diff --git a/collects/scheme/sandbox.ss b/collects/scheme/sandbox.ss
index a1e2ab7191..5b2424e81f 100644
--- a/collects/scheme/sandbox.ss
+++ b/collects/scheme/sandbox.ss
@@ -25,6 +25,7 @@
 sandbox-make-logger
 sandbox-memory-limit
 sandbox-eval-limits
+call-with-trusted-sandbox-configuration
 evaluator-alive?
 kill-evaluator
 break-evaluator
@@ -63,6 +64,18 @@
 (define sandbox-propagate-breaks (make-parameter #t))
 (define sandbox-coverage-enabled (make-parameter #f))
 
+(define (call-with-trusted-sandbox-configuration thunk)
+(parameterize ([sandbox-propagate-breaks #t]
+[sandbox-override-collection-paths '()]
+[sandbox-security-guard current-security-guard]
+[sandbox-exit-handler (current-exit-handler)]
+[sandbox-make-inspector current-inspector]
+[sandbox-make-code-inspector current-code-inspector]
+[sandbox-make-logger current-logger]
+[sandbox-memory-limit #f]
+[sandbox-eval-limits #f])
+(thunk)))
+
 (define sandbox-namespace-specs
 (make-parameter `(,(mz/mr make-base-namespace make-gui-namespace)
 #| no modules here by default |#)))
diff --git a/collects/scribble/eval.ss b/collects/scribble/eval.ss
index 5c2b193c2d..bfac65d473 100644
--- a/collects/scribble/eval.ss
+++ b/collects/scribble/eval.ss
@@ -239,19 +239,16 @@
 [else stx]))
 
 (define (make-base-eval)
-(parameterize ([sandbox-security-guard (current-security-guard)]
-[sandbox-output 'string]
-[sandbox-error-output 'string]
-[sandbox-eval-limits #f]
-[sandbox-memory-limit #f]
-[sandbox-make-inspector current-inspector]
-[sandbox-make-code-inspector current-code-inspector])
-(make-evaluator '(begin (require scheme/base)))))
+(call-with-trusted-sandbox-configuration
+(lambda ()
+(parameterize ([sandbox-output 'string]
+[sandbox-error-output 'string])
+(make-evaluator '(begin (require scheme/base)))))))
 
 (define (close-eval e)
 (kill-evaluator e)
 "")
- 
+
 (define (do-plain-eval ev s catching-exns?)
 (call-with-values (lambda ()
 ((scribble-eval-handler)
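Review bot: The new `call-with-trusted-sandbox-configuration` carries no comment on what it grants: an evaluator created inside it inherits the caller's security guard, inspectors, exit handler and logger and has no memory or time limits, so it is only suitable for programs the caller already trusts. Propose a header comment above the define: `;; Configure the sandbox for *trusted* code: the caller's security guard, inspectors, exit handler and logger are reused, and memory/time limits are off.` The bindings are also asymmetric: `sandbox-exit-handler` is given the value `(current-exit-handler)` while `sandbox-security-guard` is given the parameter procedure `current-security-guard`, whereas the call sites replaced in eval.ss and testing.ss passed `(current-security-guard)`. If `sandbox-security-guard` does not accept a thunk the way the `sandbox-make-*` parameters do, the guard binding is wrong; confirm its contract or pass `(current-security-guard)` for consistency.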
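Review bot: `make-base-eval` now also takes the surrounding exit handler and logger and sets `sandbox-propagate-breaks`, none of which the replaced `parameterize` set (the new definition in sandbox.ss in this commit binds them). If the previous default `sandbox-exit-handler` was local to the evaluator, a documented example that calls `(exit)` would now terminate the Scribble build instead of just that evaluator; worth confirming this is intended, or re-binding `sandbox-exit-handler` in the inner `parameterize`. A short comment such as `;; trusted configuration: documentation examples run with the builder's privileges and without resource limits` would record why the restrictions are lifted here.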
diff --git a/collects/scribblings/reference/sandbox.scrbl b/collects/scribblings/reference/sandbox.scrbl
index ef33f7ffd4..a9ef74c6a3 100644
--- a/collects/scribblings/reference/sandbox.scrbl
+++ b/collects/scribblings/reference/sandbox.scrbl
@@ -16,12 +16,11 @@
 The @schememodname[scheme/sandbox] module provides utilities for
 creating ``sandboxed'' evaluators, which are configured in a
 particular way and can have restricted resources (memory and time),
-filesystem access, and network access. The common use case for this
-module is for a restricted sandboxed environment, so the defaults are
-set up to make it safe. For other uses you will likely need to change
-mane of these settings.
+filesystem and network access, and much. Sandboxed evaluators can be
+configured through numerous parameters --- and the defaults are set
+for the common use case where sandboxes are very limited.
 
-@defproc*[([(make-evaluator [language (or/c module-path? 
+@defproc*[([(make-evaluator [language (or/c module-path?
 (list/c 'special symbol?)
 (cons/c 'begin list?))]
 [input-program any/c] ...
@@ -260,9 +259,29 @@ either @scheme['time] or @scheme['memory].}
 
 @section{Customizing Evaluators}
 
-The evaluators that @scheme[make-evaluator] creates can be customized
-via several parameters. These parameters affect newly created
-evaluators; changing them has no effect on already-running evaluators.
+The sandboxed evaluators that @scheme[make-evaluator] creates can be
+customized via many parameters. Most of the configuration parameters
+affect newly created evaluators; changing them has no effect on
+already-running evaluators.
+
+The default configuration options are set for a very restricted
+sandboxed environment --- one that is safe to make publicly available.
+Further customizations might be needed in case more privileges are
+needed, or if you want tighter restrictions. Another useful approach
+for customizing an evaluator is to begin with a relatively
+unrestricted configuration and add the desired restrictions. This is
+possible by the @scheme[call-with-trusted-sandbox-configuration]
+function.
+
+@defproc[(call-with-trusted-sandbox-configuration [thunk (-> any)])
+any]{
+
+Invokes the @scheme[thunk] in a context where sandbox configuration
+parameters are set for minimal restrictions. More specifically, there
+are no memory or time limits, and the existing existing inspectors,
+security guard, exit handler, and logger are used. (Note that the I/O
+ports settings are not included.)}
+
 @defparam[sandbox-init-hook thunk (-> any)]{
 
diff --git a/collects/tests/mzscheme/testing.ss b/collects/tests/mzscheme/testing.ss
index 9ba18ea5c5..cb60a31e5a 100644
--- a/collects/tests/mzscheme/testing.ss
+++ b/collects/tests/mzscheme/testing.ss
@@ -78,15 +78,12 @@ transcript.
 
 (define (load-in-sandbox file)
 (define-syntax-rule (S id) (dynamic-require 'scheme/sandbox 'id))
-(let ([e (parameterize ([(S sandbox-security-guard) (current-security-guard)]
-[(S sandbox-input) current-input-port]
-[(S sandbox-output) current-output-port]
-[(S sandbox-error-output) current-error-port]
-[(S sandbox-make-inspector) current-inspector]
-[(S sandbox-make-code-inspector) current-code-inspector]
-[(S sandbox-memory-limit) 100] ; 100mb per box
-[(S sandbox-eval-limits) #f])
-((S make-evaluator) '(begin) #:requires (list 'scheme)))])
+(let ([e ((S call-with-trusted-sandbox-configuration)
+(parameterize ([(S sandbox-input) current-input-port]
+[(S sandbox-output) current-output-port]
+[(S sandbox-error-output) current-error-port]
+[(S sandbox-memory-limit) 100]) ; 100mb per box
+((S make-evaluator) '(begin) #:requires (list 'scheme))))])
 (e `(load-relative "testing.ss"))
 (e `(define real-error-port (quote ,real-error-port)))
 (e `(define Section-prefix ,Section-prefix))
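Review bot: The argument passed to `(S call-with-trusted-sandbox-configuration)` is the `parameterize` expression itself rather than a thunk, so `make-evaluator` is evaluated before the trusted configuration is installed, and the evaluator it returns is then invoked with no arguments as `(thunk)` — presumably an arity error at test start-up. Compared with the removed code, the evaluator is also created under the default `sandbox-security-guard`, inspectors and `sandbox-eval-limits` rather than the caller's, which is the opposite of what the change intends. Wrap the body: `(let ([e ((S call-with-trusted-sandbox-configuration) (lambda () (parameterize (...) ((S make-evaluator) '(begin) #:requires (list 'scheme)))))])`, i.e. insert `(lambda ()` before `parameterize` and add one closing paren after the `make-evaluator` call.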