Re: RFC: (ice-9 sandbox)

2017-04-18 Thread Andy Wingo
On Fri 31 Mar 2017 11:27, Andy Wingo writes: > Attached is a module that can evaluate an expression within a sandbox. Pushed to master. See NEWS here, where I include a couple more entries of note: * Notable changes ** New sandboxed evaluation facility Guile now has a way to exec

Re: RFC: (ice-9 sandbox)

2017-04-17 Thread Nala Ginrut
Hmm...I didn't think about this security issue. And even if we may do some verification in IR(say, CPS or lower level), it's insufficient to avoid security issue, since front-end implementation may use cross module function to mimic primitives for other languages. Now I think maybe front-end writer

Re: RFC: (ice-9 sandbox)

2017-04-17 Thread Andy Wingo
On Sat 15 Apr 2017 19:23, Nala Ginrut writes: > Could you please add #:from keyword to evil-in-sand box to indicate > the language front-end? Don't forget there's multi-lang plan. :-) In theory yes, but I don't know how to make safe sandboxes in other languages. ice-9 sandbox relies on the Sche

Re: RFC: (ice-9 sandbox)

2017-04-15 Thread Nala Ginrut
Hi Andy! It's pretty cool! Could you please add #:from keyword to evil-in-sand box to indicate the language front-end? Don't forget there's multi-lang plan. :-) Best regards. Andy Wingo wrote on Fri, 31 Mar 2017 at 17:28: > Hi, > > Attached is a module that can evaluate an expression within a sandbox. > If t

Re: RFC: (ice-9 sandbox)

2017-04-14 Thread Ludovic Courtès
Hi! Andy Wingo skribis: > On Mon 03 Apr 2017 17:35, l...@gnu.org (Ludovic Courtès) writes: > >> Riastradh’s document at >> has this: >> >> Affix asterisks to the beginning and end of a globally mutable >> variable. This allows the reader of the

Re: RFC: (ice-9 sandbox)

2017-04-14 Thread tomas
On Fri, Apr 14, 2017 at 12:52:19PM +0200, Andy Wingo wrote: [...] > Concretely for this use case, assuming that we can solve the immutable > literal problem, I propose to remove sigils entirely. Thoughts welcome > here. There's still the "cultural

Re: RFC: (ice-9 sandbox)

2017-04-14 Thread Andy Wingo
On Thu 06 Apr 2017 23:41, Freja Nordsiek writes: > On the subject of ports and i/o, I have a few ideas. R6RS i/o in the > (rnrs io ports) module generally requires the port to be explicitly > given, rather than assuming current in or out if not given (though > rnrs io simple does make those assum

Re: RFC: (ice-9 sandbox)

2017-04-14 Thread Andy Wingo
On Mon 03 Apr 2017 17:35, l...@gnu.org (Ludovic Courtès) writes: > Riastradh’s document at > has this: > > Affix asterisks to the beginning and end of a globally mutable > variable. This allows the reader of the program to recognize very > easi

Re: RFC: (ice-9 sandbox)

2017-04-06 Thread Freja Nordsiek
I took a look at the specific binding the sandbox makes available and have a few thoughts. I didn't see any problems with any of the pure bindings made available, but I am only very familiar with basic R5RS, R6RS, and R7RS bindings, not Guile extensions (yet, at least), so I can't comment on many

Re: RFC: (ice-9 sandbox)

2017-04-03 Thread Ludovic Courtès
Andy Wingo skribis: > On Fri 31 Mar 2017 23:41, l...@gnu.org (Ludovic Courtès) writes: > >> Andy Wingo skribis: >> >>> On Fri 31 Mar 2017 13:33, l...@gnu.org (Ludovic Courtès) writes: >> >> [...] >> > ;; These can only form part of a safe binding set if no mutable > ;; pair is exposed to

Re: RFC: (ice-9 sandbox)

2017-04-02 Thread Andy Wingo
On Fri 31 Mar 2017 23:41, l...@gnu.org (Ludovic Courtès) writes: > Andy Wingo skribis: > >> On Fri 31 Mar 2017 13:33, l...@gnu.org (Ludovic Courtès) writes: > > [...] > ;; These can only form part of a safe binding set if no mutable ;; pair is exposed to the sandbox. (define *mutat

Re: RFC: (ice-9 sandbox)

2017-04-01 Thread Christopher Allan Webber
Wow! With this I suppose we could implement something like http://mumble.net/~jar/pubs/secureos/secureos.html ?

Re: RFC: (ice-9 sandbox)

2017-03-31 Thread Ludovic Courtès
Andy Wingo skribis: > On Fri 31 Mar 2017 13:33, l...@gnu.org (Ludovic Courtès) writes: [...] >>> ;; These can only form part of a safe binding set if no mutable >>> ;; pair is exposed to the sandbox. >>> (define *mutating-pair-bindings* >>> '(((guile) >>> set-car! >>> set-cdr!))) >>

Re: RFC: (ice-9 sandbox)

2017-03-31 Thread Andy Wingo
On Fri 31 Mar 2017 13:33, l...@gnu.org (Ludovic Courtès) writes: > Andy Wingo skribis: > > The allocations that trigger ‘after-gc-hook’ could be caused by a > separate thread, right? That’s probably an acceptable limitation, but > one to be aware of. Ah yes, we should document this. Sadly we j

Re: RFC: (ice-9 sandbox)

2017-03-31 Thread Ludovic Courtès
Hello! Andy Wingo skribis: > Any thoughts? I would like something like this for a web service that > has to evaluate untrusted code. Would be nice! > (define (call-with-allocation-limit limit thunk limit-reached) > "Call @var{thunk}, but cancel it if @var{limit} bytes have been > allocated.

RFC: (ice-9 sandbox)

2017-03-31 Thread Andy Wingo
Hi, Attached is a module that can evaluate an expression within a sandbox. If the evaluation takes too long or allocates too much, it will be cancelled. The evaluation will take place with respect to a module with a "safe" set of imports. Those imports include most of the bindings available in a