lua-users home
lua-l archive

Sandbox implementation, attempt #2



On 18/03/17 10:47 PM, Soni L. wrote:
> You don't need to worry about 2 and 3 if you disable the "os" lib.
os is disabled except clock, difftime and time.
> Wrapping "io" lib is painful but possible.
> Remember to also remove "require", "loadfile", "dofile", etc, then 
> reimplement them using wrapped "io". Use a wrapped "load"/"loadstring" 
> and implement signed bytecode loading so you don't load untrusted 
> bytecode. (With the caveat that a user could manually retrieve the key 
> and manually load untrusted bytecode, but the key isn't portable anyway 
> so it's a non-issue. Just use a secure CSPRNG when the user runs the 
> game for the first time.)
Did exactly that.
	-- Fragment of the sandbox's environment table: the "io" library is
	-- replaced by this wrapper. Functions that only touch already-open
	-- handles or the default streams are passed through unchanged; every
	-- entry point that takes a file *name* routes it through
	-- sandbox.makeSafePath (defined elsewhere in the sandbox, not shown).
	safeIO =
	{
		close = _G.io.close,
		flush = _G.io.flush,
		type = _G.io.type,
		tmpfile = _G.io.tmpfile,
		read = _G.io.read,
		write = _G.io.write,
		-- io.input/io.output accept either a name or an open handle;
		-- only names need sanitising (io.type returns nil for non-handles).
		input = function(file)
			if file and not _G.io.type(file) then
				file = sandbox.makeSafePath(file)
			end
			return _G.io.input(file)
		end,

		output = function(file)
			if file and not _G.io.type(file) then
				file = sandbox.makeSafePath(file)
			end
			return _G.io.output(file)
		end,
		-- io.lines(nil) iterates the default input, so nil is left alone;
		-- any extra arguments are read formats (Lua 5.2+) and pass through.
		lines = function(fileName, ...)
			if fileName then
				fileName = sandbox.makeSafePath(fileName)
			end
			return _G.io.lines(fileName, ...)
		end,
		-- io.open always takes a name, so it is always sanitised.
		open = function(fileName, mode)
			fileName = sandbox.makeSafePath(fileName)
			return _G.io.open(fileName, mode)
		end
	},
Bytecode is disabled entirely since there seem to be exploits.
--David
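One way to write the path-confinement helper that the wrapper above calls, as an added example (not the sandbox code from this thread; the name sandbox.makeSafePath comes from the post above, while the root directory and the rejection rules are assumptions):

```lua
-- Added example: a path-confinement helper in the shape of the
-- sandbox.makeSafePath used by the io wrapper above. The root directory
-- and the rejection policy are assumptions, not the thread author's code.
local sandbox = {}
sandbox.root = "sandbox_data"   -- assumed: all script-visible files live here

-- Split on both separators so "a\..\b" is treated the same as "a/../b".
local function split(path)
	local parts = {}
	for part in path:gmatch("[^/\\]+") do
		parts[#parts + 1] = part
	end
	return parts
end

-- Returns the confined path or raises an error the script can catch with
-- pcall. Absolute paths, drive letters, ".." components and NUL bytes are
-- rejected; what remains is re-joined under the root. Symlinks inside the
-- root are not resolved here, so the root itself should not contain any.
function sandbox.makeSafePath(path)
	if type(path) ~= "string" then
		error("sandbox: path must be a string", 2)
	end
	if path:find("\0", 1, true) then
		error("sandbox: NUL byte in path", 2)
	end
	if path:match("^[/\\]") or path:match("^%a:") then
		error("sandbox: absolute paths are not allowed: " .. path, 2)
	end
	local kept = {}
	for _, part in ipairs(split(path)) do
		if part == ".." then
			error("sandbox: parent-directory traversal is not allowed: " .. path, 2)
		elseif part ~= "." then
			kept[#kept + 1] = part
		end
	end
	if #kept == 0 then
		error("sandbox: empty path", 2)
	end
	return sandbox.root .. "/" .. table.concat(kept, "/")
end

-- Constructed inputs showing the policy (accepted ones land under the root):
assert(sandbox.makeSafePath("saves/slot1.txt") == "sandbox_data/saves/slot1.txt")
assert(sandbox.makeSafePath("./saves//slot1.txt") == "sandbox_data/saves/slot1.txt")
assert(not pcall(sandbox.makeSafePath, "../../outside.txt"))
assert(not pcall(sandbox.makeSafePath, "/tmp/outside.txt"))
assert(not pcall(sandbox.makeSafePath, "C:\\outside.txt"))
```

Because every error is raised with level 2, a sandboxed script that wraps its io calls in pcall sees the rejection as an ordinary error rather than a crash of the host.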
