sandboxes and libraries that use the ffi
19 views
Skip to first unread message
Ryan Culpepper
May 28, 2015, 3:12:56 PM5/28/15
to d...@racket-lang.org
The following interaction fails:
> (require racket/sandbox)
> (define sb-eval
(make-evaluator 'racket/base
#:allow-for-require '(math)))
> (sb-eval '(require math))
current-directory: `exists' access denied for /tmp/ryan/
context...:
/Applications/Racket v6.1.1/collects/setup/dirs.rkt:291:2: dll-dir
/Applications/Racket v6.1.1/collects/racket/promise.rkt:70:15
/Applications/Racket v6.1.1/collects/racket/private/more-scheme.rkt:264:2: call-with-exception-handler
/Applications/Racket v6.1.1/collects/racket/promise.rkt:38:2
/Applications/Racket v6.1.1/collects/setup/dirs.rkt:167:7: get-lib-search-dirs
/Applications/Racket v6.1.1/collects/racket/private/so-search.rkt:28:0: so-find
/Applications/Racket v6.1.1/collects/racket/runtime-path.rkt:83:9
/Applications/Racket v6.1.1/collects/racket/runtime-path.rkt:81:0: resolve-paths
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/gmp.rkt: [running body]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/mpfr.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/bigfloat-mpfr.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/bigfloat-struct.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/bigfloat.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/polynomial/chebyshev.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/functions/stirling-error.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/flonum/flonum-factorial.rkt: [traversing imports]…
The problem seems to be that the math library wants to load a foreign library (mpfr), but the sandbox security guard is getting in its way. In other words, the allow-for-require blessing does not extend to the FFI.
Question 1: Is there an easy workaround for this particular issue? (Other than broadly relaxing the security guard?)
Question 2: Is there anything the math library (and other libraries that use ffi bindings) could do to make this automatically work?
Ryan
> (require racket/sandbox)
> (define sb-eval
(make-evaluator 'racket/base
#:allow-for-require '(math)))
> (sb-eval '(require math))
current-directory: `exists' access denied for /tmp/ryan/
context...:
/Applications/Racket v6.1.1/collects/setup/dirs.rkt:291:2: dll-dir
/Applications/Racket v6.1.1/collects/racket/promise.rkt:70:15
/Applications/Racket v6.1.1/collects/racket/private/more-scheme.rkt:264:2: call-with-exception-handler
/Applications/Racket v6.1.1/collects/racket/promise.rkt:38:2
/Applications/Racket v6.1.1/collects/setup/dirs.rkt:167:7: get-lib-search-dirs
/Applications/Racket v6.1.1/collects/racket/private/so-search.rkt:28:0: so-find
/Applications/Racket v6.1.1/collects/racket/runtime-path.rkt:83:9
/Applications/Racket v6.1.1/collects/racket/runtime-path.rkt:81:0: resolve-paths
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/gmp.rkt: [running body]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/mpfr.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/bigfloat-mpfr.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/bigfloat/bigfloat-struct.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/bigfloat.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/polynomial/chebyshev.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/functions/stirling-error.rkt: [traversing imports]
/Applications/Racket v6.1.1/share/pkgs/math-lib/math/private/flonum/flonum-factorial.rkt: [traversing imports]…
The problem seems to be that the math library wants to load a foreign library (mpfr), but the sandbox security guard is getting in its way. In other words, the allow-for-require blessing does not extend to the FFI.
Question 1: Is there an easy workaround for this particular issue? (Other than broadly relaxing the security guard?)
Question 2: Is there anything the math library (and other libraries that use ffi bindings) could do to make this automatically work?
Ryan
Reply all
Reply to author
Forward
0 new messages