Subject: Re: Sandboxing Kawa
To: Mark Raynsford, kawa@sourceware.org
From: Per Bothner
Date: Wed, 22 Nov 2017 19:58:00 -0000
In-Reply-To: <20171122111055.21383f32@copperhead.int.arc7.info>

On 11/22/2017 12:10 PM, Mark Raynsford wrote:
> I have the following questions after playing with the Kawa API a bit:
>
> 1. Is it possible to restrict the initially available symbols in a
> kawa.standard.Scheme instance to a tiny core subset (such as lambda,
> if, define, begin, etc)? A default Scheme instance in Kawa has 807
> symbols in the environment.

The default Kawa environment is defined by the (two) calls to
loadClass("kawa.lib.kawa.base", xxx) in kawa/standard/Scheme.java.
So all of the initially visible names are defined by kawa.lib.kawa.base
(defined in kawa/lib/kawa/base.scm). So you can replace kawa.lib.kawa.base
with a "smaller" initial library.

I suggested creating sub-classes of kawa.standard.Scheme and
kawa.standard.SchemeCompilation. In addition you need to override
checkDefaultBinding from SchemeCompilation. The easiest and most
reliable is just to have it return null.

> 2. Is it possible to restrict the interpreter to only working with a
> single java.nio.file.FileSystem? I'd like it if any attempt to do I/O
> went through a given filesystem instance. I don't mind if I have to
> implement my own I/O library to do this.
>
> 3. Is it possible to restrict the classes that the interpreter is
> allowed to access or import? For example, right now nothing stops
> someone from writing (java.lang.System:exit 0).

Both of these require disabling "backdoors" to Java classes, methods,
fields. Overriding checkDefaultBinding and maybe the colon operator
should do that.

-- 
--Per Bothner
per@bothner.com
http://per.bothner.com/
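An added sketch of the subclassing approach Per describes (this is not code from the message or from the Kawa project). It subclasses kawa.standard.Scheme and kawa.standard.SchemeCompilation, has checkDefaultBinding return null so that no unbound name silently resolves to a Java class, starts from an empty Environment instead of the default base library, and then probes the result. The class names and method signatures (the SchemeCompilation constructor, checkDefaultBinding(Symbol, Translator), Scheme.getCompilation, Environment.make, Language.eval) are assumptions taken from memory of the Kawa source of that era and must be checked against the Kawa version you build against; the probe strings are constructed for this example.

```java
// Added example, not part of the original message or of Kawa itself.
// All Kawa signatures used here are ASSUMED; verify them against your Kawa tree.
package sandbox;

import gnu.expr.Compilation;
import gnu.expr.Expression;
import gnu.expr.Language;
import gnu.expr.NameLookup;
import gnu.mapping.Environment;
import gnu.mapping.Symbol;
import gnu.text.Lexer;
import gnu.text.SourceMessages;
import kawa.lang.Translator;
import kawa.standard.Scheme;
import kawa.standard.SchemeCompilation;

/** Compilation that never falls back to implicit bindings (e.g. Java class names). */
class SandboxCompilation extends SchemeCompilation {
    SandboxCompilation(Language language, SourceMessages messages, NameLookup lexical) {
        super(language, messages, lexical); // assumed constructor shape
    }

    /** "Easiest and most reliable": an unbound name stays unbound. */
    @Override
    public Expression checkDefaultBinding(Symbol name, Translator tr) {
        return null;
    }
}

/** Scheme whose initial environment is empty and which compiles with SandboxCompilation. */
public class SandboxScheme extends Scheme {
    public SandboxScheme() {
        // Empty environment instead of kawa.lib.kawa.base; a real deployment would
        // load its own "smaller" core library (lambda, if, define, begin, ...) here.
        super(Environment.make("sandbox")); // assumed protected constructor
    }

    @Override
    public Compilation getCompilation(Lexer lexer, SourceMessages messages, NameLookup lexical) {
        return new SandboxCompilation(this, messages, lexical);
    }

    /** Returns true when the expression is rejected (any Throwable) rather than evaluated. */
    public boolean isRejected(String expr) {
        try {
            eval(expr); // assumed Language.eval(String)
            return false;
        } catch (Throwable t) {
            return true;
        }
    }

    public static void main(String[] args) {
        SandboxScheme sandbox = new SandboxScheme();
        // Constructed probes. The colon form is the one the thread is about; the
        // property read is a harmless stand-in for the (java.lang.System:exit 0) case.
        String[] mustBeRejected = {
            "java.lang.System",
            "(java.lang.System:getProperty \"java.version\")",
        };
        for (String probe : mustBeRejected) {
            System.out.println((sandbox.isRejected(probe) ? "rejected: " : "LEAKED:   ") + probe);
        }
        // Sanity check that the sandbox still evaluates a literal.
        System.out.println("literal ok: " + !sandbox.isRejected("42"));
    }
}
```

Run the main after building against your Kawa jar; every probe printed as LEAKED is a path the message warns about (checkDefaultBinding or the colon operator) that is still open in that Kawa version, which is the check worth automating before exposing such an interpreter to untrusted input.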