[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Sandbox implementation, attempt #2
- From: "Soni L." <fakedme@...>
- Date: Sat, 18 Mar 2017 19:47:06 -0300
On 18/03/17 07:26 PM, David F wrote:
Hello,
Sorry, I forgot to turn off HTML in my previous posting.
I'm currently adding lua (5.1/luajit) to a game (the stock modding system they provide is really crappy).
Now I don't want any modders to mess peoples PC's up, that's why I decided it needs a sandbox (also, hosting providers wouldn't accept it otherwise). So I patched one together from bits and pieces I found while doing research and extended it with my own ideas.
The problem is, sandboxing has many pitfalls, and I'm really new to lua. So I would really appreciate if anyone could take a look at my code and tell me if there is anything wrong with it. Don't want to waste anyones time but I figured this is the place to ask.
My goals were:
- Lock user to a specific directory and allow I/O on everything in it
- Prevent program execution, except lua scripts in user dir
- Prevent access to parent environment
I don't care about crashes.
I decided to link the code instead of pasting it, because the message would be really long otherwise.
https://bitbucket.org/Kumpuu/warband-script-enhancer/src/a2132009816653d67352332429137620f98e044d/WSELib/LuaSandbox.txt?at=lua&fileviewer=file-view-default
Cheers, David.
You don't need to worry about 2 and 3 if you disable "os" lib.
Wrapping "io" lib is painful but possible.
Remember to also remove "require", "loadfile", "dofile", etc, then
reimplement them using wrapped "io". Use a wrapped "load"/"loadstring"
and implement signed bytecode loading so you don't load untrusted
bytecode. (With the caveat that an user could manually retrieve the key
and manually load untrusted bytecode, but the key isn't portable anyway
so it's a non-issue. Just use a secure CSPRNG when the user runs the
game for the first time.)
I might be forgetting a thing or two, but that should be it. You might
wanna consider wrapping "print" as well, but that's more of a
convenience thing than a security thing.
--
Disclaimer: these emails may be made public at any given time, with or without reason. If you don't agree with this, DO NOT REPLY.