Yesterday, Robby Findler wrote:
> Perhaps the right thing is to have the setup code export a small
> library that contains a "is my mark bound in the context" function
> and then the sandbox can call that function when deciding whether or
> not to grant permission.
>
> (That has the dependencies going the right way, right?)
Yes. But I'd like to hear Matthew's opinion before hacking something like that in.

The thing that bothers me about this solution is that there might be some other code that needs to be treated as privileged too, and in that case the sandbox will need to invoke each file's predicate (they won't be able to share this functionality since the actual values must be hidden). For this reason, and assuming that this is a proper solution, the parameter is better put at the "highest" entry point to the privileged code. I suspect that this means that it should be part of the resolver, but only in the built-in unconfigurable core (otherwise you can circumvent protection by a configured malicious resolver), so perhaps this has to be done in the C core.

It's also not clear to me if a whole parameter is needed, or just a continuation mark.

--
((lambda (x) (x x)) (lambda (x) (x x)))    Eli Barzilay:
http://barzilay.org/                       Maze is Life!

____________________
Racket Users list:
http://lists.racket-lang.org/users
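The arrangement Robby sketches above (setup code owns a private continuation-mark key and exports only an "is my mark bound in the context" predicate, which the sandbox consults before granting permission) can be written down in a few lines. The following is an added illustration, not code from the thread and not Racket's actual sandbox; the names `privileged-key`, `call-privileged`, `privileged-context?` and `guarded-op` are hypothetical, and the two modules are written as submodules so the whole thing runs as a single file.

```racket
#lang racket/base
;; Added illustration (not code from the thread or from Racket's sandbox):
;; one module owns a private continuation-mark key and exports only a
;; predicate; the "sandbox" module consults the predicate without ever
;; seeing the key. Names such as privileged-key, call-privileged,
;; privileged-context? and guarded-op are hypothetical.

(module setup racket/base
  (provide call-privileged privileged-context?)

  ;; The key itself is never provided, so no outside code can set the mark.
  (define privileged-key (make-continuation-mark-key 'privileged))

  ;; Run thunk with the mark bound; only trusted setup code may call this.
  (define (call-privileged thunk)
    (with-continuation-mark privileged-key #t
      (thunk)))

  ;; "Is my mark bound in the context?": #t iff some frame of the current
  ;; continuation carries the private mark.
  (define (privileged-context?)
    (and (continuation-mark-set-first #f privileged-key #f) #t)))

(module sandbox racket/base
  (require (submod ".." setup))
  (provide guarded-op)

  ;; The permission decision calls the exported predicate; the dependency
  ;; runs sandbox -> setup, never the other way round.
  (define (guarded-op)
    (unless (privileged-context?)
      (error 'guarded-op "permission denied: not in a privileged context"))
    'ok))

(require 'setup 'sandbox)

;; Denied when the mark is absent:
(with-handlers ([exn:fail? (lambda (e) (displayln (exn-message e)))])
  (guarded-op))

;; Granted when reached from trusted code:
(displayln (call-privileged guarded-op))
```

The predicate reveals only a boolean, so several privileged modules could each export their own without sharing the key, which is exactly the per-file check Eli worries about. The gate is only as strong as the reachability of `call-privileged`: it must not be exported to sandboxed code, and, as the reply notes, a configurable module resolver could bypass a check that lives in ordinary Racket code, which is why the thread leans towards placing it in the unconfigurable core.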