- Subject: Re: Sandbox implementation
- From: Frank Kastenholz <fkastenholz@...>
- Date: Mon, 20 Mar 2017 08:06:54 -0500 (CDT)
I've built Lua sandboxes.
There are a couple of other things to consider besides the filesystem, I/O and the various
os library functions:
1. Memory use. You want to ensure that the thing running in the sandbox can't over-consume memory. If the sandboxed software does something like
s = " "
for i = 1, 128, 1 do
    s = s .. s
end
you would have a problem, in that it could prevent other parts of the system from executing.
2. CPU use. As in #1, if you do
for i = 1, 1000000000000000, 1 do
end
it might lock the CPU up executing the for loop, preventing other things from running.
The host OS dispatcher might help, or it might not, depending on how sophisticated it is
and what other things might be running in the same thread/process as the Lua program.
3. Access to the host application's APIs needs to be mediated. If the Lua app can make calls back to that API and cause it to do Bad Things,
then you would also have a problem. Suppose your game has a call like "allocate_game_elements(int number_of_elements, ...)" and a
rogue app asks to allocate 2^128 elements....
For what it's worth, when we developed our system we looked at LuaJIT and decided against it, in part because it was
difficult to provide protections. LuaJIT, and its FFI, can generate direct calls to functions in the host environment; we would
not be able to mediate the call, check the parameters, etc. We found that standard PUC-Rio Lua was quite fast enough
for our applications (digital signal processing) and had ways for us to get in and develop the protections needed for our target.
On 03/18/17, Anon ym wrote:
I'm currently adding Lua (5.1/LuaJIT) to a game (the stock modding system they provide is really crappy).
Now I don't want any modders to mess people's PCs up, that's why I decided it needs a sandbox (also, hosting providers wouldn't accept it otherwise). So I patched one together from bits and pieces I found while doing research and extended it with my own ideas.
The problem is, sandboxing has many pitfalls, and I'm really new to Lua. So I would really appreciate it if anyone could take a look at my code and tell me if there is anything wrong with it. I don't want to waste anyone's time, but I figured this is the place to ask.
My goals were:
- Lock user to a specific directory and allow I/O on everything in it
- Prevent program execution, except lua scripts in user dir
- Prevent access to parent environment
I don't care about crashes.
I decided to link the code instead of pasting it, because the message would be really long otherwise.
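The three points in the reply above (memory, CPU, mediated host calls) can be given rough bounds from pure Lua 5.1 with nothing but setfenv, a count hook and collectgarbage. The harness below is an added example written for this page, not code from either poster or from any project; the limits, the env contents, MAX_ELEMENTS and the host_allocate_game_elements stand-in are all assumptions, and it targets PUC-Rio Lua 5.1 (it does not address the LuaJIT FFI concern).

```lua
-- Added example (not code from the thread): a pure-Lua 5.1 harness that bounds
-- memory, instruction count and host-API access for an untrusted chunk.
-- All limits below are assumptions; tune them for your host.
local MEM_LIMIT_KB = 4096   -- assumed: chunk may grow the state by about 4 MiB
local STEP_LIMIT   = 1e6    -- assumed: VM instructions allowed per run
local HOOK_EVERY   = 10     -- check every 10 instructions (coarser = more overshoot)

-- Point 3: the one host call the script may reach, wrapped so the parameters
-- are validated before the real host function is touched.
local MAX_ELEMENTS = 10000                        -- assumed host limit
local function host_allocate_game_elements(n)     -- stand-in for the real host API
  return { count = n }
end
local function mediated_allocate(n)
  if type(n) ~= "number" or n ~= math.floor(n) or n < 1 or n > MAX_ELEMENTS then
    error("allocate_game_elements: bad element count", 2)
  end
  return host_allocate_game_elements(n)
end

-- Minimal environment: no io/os/loadstring/debug/coroutine, and no pcall,
-- because a script that can catch errors can swallow the limit errors the
-- hook raises and keep going.
local function make_env()
  return {
    ipairs = ipairs, pairs = pairs, type = type, tostring = tostring,
    tonumber = tonumber, select = select, unpack = unpack,
    math = math,
    string = { sub = string.sub, len = string.len, format = string.format },
    table = { insert = table.insert, remove = table.remove, concat = table.concat },
    allocate_game_elements = mediated_allocate,
  }
end

-- Runs src in a fresh coroutine with a count hook that enforces the limits.
-- Returns true, result on success, or false, message when aborted.
local function run_sandboxed(src)
  local fn, err = loadstring(src, "=untrusted")
  if not fn then return false, "compile: " .. tostring(err) end
  setfenv(fn, make_env())             -- 5.1: detach the chunk from the real globals

  local co = coroutine.create(fn)
  local steps, tripped = 0, nil
  local baseline = collectgarbage("count")   -- KB in use before the chunk starts

  -- Count hook: runs inside the coroutine every HOOK_EVERY VM instructions.
  -- error() here unwinds the untrusted code and lands in coroutine.resume.
  debug.sethook(co, function()
    if tripped then error(tripped, 0) end    -- keep aborting even if caught once
    steps = steps + HOOK_EVERY
    if steps > STEP_LIMIT then
      tripped = "cpu limit exceeded"
    elseif collectgarbage("count") - baseline > MEM_LIMIT_KB then
      tripped = "memory limit exceeded"
    end
    if tripped then error(tripped, 0) end
  end, "", HOOK_EVERY)

  local ok, res = coroutine.resume(co)
  debug.sethook(co)                   -- clear the hook; the thread is now garbage
  collectgarbage("collect")
  return ok, res
end

-- Point 1: the s = s..s doubling loop from the mail.
print(run_sandboxed([[ local s = " " for i = 1, 128 do s = s .. s end return #s ]]))
-- Point 2: a loop that would otherwise run for days.
print(run_sandboxed([[ for i = 1, 1e15 do end return "done" ]]))
-- Point 3: an over-large host request is rejected before it reaches the host.
print(run_sandboxed([[ return allocate_game_elements(2^128) ]]))
-- Well-behaved code still works.
print(run_sandboxed([[ return allocate_game_elements(8).count ]]))
```

Two caveats a practitioner should keep in mind. First, collectgarbage("count") is state-wide and is only consulted between instructions, so a single instruction (a large concatenation, or ("x"):rep(2^30)) can allocate far past the limit before the hook ever sees it; the only hard cap is one enforced in the host allocator via lua_setallocf, which is the kind of host-side protection the reply above alludes to. Second, in 5.1 every string carries a metatable whose __index is the real string library, so trimming the string table in the env changes nothing for method syntax such as ("x"):rep(n); that metatable has to be replaced from the host as well.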