[erlang-questions] Preventing calling some functions

Joe Armstrong erlang@REDACTED
Fri Dec 11 11:07:38 CET 2009


It's a bit tricky but doable.

You need to do a parse transform of the source code, the parse transform can
decide which functions are legal.

Suppose you don't want to call gen_tcp:listen then you do a parse
transform that looks for gen_tcp:listen and replaces it with
exit(badArg) or whatever.

Now suppose somebody wants to break this and writes:

      F = list_to_atom("listen"),
      receive
           {From, M} ->
              M:F(...)


You transform this into:

      F = list_to_atom("listen"),
      receive
           {From, M} ->
              check_call(M, F, ...)

where

   check_call(gen_tcp, listen, ...) -> exit(badArg);
   check_call(M, F, A) -> apply(M, F, A)

Certain checks can be done statically, others at run time.

Sandboxing things like spawn and list_to_atom which are potentially
dangerous is much more
difficult - so it all depends on what you want to do.

There is also a technique for allowing two plugins to use the same
namespace without colliding.

The basic idea is to transform the module name to the MD5 of the
module content in a consistent way. I have experimented with this, see:

http://github.com/joearms/elib1/blob/master/supported/versions/versions.html

The general problem is difficult - which is probably why there are no
standard libraries for this.

Specific problems like "only disallowing calls to gen_tcp:listen" are
easier (though there might be some
problem with dynamic code upgrade, I haven't thought so much about

Cheers

/Joe
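
The transform described in the message above, as an added example that is not Joe Armstrong's code and not part of the original thread: a parse transform that replaces literal calls to a denied function with exit(badArg) and routes M:F(...) calls whose target is only known at run time through check_call/3. The module name sandbox_pt, the DENIED macro and the list_ast/2 helper are assumptions made for illustration.

```erlang
%% Added example. A plugin opts in with:
%%   -compile({parse_transform, sandbox_pt}).
-module(sandbox_pt).
-export([parse_transform/2, check_call/3]).

%% Denied {Module, Function} pairs; gen_tcp:listen is the thread's example.
-define(DENIED, [{gen_tcp, listen}]).

parse_transform(Forms, _Options) ->
    [rewrite(Form) || Form <- Forms].

%% Static case: module and function are both literal atoms,
%% so the decision is made at compile time.
rewrite({call, L, {remote, _, {atom, _, M}, {atom, _, F}} = Callee, Args}) ->
    case lists:member({M, F}, ?DENIED) of
        true  -> {call, L, {atom, L, exit}, [{atom, L, badArg}]};
        false -> {call, L, Callee, rewrite(Args)}
    end;
%% Dynamic case: M or F is an expression, so defer to a run-time check.
rewrite({call, L, {remote, _, M, F}, Args}) ->
    {call, L, {remote, L, {atom, L, ?MODULE}, {atom, L, check_call}},
     [rewrite(M), rewrite(F), list_ast(L, rewrite(Args))]};
%% Everything else: walk the abstract form generically.
rewrite(T) when is_tuple(T) -> list_to_tuple(rewrite(tuple_to_list(T)));
rewrite(Xs) when is_list(Xs) -> [rewrite(X) || X <- Xs];
rewrite(Other) -> Other.

%% Turn a list of argument expressions into the abstract form of a list.
list_ast(L, [])      -> {nil, L};
list_ast(L, [H | T]) -> {cons, L, H, list_ast(L, T)}.

%% Run-time half: the same deny list, applied to the resolved M and F.
check_call(M, F, Args) ->
    case lists:member({M, F}, ?DENIED) of
        true  -> exit(badArg);
        false -> apply(M, F, Args)
    end.
```

This covers only remote-call syntax. Calls made through apply/3, spawn or a fun M:F/A reference are not rewritten here and would each need their own clause.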



On Thu, Dec 10, 2009 at 3:41 PM, Brentley Jones <the.ajarn@REDACTED> wrote:
>
> On Dec 10, 2009, at 5:06 AM, Kiran Khaladkar wrote:
>
>> hi,
>> I have a server written in which I allow erlang plugins also. But the problem is I don't want the plugin code to call certain functions such as 'gen_tcp:listen' etc .. The plugin writer should not be able to call certain functions though he might know all the erlang lib.
>> Can anyone suggest a way to do such a thing??
>> regards,
>>
>> ________________________________________________________________
>> erlang-questions mailing list. See http://www.erlang.org/faq.html
>> erlang-questions (at) erlang.org
>>
>
> Now, don't take what I say as definitive, since I'm still sort of new to Erlang myself, but I don't think that what you are asking is currently possible. I myself was asking the same question just a couple days ago [1], with the same intent as you (I want to have plugins/scripts that are sandboxed).
>
> One solution would be the implementation of reified environments [2]. I personally believe that their implementation would allow for a much safer Erlang, allowing for the possibility of sandboxed environments that know only about modules that you want it to know about. For example, the plugins could be exposed only to your custom modules plus a few BIFs, if you so wanted.
>
> Maybe someone knows something that I don't though.
>
> - Brentley Jones
>
>
> [1] http://groups.google.com/group/erlang-programming/browse_frm/thread/e0b6a4b60ce03469/b07ec46a989bcd9c
>
> [2] http://www.erlang.org/pipermail/erlang-questions/2006-November/023879.html