPU/memory resource revocation, the ability to pass immutable references to existing objects (variables, vectors, etc.), and mediated access to OS resources such as file descriptors.

Also, a simple way to create a new module hierarchy based on an existing one is needed. The goal would be to make it easy, for instance, to invoke code within a module hierarchy that lacks (system foreign), has no POSIX procedures in (guile), and where (set! + -) would not affect the outside world.

All this is currently doable, but a high-level API to do it is lacking.

Thanks,
Ludo’.