* The sandbox now uses a new code-inspector to avoid using protected

bindings
* Added `sandbox-make-code-inspector' to control this
* Changed the function form of `sandbox-security-guard' to be a thunk,
  to make it uniform with other sandbox settings.

svn: r12831
This commit is contained in:
Eli Barzilay 2008-12-13 17:17:12 +00:00
parent 55f1df58e1
commit 46e16fc206
2 changed files with 52 additions and 17 deletions

View File

@ -21,6 +21,7 @@
sandbox-network-guard
sandbox-exit-handler
sandbox-make-inspector
sandbox-make-code-inspector
sandbox-make-logger
sandbox-memory-limit
sandbox-eval-limits
@ -144,7 +145,7 @@
(make-parameter make-default-sandbox-guard
(lambda (x)
(if (or (security-guard? x)
(and (procedure? x) (procedure-arity-includes? x 1)))
(and (procedure? x) (procedure-arity-includes? x 0)))
x
(raise-type-error
'sandbox-security-guard
@ -157,6 +158,8 @@
(define sandbox-make-inspector (make-parameter make-inspector))
(define sandbox-make-code-inspector (make-parameter make-inspector))
(define sandbox-make-logger (make-parameter current-logger))
(define (compute-permissions paths+require-perms)
@ -440,9 +443,20 @@
(lambda (x) (abort-current-continuation deftag x)))
(loop (car exprs) (cdr exprs))))))))))
;; We need a powerful enough code inspector to invoke the errortrace library
;; (indirectly through private/sandbox-coverage). But there is a small problem
;; here -- errortrace/stacktrace.ss will grab the global code inspector value
;; at the time it is invoked. So we grab it here too, and use it to wrap the
;; code that invokes errortrace. If errortrace/stacktrace.ss is changed to
;; grab the current inspector, then it would be better to avoid this here, and
;; pass `evaluate-program' the inspector that was in effect when the sandbox
;; was created.
(define orig-code-inspector (current-code-inspector))
(define (evaluate-program program limit-thunk uncovered!)
(when uncovered!
(eval `(,#'#%require scheme/private/sandbox-coverage)))
(parameterize ([current-code-inspector orig-code-inspector])
(when uncovered!
(eval `(,#'#%require scheme/private/sandbox-coverage))))
(let ([ns (syntax-case* program (module) literal-identifier=?
[(module mod . body)
(identifier? #'mod)
@ -502,6 +516,7 @@
(define-evaluator-messenger (call-in-sandbox-context thunk) 'thunk)
(define (make-evaluator* init-hook allow program-maker)
(define orig-code-inspector (current-code-inspector))
(define orig-cust (current-custodian))
(define memory-cust (make-custodian orig-cust))
(define memory-cust-box (make-custodian-box memory-cust #t))
@ -670,13 +685,21 @@
[current-command-line-arguments '#()]
;; restrict the sandbox context from this point
[current-security-guard
(let ([g (sandbox-security-guard)])
(if (security-guard? g) g (g (current-security-guard))))]
(let ([g (sandbox-security-guard)]) (if (security-guard? g) g (g)))]
[exit-handler (sandbox-exit-handler)]
[current-inspector ((sandbox-make-inspector))]
[current-logger ((sandbox-make-logger))]
;; This breaks because we need to load some libraries that are trusted
;; [current-code-inspector (make-inspector)]
[current-code-inspector (make-inspector)]
;; The code inspector serves two purposes -- making sure that only trusted
;; byte-code is loaded, and avoiding using protected moduel bindings, like
;; the foreign library's `unsafe!'. We don't need the first because we
;; control it indirectly through the security guard, so this handler makes
;; sure that byte-code is loaded using the original inspector.
[current-load/use-compiled
(let ([handler (current-load/use-compiled)])
(lambda (path modname)
(parameterize ([current-code-inspector orig-code-inspector])
(handler path modname))))]
;; Note the above definition of `current-eventspace': in MzScheme, it
;; is an unused parameter. Also note that creating an eventspace
;; starts a thread that will eventually run the callback code (which

View File

@ -415,15 +415,15 @@ actual interaction. The default is @scheme[null].}
@defparam[sandbox-security-guard guard
(or/c security-guard? (security-guard? . -> . security-guard?))]{
(or/c security-guard? (-> security-guard?))]{
A parameter that determines the initial
@scheme[(current-security-guard)] for sandboxed evaluations. It can
be either a security guard, or a function that constructs a security
guard from a given one. The default is a function that restricts the
access of the current security guard by forbidding all filesystem I/O
except for specifications in @scheme[sandbox-path-permissions], and it
uses @scheme[sandbox-network-guard] for network connections.}
be either a security guard, or a function to construct one. The
default is a function that restricts the access of the current
security guard by forbidding all filesystem I/O except for
specifications in @scheme[sandbox-path-permissions], and it uses
@scheme[sandbox-network-guard] for network connections.}
@defparam[sandbox-path-permissions perms
@ -548,14 +548,26 @@ then, assuming sufficiently small limits,
@defparam[sandbox-make-inspector make (-> inspector?)]{
A parameter that determines the procedure used to create the inspector
for sandboxed evaluation. The procedure is called when initializing an
evaluator, and the default parameter value is @scheme[make-inspector].}
for sandboxed evaluation. The procedure is called when initializing
an evaluator, and the default parameter value is
@scheme[make-inspector].}
@defparam[sandbox-make-code-inspector make (-> inspector?)]{
A parameter that determines the procedure used to create the code
inspector for sandboxed evaluation. The procedure is called when
initializing an evaluator, and the default parameter value is
@scheme[make-inspector].}
@defparam[sandbox-make-logger make (-> logger?)]{
A parameter that determines the procedure used to create the logger
for sandboxed evaluation. The procedure is called when initializing an
evaluator, and the default parameter value is @scheme[current-logger].}
for sandboxed evaluation. The procedure is called when initializing
an evaluator, and the default parameter value is
@scheme[current-logger]. This means that it is not creating a new
logger (this might change in the future).}
@; ----------------------------------------------------------------------