elisp-sandbox
evaling
The point of this is to allow evaling lisp safely.
We currently do not have an eval. Erbot's is just:
(defun fsi-eval (expr)
  (eval (erblisp-sandbox expr)))
which makes total sense. We should be able to do the same. However, erbot has a whole bunch of predefined macros and functions that implement the rest of the jail. Most of the things you raised concerns about on the README could be handled here. For example, here's the while:
;; `incf' comes from cl; `erbn-while-max' is the iteration cap, defined elsewhere in erbot.
(require 'cl)

(defmacro fs-while (cond &rest body)
  `(let ((erbn-while-ctr 0))
     (while ,cond
       ;; this should enable the with-timeout checks..
       (sleep-for 0.01)
       (if (> erbn-while-ctr erbn-while-max)
           (error "Max while iterations exceeded: %S"
                  erbn-while-ctr))
       (incf erbn-while-ctr)
       nil
       ,@body)))
Note how it adds the sleep-for?
Now personally, what I'd like to do is ensure that file and network stuff is handled but run the actual lisp in a child emacs with a timeout, so we don't have to worry about this stuff (whether a while loop is malicious or impractical).
The other thing I'd like is for this stuff to be per-jail. So I should be able to create one jail with one set of bindings and another jail with another. That could just be flets, I suppose.
But anyway, we somehow need to make a start on this. My actor system is coming along so that would be the way to jail the process... but jailing the lisp needs all those functions from erbot that deal with implementing the lisp jail pulled in to your sandbox code.
I'll try and send you patches but if you're going to work on it too that would be exciting!
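The following is an added, self-contained sketch of the approach described above (rewrite the expression before `eval` so only jailed functions are reachable, cap `while` iterations with a `sleep-for` so `with-timeout` can fire, and keep the bindings per jail). It is example code written for this page, not code from elisp-sandbox or erbot. Everything prefixed `my-jail-` is an assumed name, the jail format (an alist from user-visible symbol to implementation symbol) and the cap value are assumptions, and the child-emacs idea from the post is not covered.

```elisp
;;; Added example: a minimal per-jail eval.  Not elisp-sandbox or erbot code.
(require 'cl-lib)

(defvar my-jail-while-max 1000
  "Iteration cap for `my-jail-while' (assumed value).")

(defmacro my-jail-while (test &rest body)
  "Like `while', but signal an error after `my-jail-while-max' iterations.
The `sleep-for' lets Emacs run timers, so a `with-timeout' around the
evaluation can actually interrupt a long loop (same trick as erbot's fs-while)."
  (let ((ctr (make-symbol "ctr")))
    `(let ((,ctr 0))
       (while ,test
         (sleep-for 0.001)
         (when (> ,ctr my-jail-while-max)
           (error "Max while iterations exceeded: %S" ,ctr))
         (cl-incf ,ctr)
         ,@body))))

(defun my-jail-rewrite (expr jail)
  "Return EXPR with every call head mapped through JAIL.
JAIL is an alist (USER-SYMBOL . IMPL-SYMBOL).  A call whose head is not in
JAIL signals an error, so it is rejected before anything is evaluated."
  (cond
   ((atom expr) expr)                     ; numbers, strings, variable refs
   ((eq (car expr) 'quote) expr)          ; quoted data is never evaluated
   ((eq (car expr) 'let)                  ; keep names, rewrite values and body
    `(let ,(mapcar (lambda (b)
                     (if (consp b)
                         (list (car b) (my-jail-rewrite (cadr b) jail))
                       b))
                   (cadr expr))
       ,@(mapcar (lambda (e) (my-jail-rewrite e jail)) (cddr expr))))
   (t
    (let ((impl (cdr (assq (car expr) jail))))
      (unless impl
        (error "Not allowed in this jail: %S" (car expr)))
      (cons impl (mapcar (lambda (e) (my-jail-rewrite e jail)) (cdr expr)))))))

(defun my-jail-eval (expr jail &optional seconds)
  "Rewrite EXPR through JAIL, then `eval' it under a wall-clock timeout."
  (with-timeout ((or seconds 2) (error "Evaluation timed out"))
    (let ((max-lisp-eval-depth 200))      ; also bound recursion depth
      (eval (my-jail-rewrite expr jail) t))))

;; Two jails with different bindings: the per-jail idea from the post.
(defconst my-jail-pure
  '((+ . +) (- . -) (* . *) (< . <) (> . >) (if . if) (progn . progn)
    (setq . setq) (while . my-jail-while))
  "Arithmetic-only jail: no I/O reachable at all.")

(defconst my-jail-strings
  (append my-jail-pure
          '((concat . concat) (upcase . upcase) (format . format)))
  "A second jail that additionally exposes a few string functions.")

;; Accepted: a bounded loop, evaluates to 5050.
(my-jail-eval '(let ((i 0) (sum 0))
                 (while (< i 101)
                   (setq sum (+ sum i))
                   (setq i (+ i 1)))
                 sum)
              my-jail-pure)

;; Rejected before eval: `delete-file' is in neither jail.
(condition-case err
    (my-jail-eval '(delete-file "/tmp/x") my-jail-pure)
  (error (message "%s" (error-message-string err))))

;; `concat' works in the string jail but is rejected in the pure one.
(my-jail-eval '(upcase (concat "a" "b")) my-jail-strings)
(condition-case err
    (my-jail-eval '(concat "a" "b") my-jail-pure)
  (error (message "%s" (error-message-string err))))

;; An endless loop is cut off by the iteration cap or the timeout, whichever fires first.
(condition-case err
    (my-jail-eval '(while t nil) my-jail-pure)
  (error (message "%s" (error-message-string err))))
```

Variable references are passed through untouched here, so a real jail would still need to decide which free variables may be read; the point of the sketch is only that the function allowlist lives in the jail alist, so two jails differ by nothing more than the alist they are given.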
Sounds good. This, too, is how I figured this would be handled.
Ideally, I would like for there to be separate components that can be mixed into each sandbox. I'm sure there are users who would want to customize individual components, such as sandbox inclusion/exclusion of network functionality, any disk access, etc.
I have personally been on a bit of yak-shaving trip recently. When I'm done with that, I'd love to spend some time working on these. Sandboxed evaluation is a really fun topic to hack on =)
"The other thing I'd like is for this stuff to be per-jail. So I should be able to create one jail with one set of bindings and another jail with another. That could just be flets, I suppose."
I think this part would need to happen far in the future.