Re: [Texmacs-dev] Safe modules for TeXmacs

[Giovanni Piredda]

Since I emailed about the problem, let me email about the solution too.

The creation of safe modules through the (make-module) function works 
well in Guile 1.8 as far as I have been able to see - I have been able 
to run a Scheme script for TeXmacs where a part of it depends on that 
function and the (eval expression module) function for "safe execution"; 
I did not need to put either define or set! in the list of the allowed 
symbols. Of course I am not able to evaluate how safe the "safe modules" 
are :-)

For Guile 2 (I tried with 2.2.3) there are other functions 
(make-sandbox-module and eval-in-sandbox). I tried them with the 
"TeXmacs for Guile 3.0" that Max posted in March and I got stuck (from 
the error messages I gathered that Guile needs as an allowed symbol the 
name of the main function TeXmacs is calling); at any rate any 
investigation of this is probably best postponed to when TeXmacs 2.2 
(with Guile 2/3) will be there.

I do not have a clear picture of how these things work but it may be 
that the infrastructure for safe execution in Guile 2 is "safer" 
(between quotes: again, I do not know what safer means in this context 
;-) ) than in Guile 1.8.

Ciao,

Giovanni


On 09.05.20 20:55, Giovanni Piredda wrote:
> This is a bit long, please be patient :-), I hope it is useful.
>
> A few weeks ago Massimiliano suggested me to look into how to limit 
> which commands can be executed in a piece of otherwise arbitrary Guile 
> code 
> (http://lists.texmacs.org/wws/arc/texmacs-users/2020-03/msg00146.html 
> and following). This would help make safer some Scheme programs for 
> TeXmacs.
>
> In that discussion we were referring to a code which serves to send to 
> TeXmacs a graphics expression. Since I want that the graphics 
> expression be arbitrary, then the code calls "load" onto a 
> user-specified file which "should" contain graphics commands.
>
> I have looked into the filtering of commands and found a way to do it, 
> starting from 
> https://www.mail-archive.com/address@hidden/msg00963.html (found 
> with a Google search). I write here about it to get if possible some 
> suggestions; not everything works and I have to think about it quite a 
> while longer to make something sensible. The questions are after the 
> description.
>
> There is another way based on (make-root-module) (I found the code for 
> it in a past version of Guile) but one thing at a time. I am using 
> Guile 2.2.3.
>
>
> --- Description
>
> make-module defines a module without bindings, one has to add them.
>
> I tested:
>
> (define (make-pure-math-module)
>                (let ((m (make-module)))
>              (begin
>                (module-define! m '* *)
>                (module-define! m 'load load)
>                m)))
>
> following up with a call
>
> (eval '(load "testEvalLoad.scm") (make-pure-math-module))
>
> where testEvalLoad.scm contains
>
> (* 2 2)
>
> or it contains
>
> (+ 2 2)
>
> The loading of the file with the first command succeeds, with the 
> second fails: so far, so good.
>
> Now the
>
> --- Questions:
>
> 1)
>
> I cannot add either define or set! to the bindings:
>
> (define (make-pure-math-module)
>                (let ((m (make-module)))
>              (begin
>                (module-define! m '* *)
>                (module-define! m 'load load)
>            (module-define! m 'define define)
>                m)))
>
> fails with
>
> Syntax error:
> unknown location: unexpected syntax in form define
>
> How to circumvent this? Having define available would help.
>
> 2)
>
> Maybe incompatible with 1)
>
> The language that comes out of the filtering should not be too 
> "strong": I do not want that it is able to redefine "forbidden" 
> functions using "allowed" ones. Any ideas? Perhaps I should keep 
> "define" out of it?
>
>
>
>
>
>
>
>
> _______________________________________________
> Texmacs-dev mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/texmacs-dev