Concerning FFI sandboxing... why not just add a -noffi option at startup time (and a similar flag to the Interpreter), then simply fail all prims which try to use FFI callouts. Then, regardless of what you are doing (loaded FFI code or not), you can't escape the sandbox.
2009/2/24 Stéphane Ducasse <[email protected]>:
>
> On Feb 24, 2009, at 9:23 PM, Michael Rueger wrote:
>
>> Schwab,Wilhelm K wrote:
>>> FFI has (it seems to me) long been viewed as an evil in the Squeak
>>> community. I have no idea whether that is justified, but I have to
>>> say that the analogous features in Dolphin have been essential.
>>
>> The motivation behind not including FFI in the "standard" image was
>> security. FFI allows you to circumvent the Squeak sandbox.
>
> by sandboxing you mean protected from squeak.
> You cannot access the file system if you do not have FFI
> Because one day we will have also to think about sandboxing pharo from
> its own downloaded code.
>
>> Which is only really interesting for Squeak applications that download
>> untrusted code from somewhere (e.g. etoys projects).
>>
>>> Unless there is a very good reason to exclude it, I would ask for FFI
>>> in 1.0. For myself, the next big hurdle is underscores, largely
>>> because so many of the external entities to which I would be mapping
>>> contain them.
>>
>> I would support that, if it wasn't for Alien, which should be replacing
>> FFI any time now :-)
>>
>> Michael
>>
>> _______________________________________________
>> Pharo-project mailing list
>> [email protected]
>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>
>

-- 
Best regards,
Igor Stasenko AKA sig.
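The -noffi idea proposed at the top of this message, as an added example that is not code from the Squeak/Pharo VM, the FFI package, or anyone on this thread: a toy primitive dispatcher in C where a startup flag makes every FFI-backed primitive fail at dispatch time. Because the gate sits in the dispatcher rather than in the plugin loader, an FFI primitive registered after startup is blocked exactly like one that was present from the beginning, which is the "loaded ffi code or not" property the proposal relies on. All names (`registerPrimitive`, `callPrimitive`, `runScenario`, the primitive names) are hypothetical.

```c
/* Added example, not Squeak/Pharo VM code: a minimal primitive table with a
 * startup -noffi gate applied on every dispatch. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { PRIM_OK = 0, PRIM_FAILED = 1 } PrimResult;
typedef PrimResult (*PrimFn)(long *acc);

typedef struct { const char *name; PrimFn fn; bool usesFFI; } PrimEntry;

#define MAX_PRIMS 16
static PrimEntry primTable[MAX_PRIMS];
static int primCount = 0;
static bool ffiDisabled = false;  /* set from -noffi at startup */

/* Ordinary primitive: pure arithmetic, no callout. */
static PrimResult primIncrement(long *acc) { *acc += 1; return PRIM_OK; }

/* Stand-in for an FFI callout primitive; a real one would call into C. */
static PrimResult primFFICallout(long *acc) { *acc = 42; return PRIM_OK; }

/* Register a primitive, as a plugin or the FFI package would on load. */
bool registerPrimitive(const char *name, PrimFn fn, bool usesFFI) {
  if (primCount >= MAX_PRIMS) return false;
  primTable[primCount++] = (PrimEntry){ name, fn, usesFFI };
  return true;
}

/* Startup flag parsing; only -noffi is recognised in this example. */
void parseStartupFlags(int argc, const char **argv) {
  ffiDisabled = false;
  for (int i = 1; i < argc; i++)
    if (strcmp(argv[i], "-noffi") == 0) ffiDisabled = true;
}

/* Dispatch by name. The gate is checked on every call, so FFI code loaded
 * after startup cannot bypass it: the primitive fails and the image sees a
 * primitive failure instead of a callout. */
PrimResult callPrimitive(const char *name, long *acc) {
  for (int i = 0; i < primCount; i++) {
    if (strcmp(primTable[i].name, name) != 0) continue;
    if (primTable[i].usesFFI && ffiDisabled) return PRIM_FAILED;
    return primTable[i].fn(acc);
  }
  return PRIM_FAILED;  /* unknown primitive */
}

/* Scenario: one plain primitive, one FFI primitive present at startup, and one
 * FFI primitive registered after startup. Returns the final accumulator, or -1
 * if an outcome contradicts the flag. With -noffi both callouts fail and the
 * result is 1; without it both succeed and the result is 42. */
long runScenario(bool noffi) {
  const char *argv[] = { "vm", noffi ? "-noffi" : "image.image" };
  primCount = 0;
  if (!registerPrimitive("increment", primIncrement, false)) return -1;
  if (!registerPrimitive("ffiCallout", primFFICallout, true)) return -1;
  parseStartupFlags(2, argv);

  long acc = 0;
  if (callPrimitive("increment", &acc) != PRIM_OK) return -1;
  PrimResult early = callPrimitive("ffiCallout", &acc);
  /* "Loaded later": FFI code registered after the flag was parsed. */
  if (!registerPrimitive("ffiLoadedLater", primFFICallout, true)) return -1;
  PrimResult late = callPrimitive("ffiLoadedLater", &acc);
  if (noffi && (early != PRIM_FAILED || late != PRIM_FAILED)) return -1;
  if (!noffi && (early != PRIM_OK || late != PRIM_OK)) return -1;
  return acc;
}

int main(void) {
  printf("without -noffi: acc = %ld\n", runScenario(false));
  printf("with    -noffi: acc = %ld\n", runScenario(true));
  return 0;
}
```

The point of the design is that the flag is consulted at the single choke point every callout must pass through, not at the moment FFI code is loaded; a real VM would additionally have to make sure no other primitive (e.g. plugin loading) offers an alternative route to native code.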
