- Subject: Re: LuaJIT FFI __gc metamethod?
- From: Josh Haberman <jhaberman@...>
- Date: Mon, 28 Feb 2011 21:23:15 +0000 (UTC)
Mike Pall <mikelu-1102 <at> mike.de> writes:
> That's not a viable approach for sandboxing. The only reasonably
> safe way to run untrusted/malicious Lua scripts is to sandbox it
> at the process level.
What you are saying applies only to FFI, right? Without FFI,
can't either Lua or LuaJIT be very tightly sandboxed in-process
with an approach like this?
http://lua-users.org/wiki/SandBoxes
This might be a reason to maintain both FFI and non-FFI bindings
for C libraries: FFI for speed, non-FFI when robust sandboxing of
untrusted code is required.
If this analysis is sound, I think my FFI bindings will indeed
use the ctype finalizer support you have just added, since the
cdata-wrapping userdata isn't actually any more secure than
giving the user a cdata directly, from a sandboxing perspective
(it's just a little bit more obscure).
Josh
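As an added example (not from this thread or from LuaJIT itself), here is the environment-whitelisting approach the linked SandBoxes page describes, written against the Lua 5.1 API that LuaJIT implements. The instruction budget, the bytecode check and the string-metatable repointing are additions of mine, and `run_sandboxed`, `make_env` and `copy_without` are hypothetical names.

```lua
-- Lua 5.1 / LuaJIT: run an untrusted source chunk in a whitelist environment.
-- Assumes the 5.1 API (setfenv, loadstring, global unpack); nothing here
-- touches the ffi module, which stays out of the sandbox entirely.

local function copy_without(src, deny)
  local t = {}
  for k, v in pairs(src) do if not deny[k] then t[k] = v end end
  return t
end

-- string.dump hands out bytecode, and loading bytecode is not memory-safe.
local SAFE_STRING = copy_without(string, { dump = true })
-- In 5.1 every string's metatable indexes the global `string` table, so
-- ("x").dump would bypass the whitelist. Repoint it at the filtered copy
-- (a host-wide side effect, applied once).
getmetatable("").__index = SAFE_STRING

local function make_env()
  -- Deliberately absent: ffi, require, package, io, os, debug, _G, load,
  -- loadstring, loadfile, dofile, getmetatable, setmetatable, rawset,
  -- and pcall/xpcall/coroutine so the budget error below cannot be caught
  -- from inside the sandbox.
  return {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, select = select, tonumber = tonumber, tostring = tostring,
    type = type, unpack = unpack,
    string = SAFE_STRING, table = copy_without(table, {}),
    math = copy_without(math, {}),
  }
end

-- Returns ok, result_or_error. Only source text is accepted: Lua and LuaJIT
-- bytecode chunks both begin with ESC (0x1b), and loadstring would load them.
local function run_sandboxed(code, max_instructions)
  if code:byte(1) == 27 then return false, "bytecode rejected" end
  local chunk, err = loadstring(code, "=untrusted")
  if not chunk then return false, err end
  setfenv(chunk, make_env())
  debug.sethook(function()
    debug.sethook()  -- disarm first so the hook cannot fire in host code
    error("instruction budget exceeded", 0)
  end, "", max_instructions)
  local ok, res = pcall(chunk)
  debug.sethook()  -- normal-completion path
  return ok, res
end

print(run_sandboxed("return (ffi or require or io or os) == nil", 1e6))
print(run_sandboxed("return (string.dump or ('').dump or loadstring) == nil", 1e6))
print(run_sandboxed("while true do end", 1e5))
```

The count hook bounds CPU but not memory (string.rep and unbounded table growth remain available), which is the kind of gap that argues for process-level isolation when the script is actually hostile.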