Lua sandbox

This is enough to prevent abuse by denying access to functions and
denial of service (RAM and instruction step limits), but not enough
to allow restricted use of things that require finer control (e.g.
filesystem access).

If something goes wrong, the whole thing can be turned off, for
now, in config.h (see NHL_SANDBOX).

None of the current functionality requires changes to build systems;
some of the possible future functionality may require some #defines
- TBD.  There is lots of dead code (#ifdef notyet) for bits of that
additional functionality; we can rip it out if we don't want those
additions or we can complete (parts of) it depending on our needs.

All current uses of Lua are connected to sandboxes and guarded with
nhl_pcall (sandbox and lua_pcall wrapper); options and limits can
be set at the callsites in the passed nhl_sandbox_info.  Some of
the error handling may be wrong - panic() vs. impossible() vs.
silence.

Memory and instruction step limits should be tuned prior to release;
there's no point tuning them now.
This commit is contained in:
nhkeni
2022-04-29 19:46:33 -04:00
parent 5d56da3d32
commit 6bd2172ba7
11 changed files with 779 additions and 30 deletions


@@ -1773,10 +1773,11 @@ extern int l_obj_register(lua_State *);
extern void l_nhcore_init(void);
extern void l_nhcore_done(void);
extern void l_nhcore_call(int);
extern lua_State * nhl_init(void);
extern lua_State * nhl_init(nhl_sandbox_info *);
extern void nhl_done(lua_State *);
extern boolean nhl_loadlua(lua_State *, const char *);
extern boolean load_lua(const char *);
extern int nhl_pcall(lua_State *, int, int);
extern boolean load_lua(const char *, nhl_sandbox_info *);
extern void nhl_error(lua_State *, const char *) NORETURN;
extern void lcheck_param_table(lua_State *);
extern schar get_table_mapchr(lua_State *, const char *);
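Review bot: the new `nhl_init(nhl_sandbox_info *)` and `load_lua(const char *, nhl_sandbox_info *)` prototypes reference a type that is not declared anywhere in this hunk; make sure `nhl_sandbox_info` is defined (or at least forward-declared as a struct typedef) in a header included before this point in extern.h, otherwise every translation unit that includes extern.h fails to compile. Since the commit message says the sandbox can be disabled via NHL_SANDBOX in config.h, it would also help to state next to these prototypes whether a NULL `nhl_sandbox_info *` is an accepted "no limits" argument or a caller error. Finally, `nhl_pcall(lua_State *, int, int)` mirrors only the first three parameters of `lua_pcall`; a one-line comment saying that the wrapper supplies the message handler itself (and that callers must use it instead of a bare `lua_pcall` so the step and memory limits are not bypassed) would make the intended contract explicit.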
@@ -1802,6 +1803,7 @@ extern int get_table_option(lua_State *, const char *, const char *,
extern int str_lines_max_width(const char *);
extern char *stripdigits(char *);
extern const char *get_lua_version(void);
extern void nhl_pushhooked_open_table(lua_State *L);
#endif /* !CROSSCOMPILE || CROSSCOMPILE_TARGET */
/* ### nhregex.c ### */
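Review bot: `extern void nhl_pushhooked_open_table(lua_State *L);` names its parameter, while every other prototype in this block (`nhl_done(lua_State *)`, `nhl_loadlua(lua_State *, const char *)`, `lcheck_param_table(lua_State *)`) omits parameter names; drop the `L` for consistency with the file's style. The function name suggests it installs a hooked table in place of a library `open`, but the commit message states that finer-grained control such as filesystem access is not implemented yet, so please note in a comment whether this declaration is exercised by current code or belongs to the `#ifdef notyet` material the message describes, so it is not left as an orphaned declaration if that dead code is later ripped out.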