[erlang-questions] Sandbox for Erlang emulator

Ulf Wiger ulf@REDACTED
Sun Dec 3 16:44:50 CET 2006


Den 2006-12-03 15:05:06 skrev Kirill Zaborski <qrilka@REDACTED>:

> What do you think is the best way to implement a sandbox
> for Erlang emulator?

I'd say that depends on what you want to do, more specifically.

> Actually I want to restrict access to the file system,
> network (and maybe something else) from the code running
> inside the emulator. Is Erlhive a suitable tool for it?

Erlhive doesn't restrict the emulator, but rather restricts
what you can do in your programs. Currently, it also carries
the overhead of mnesia transactions. The code transformation
could probably be separated, but that hasn't been done yet.

Without knowing more, it's difficult to say whether Erlhive
would be a good choice. It assumes some kind of authenticating
front-end (the example code is Yaws-based). Erlhive ought to
be a suitable sandbox for a data driven web application.

> The only other way I see to do this is to run the emulator
> under the user with minimal privileges.
> Any other ideas?

You could run a VMWare appliance - e.g. an Ubuntu image with
erlang installed. This would give you a sandbox without
limiting what can be done in the Erlang/OTP environment.
It will carry some overhead, though.

BR,
Ulf Wiger
-- 
Ulf Wiger



More information about the erlang-questions mailing list