From: Ehsanul Hoque on 23 Jul 2010 05:07

I'd like a sandbox that simply disallows system calls, like creating files etc, so that anybody can supply some code that can be eval-ed within the sandbox, with no known potential for harm.

I know about safe levels, but I googled it and there was some discussion about how there were ways to thwart that. I also found this, which seems quite nice: http://github.com/tario/shikashi

But I have yet to get that working. Are there any other ways to go about this? Perhaps there are other ways in JRuby? I'd just like to allow the sort of operations you'd need for most algorithms, so all the usual methods of arrays, numbers, hashes and strings basically, and perhaps some selected custom classes. It would also probably be nice if you could somehow limit the memory/cpu taken up by the code in the sandbox, if that's at all possible.

From: Ehsanul Hoque on 23 Jul 2010 22:15

> I'd like a sandbox that simply disallows system calls, like creating files etc, so that anybody can supply some code that can be eval-ed within the sandbox, with no known potential for harm.
> I know about safe levels, but I googled it and there was some discussion about how there were ways to thwart that. I also found this, which seems quite nice: http://github.com/tario/shikashi
> But I have yet to get that working. Are there any other ways to go about this? Perhaps there are other ways in JRuby? I'd just like to allow the sort of operations you'd need for most algorithms, so all the usual methods of arrays, numbers, hashes and strings basically, and perhaps some selected custom classes. It would also probably be nice if you could somehow limit the memory/cpu taken up by the code in the sandbox, if that's at all possible.

Update: I found a replacement for why's old freaky sandbox that works with jruby: http://flouri.sh/2009/4/4/how-to-set-up-the-jruby-sandbox

Still not sure how to account for memory consumption/cpu, but I'm guessing there may be some JVM configuration setting that can do something about that. And a simple timeout for infinite or lengthy loops is good enough for my case.

From: Charles Oliver Nutter on 24 Jul 2010 04:40

It would be pretty simple to assemble a JVM security policy file and apply it to a JRuby run. You can disallow all filesystem access or access to specific locations, and a lot more. I've thought about trying to explicitly define some policies for the same things Ruby safe levels give you, but in general it's not that hard to put together a sandboxed JVM running JRuby.

On Fri, Jul 23, 2010 at 2:07 AM, Ehsanul Hoque <ehsanul_g3(a)hotmail.com> wrote:
> > I'd like a sandbox that simply disallows system calls, like creating files etc, so that anybody can supply some code that can be eval-ed within the sandbox, with no known potential for harm.
> I know about safe levels, but I googled it and there was some discussion about how there were ways to thwart that. I also found this, which seems quite nice: http://github.com/tario/shikashi
> But I have yet to get that working. Are there any other ways to go about this? Perhaps there are other ways in JRuby? I'd just like to allow the sort of operations you'd need for most algorithms, so all the usual methods of arrays, numbers, hashes and strings basically, and perhaps some selected custom classes. It would also probably be nice if you could somehow limit the memory/cpu taken up by the code in the sandbox, if that's at all possible
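
The memory/CPU limit and loop timeout asked about in this thread, as an added example that is not part of any post above: it evaluates code in a forked child under `Process.setrlimit` caps while the parent enforces a wall-clock deadline. It assumes MRI on a POSIX system (JRuby has no `fork`); `run_limited` and `MAX_OUTPUT` are hypothetical names, and it bounds resources only, it does not restrict which methods the code may call.

```ruby
require "timeout"

MAX_OUTPUT = 64 * 1024 # cap on bytes the parent accepts from the child

# Hypothetical helper, not from the thread. Evaluates `code` in a forked child
# with CPU-time and address-space caps; the parent enforces a wall-clock deadline.
def run_limited(code, cpu_seconds: 1, mem_bytes: 1 << 30, wall_seconds: 5)
  reader, writer = IO.pipe
  pid = fork do
    begin
      reader.close
      # Soft limit delivers SIGXCPU; the hard limit one second later delivers SIGKILL.
      Process.setrlimit(Process::RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)
      # Allocations that would push the address space past the cap fail.
      Process.setrlimit(Process::RLIMIT_AS, mem_bytes) if mem_bytes
      reply = begin
        "ok\n#{eval(code, TOPLEVEL_BINDING).inspect}"
      rescue Exception => e # also catches SyntaxError and NoMemoryError
        "error\n#{e.class}"
      end
      writer.write(reply.byteslice(0, MAX_OUTPUT))
    ensure
      exit!(0) # skip at_exit hooks inherited from the parent
    end
  end
  writer.close
  begin
    # Reading and reaping both sit inside the deadline, so a child that
    # sleeps or keeps the pipe open cannot stall the parent.
    payload, status = Timeout.timeout(wall_seconds) do
      data = reader.read(MAX_OUTPUT).to_s
      [data, Process.wait2(pid).last]
    end
  rescue Timeout::Error
    begin
      Process.kill("KILL", pid)
      Process.wait(pid)
    rescue Errno::ESRCH, Errno::ECHILD
      # child was already reaped just as the deadline fired
    end
    return [:timeout, nil]
  ensure
    reader.close
  end
  return [:killed, Signal.signame(status.termsig)] if status.signaled?
  # The child is untrusted: treat its reply as plain text, never Marshal.load it.
  tag, text = payload.split("\n", 2)
  %w[ok error].include?(tag) ? [tag.to_sym, text] : [:garbled, nil]
end
```
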