Added `call-with-trusted-sandbox-configuration', and used in scribble

and in tests.

svn: r12871

collects/scheme/sandbox.ss

@@ -25,6 +25,7 @@
          sandbox-make-logger
          sandbox-memory-limit
          sandbox-eval-limits
+         call-with-trusted-sandbox-configuration
          evaluator-alive?
          kill-evaluator
          break-evaluator
@@ -63,6 +64,18 @@
 (define sandbox-propagate-breaks (make-parameter #t))
 (define sandbox-coverage-enabled (make-parameter #f))
 
+(define (call-with-trusted-sandbox-configuration thunk)
+  (parameterize ([sandbox-propagate-breaks    #t]
+                 [sandbox-override-collection-paths '()]
+                 [sandbox-security-guard      current-security-guard]
+                 [sandbox-exit-handler        (current-exit-handler)]
+                 [sandbox-make-inspector      current-inspector]
+                 [sandbox-make-code-inspector current-code-inspector]
+                 [sandbox-make-logger         current-logger]
+                 [sandbox-memory-limit        #f]
+                 [sandbox-eval-limits         #f])
+    (thunk)))
+
 (define sandbox-namespace-specs
   (make-parameter `(,(mz/mr make-base-namespace make-gui-namespace)
                     #| no modules here by default |#)))

collects/scribble/eval.ss

@@ -239,14 +239,11 @@
       [else stx]))
 
   (define (make-base-eval)
-    (parameterize ([sandbox-security-guard (current-security-guard)]
+    (call-with-trusted-sandbox-configuration
-                   [sandbox-output 'string]
+     (lambda ()
-                   [sandbox-error-output 'string]
+       (parameterize ([sandbox-output 'string]
-                   [sandbox-eval-limits #f]
+                      [sandbox-error-output 'string])
-                   [sandbox-memory-limit #f]
+         (make-evaluator '(begin (require scheme/base)))))))
-                   [sandbox-make-inspector current-inspector]
-                   [sandbox-make-code-inspector current-code-inspector])
-      (make-evaluator '(begin (require scheme/base)))))
 
   (define (close-eval e)
     (kill-evaluator e)

collects/scribblings/reference/sandbox.scrbl

@@ -16,10 +16,9 @@
 The @schememodname[scheme/sandbox] module provides utilities for
 creating ``sandboxed'' evaluators, which are configured in a
 particular way and can have restricted resources (memory and time),
-filesystem access, and network access.  The common use case for this
+filesystem and network access, and much.  Sandboxed evaluators can be
-module is for a restricted sandboxed environment, so the defaults are
+configured through numerous parameters --- and the defaults are set
-set up to make it safe.  For other uses you will likely need to change
+for the common use case where sandboxes are very limited.
-mane of these settings.
 
 @defproc*[([(make-evaluator [language (or/c module-path?
                                             (list/c 'special symbol?)
@@ -260,9 +259,29 @@ either @scheme['time] or @scheme['memory].}
 
 @section{Customizing Evaluators}
 
-The evaluators that @scheme[make-evaluator] creates can be customized
+The sandboxed evaluators that @scheme[make-evaluator] creates can be
-via several parameters.  These parameters affect newly created
+customized via many parameters.  Most of the configuration parameters
-evaluators; changing them has no effect on already-running evaluators.
+affect newly created evaluators; changing them has no effect on
+already-running evaluators.
+
+The default configuration options are set for a very restricted
+sandboxed environment --- one that is safe to make publicly available.
+Further customizations might be needed in case more privileges are
+needed, or if you want tighter restrictions.  Another useful approach
+for customizing an evaluator is to begin with a relatively
+unrestricted configuration and add the desired restrictions.  This is
+possible by the @scheme[call-with-trusted-sandbox-configuration]
+function.
+
+@defproc[(call-with-trusted-sandbox-configuration [thunk (-> any)])
+         any]{
+
+Invokes the @scheme[thunk] in a context where sandbox configuration
+parameters are set for minimal restrictions.  More specifically, there
+are no memory or time limits, and the existing existing inspectors,
+security guard, exit handler, and logger are used.  (Note that the I/O
+ports settings are not included.)}
+
 
 @defparam[sandbox-init-hook thunk (-> any)]{
 

collects/tests/mzscheme/testing.ss

@@ -78,15 +78,12 @@ transcript.
 
 (define (load-in-sandbox file)
   (define-syntax-rule (S id) (dynamic-require 'scheme/sandbox 'id))
-  (let ([e (parameterize ([(S sandbox-security-guard) (current-security-guard)]
+  (let ([e ((S call-with-trusted-sandbox-configuration)
-                          [(S sandbox-input) current-input-port]
+            (parameterize ([(S sandbox-input) current-input-port]
-                          [(S sandbox-output) current-output-port]
+                           [(S sandbox-output) current-output-port]
-                          [(S sandbox-error-output) current-error-port]
+                           [(S sandbox-error-output) current-error-port]
-                          [(S sandbox-make-inspector) current-inspector]
+                           [(S sandbox-memory-limit) 100]) ; 100mb per box
-                          [(S sandbox-make-code-inspector) current-code-inspector]
+              ((S make-evaluator) '(begin) #:requires (list 'scheme))))])
-                          [(S sandbox-memory-limit) 100] ; 100mb per box
-                          [(S sandbox-eval-limits) #f])
-             ((S make-evaluator) '(begin) #:requires (list 'scheme)))])
     (e `(load-relative "testing.ss"))
     (e `(define real-error-port (quote ,real-error-port)))
     (e `(define Section-prefix ,Section-prefix))