[racket] Handin Server + PLAI problem

From: Robby Findler (robby at eecs.northwestern.edu)
Date: Thu Jan 19 14:56:34 EST 2012

After going back and remembering the context, this seems like just the
right thing to me.

Robby

On Sun, Jan 15, 2012 at 8:46 PM, Matthew Flatt <mflatt at cs.utah.edu> wrote:
> How about adding `racket/sandbox/keys':
>
>  #lang racket/base
>
>  (provide (protect-out suspend-file-security-key))
>
>  (define suspend-file-security-key (gensym))
>
>  ;; maybe more keys for other sandbox controls
>
> and then have "main-collects.rkt" wrap its use of
> `find-executable-path' to install a mark with this key, which the
> sandbox security guard will recognize as permission to inspect files.
>
> Since the key is protected, it will be inaccessible to untrusted code
> in the same way as unsafe operations.
>
>
> At Sun, 15 Jan 2012 20:05:31 -0500, Eli Barzilay wrote:
>> Yesterday, Robby Findler wrote:
>> > Perhaps the right thing is to have the setup code export a small
>> > library that contains a "is my mark bound in the context" function
>> > and then the sandbox can call that function when deciding whether or
>> > not to grant permission.
>> >
>> > (That has the dependencies going the right way, right?)
>>
>> Yes.  But I'd like to hear Matthew's opinion before hacking something
>> like that in.
>>
>> The thing that bothers me about this solution is that there might be some
>> other code that needs to be treated as privileged too, and in that
>> case the sandbox will need to invoke each file's predicate (they won't
>> be able to share this functionality since the actual values must be
>> hidden).  For this reason, and assuming that this is a proper
>> solution, the parameter is better put at the "highest" entry point to
>> the privileged code.  I suspect that this means that it should be part
>> of the resolver, but only in the built-in unconfigurable core
>> (otherwise you can circumvent protection by a configured malicious
>> resolver), so perhaps this has to be done in the C core.
>>
>> It's also not clear to me if a whole parameter is needed, or just a
>> continuation mark.
>>
>> --
>>           ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
>>                     http://barzilay.org/                   Maze is Life!
>> ____________________
>>   Racket Users list:
>>   http://lists.racket-lang.org/users


Posted on the users mailing list.
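The following is an added example that sketches the mechanism Matthew proposes above; it is not code from the thread or from the Racket distribution. Three submodules in one file stand in for the pieces named in the discussion: `keys` plays the role of `racket/sandbox/keys` (a `protect-out` key made with `gensym`), `trusted` plays the role of "main-collects.rkt" wrapping `find-executable-path` in a continuation mark, and `guard` plays the role of the sandbox security guard that only permits a file operation when that mark is present. The names `privileged-find-executable`, `make-mark-aware-guard` and `run-under-guard` are assumptions of this example.

```racket
#lang racket/base
;; Added example, not code from the thread. Sketch of a protected
;; continuation-mark key that lets trusted code temporarily suspend the
;; sandbox's file guard.

(module keys racket/base
  ;; Stand-in for `racket/sandbox/keys'. `protect-out' means the key can only
  ;; be imported by code whose code inspector is at least as powerful as this
  ;; module's, so sandboxed (untrusted) code cannot obtain it, just as it
  ;; cannot obtain unsafe operations.
  (provide (protect-out suspend-file-security-key))
  (define suspend-file-security-key (gensym 'suspend-file-security)))

(module trusted racket/base
  ;; Stand-in for "main-collects.rkt": the privileged entry point installs a
  ;; continuation mark keyed by the protected key around the file inspection.
  (require (submod ".." keys))
  (provide privileged-find-executable)
  (define (privileged-find-executable name)
    (with-continuation-mark suspend-file-security-key #t
      (find-executable-path name))))

(module guard racket/base
  ;; Stand-in for the sandbox security guard: a file operation is allowed only
  ;; when the protected mark is visible in the continuation that performs it.
  ;; The guard procedure runs in the context of the primitive call, so the
  ;; mark installed by `privileged-find-executable' is found here.
  (require (submod ".." keys))
  (provide make-mark-aware-guard)
  (define (make-mark-aware-guard)
    (make-security-guard
     (current-security-guard)
     (lambda (who path modes)
       (unless (continuation-mark-set-first #f suspend-file-security-key)
         (error who "file access denied by sandbox guard: ~e" path)))
     (lambda (who host port client/server)
       (error who "network access denied by sandbox guard")))))

(require (submod "." trusted) (submod "." guard))

;; Run a thunk with the mark-aware guard installed as the current guard.
(define (run-under-guard thunk)
  (parameterize ([current-security-guard (make-mark-aware-guard)])
    (thunk)))

;; Privileged path: the mark is installed, so the guard permits the lookup
;; (the result is a path, or #f if no such executable is on PATH).
(run-under-guard (lambda () (privileged-find-executable "racket")))

;; Unprivileged path: the same primitive without the mark is refused.
(with-handlers ([exn:fail? (lambda (e) (displayln (exn-message e)))])
  (run-under-guard (lambda () (find-executable-path "racket"))))
```

In a single file all three submodules share one code inspector, so `protect-out` is not actually exercised here; in the real arrangement the sandbox evaluates untrusted code under a weaker inspector, which is what makes the key unreachable from that code. The design point from the thread is that the guard never needs to know about each privileged file individually: it checks for one mark, and only code that can import the protected key can set it.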