[plt-scheme] Sandboxing and modules

From: Markku Rontu (mrontu at cc.hut.fi)
Date: Sat Feb 7 05:24:46 EST 2004


I'm trying to make a sandbox for running some untrusted user code. I
tried by declaring a module that provides a subset of the mzscheme module,
then namespace-requiring it. This worked fine. Like this:


(module safe-scheme mzscheme
	(provide do if #%app ...) ; a long list

(let ((ns (make-namespace 'empty))
      (ins (current-namespace)))
   (parameterize ((current-namespace ns))
     (namespace-attach-module ins 'mzscheme)
     (namespace-require 'safe-scheme)
     ; eval something safely


But then I wanted to also define a bit more relaxed sandbox. I didn't want to
have another long list of provides so I tried to extend the safe-scheme
module. What I tried was this:


(module less-safe-scheme mzscheme
	; provide all in safe-scheme
	(require safe-scheme)
	(provide (all-from safe-scheme))
	; provide some more
	(provide read-eval-print-loop ...)


The problem is, that does not compute. I cannot (require safe-scheme) because
of duplicate names between it and mzscheme. I cannot use safe-scheme as the
initial required module as it does not include provide, #%module-begin et al.
I cannot use (require (prefix safe: safe-scheme)) because (provide (all-from
safe-scheme)) then uses the local prefixed name, which is not what I want.

Is this a good way of sandboxing in PLT-Scheme? Any ideas how to solve this

--- Markku Rontu --------------------------------- 12:21. Sat Feb  7, 2004 ---
   E-mail markku.rontu at hut.fi - WWW www.hut.fi/~mrontu/ - GSM +358503822310
                            "Anger is a blue sea."
-------------------- Ambassador Kosh of the Vorlon Empire --------------------

Posted on the users mailing list.