Dia 1.1 released!

Robert Gleeson

Hey

For anyone on OSX who has a few minutes to spare, you might find "Dia" a fun
project to play around with.

It can run a Ruby block or an OSX Application under a sandbox with five
different profiles that affect the restrictions of the sandbox.

Here is a quick example:


require 'rubygems'
require 'dia'
require 'open-uri'

Dia::SandBox.new(Dia::Profiles::NO_INTERNET).run_with_block do
  open(URI.parse('http://www.google.com')).read # Exception raised.
end

If anyone is curious, it uses the features exposed in the C header file
"sandbox.h" on OSX to create a sandbox ..

I released 1.1 today.

http://gemcutter.org/gems/dia
http://github.com/robgleeson/dia


</spam>

Cheers,
Rob
 
Daniel Berger

Looks interesting. I'm curious about the name, though. When I think of
"Dia" I first think of this:

http://projects.gnome.org/dia/

Regards,

Dan
 
Robert Gleeson

Dan --

Thanks for the reply .. I think this project has been mentioned to me
before but I took the name "Dia" from the Gaelic language. It translates
to "God".

Thanks,
Rob
 
Robert Gleeson

I'm just leaving an update:

Dia 1.3 was released a few days ago, and introduces some convenience
methods like Dia::Sandbox#terminate and Dia::Sandbox#alive?. Also
included in this release are API changes that add some
consistency (whether you are running a block or an application in a
sandbox, both are supplied to the constructor and initiated with
Dia::Sandbox#run).

Documentation: http://www.flowof.info/dia

Rob,
http://blog.flowof.info
 
Josh Cheek

Hi, Robert, I've been wanting to do a Rails project for my ACM group at
school that includes functionality similar to codepad.org and javabat.com,
where code is submitted by the user and executed on the server. Of course,
there are huge security risks with this, that I don't currently have the
knowledge to address. Would Dia be able to handle situations like this (at
least for Ruby)?

In particular, I want to take user submitted code and
1) execute it, evaluate the output
2) run some predesigned set of unit tests / specs against it, and report the
success/failures

I feel like this could be a very effective learning tool, but like I said,
security has been a big hurdle.

-Josh
 
Robert Gleeson

Josh --

Thanks for the interest!
Dia works on the operating system level by using features exposed by the
Mac OSX header "sandbox.h" .. The most restrictive profile you can use
is Dia::Profiles::NO_OS_SERVICES, and this disallows all operating
system services.

If you were to set up a sandbox like you were talking about, I'd suggest
this profile.

You won't be able to:

* Read from the filesystem
* Write to the filesystem
* Access the internet
* Do any kind of socket based communication
* fork()

.. And the restrictions go on, I've probably missed a few.

I'll leave you with an example to give you some ideas:

require 'rubygems'
require 'dia'
require 'open-uri'

sandbox = Dia::Sandbox.new(Dia::Profiles::NO_OS_SERVICES) do
  open(URI.parse('http://www.google.com')).read
end

# Child process is spawned.
# Ruby block is executed.
# An attempt to access the internet is encountered, and a subclass of
# SystemCallError (Errno::EPERM) is raised.
sandbox.run

If you have any questions, please ask.

Thanks,
Rob
 
Robert Gleeson

Another mistake I made, this is the exception that actually gets raised
with the following code:

"could not lookup DNS configuration info service: Permission denied
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:560:in
`initialize': getaddrinfo: nodename nor servname provided, or not known
(hope:flowof.info robertgleeson$ SocketError)"


You will need to require 'open-uri' and 'net/http' _before_ you call
Dia::Sandbox#run because require() will also fail under this sandbox.
 
Josh Cheek

Thanks for the feedback, Robert. I won't be able to play with it for a bit
because of work, school, and a business project I'm engaged in, but this
idea has been flirting with me for over a year, and I've been on the lookout
for a tool like this to make it possible :) I'll definitely sit down and
play with it (aka see if it can stop my subversity, lol)

I'm really excited about this, thank you for making it available ^_^

(lol, I have 6 minutes before I have to leave for school, and I'm looking at
the clock debating whether I can install and try some of the examples from
the github page within that time)
 
Robert Gleeson

Josh --

Let me know how it goes :) If you need any help you can get back to me
here, or on IRC (irc.freenode.net / "robgleeson")

Since a child process is spawned by Dia::Sandbox#run, and you want to
capture a return value from your block, I'd suggest using IO.pipe if you
haven't thought of that already.

Thanks,
Rob
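
The IO.pipe suggestion above, as an added example that is not part of the original thread and is not Dia's own code. Plain fork stands in for the child that Dia::Sandbox#run spawns (an assumption), and run_in_child, failure and MAX_RESULT_BYTES are hypothetical names; the parent treats whatever comes back over the pipe as untrusted data, with a size cap and a timeout.

```ruby
require 'json'    # loaded before the child starts: require() fails inside the sandbox
require 'timeout'

MAX_RESULT_BYTES = 64 * 1024 # constructed cap on what the parent will accept

def failure(reason)
  { 'ok' => false, 'error' => reason }
end

# Runs the block in a child process and returns a Hash describing the outcome.
# Plain fork stands in for the child that Dia::Sandbox#run spawns (assumption).
def run_in_child(timeout_s = 5, &block)
  reader, writer = IO.pipe
  pid = fork do
    reader.close
    payload = begin
      { 'ok' => true, 'value' => block.call.to_s }
    rescue Exception => e # report every failure, e.g. Errno::EPERM
      failure("#{e.class}: #{e.message}")
    end
    begin
      writer.write(JSON.generate(payload))
    ensure
      exit!(0) # leave without running at_exit handlers inherited from the parent
    end
  end
  writer.close # parent keeps only the read end, so EOF arrives when the child exits
  raw = begin
    Timeout.timeout(timeout_s) { reader.read(MAX_RESULT_BYTES + 1) }
  rescue Timeout::Error
    Process.kill('KILL', pid) # runaway submission: stop it instead of waiting
    :timeout
  end
  reader.close
  Process.wait(pid)
  return failure('timed out') if raw == :timeout
  return failure('no result') if raw.nil?
  return failure('result too large') if raw.bytesize > MAX_RESULT_BYTES
  JSON.parse(raw) # data only: never Marshal.load or eval what the child sends
rescue JSON::ParserError
  failure('malformed result')
end
```
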
 
Josh Cheek

Hi, Robert. I seem to be having difficulty. I tried to hello world, but I'm
getting a NullPointerError

http://img341.imageshack.us/img341/3522/picture12nc.png

I'm using RVM, and tried it with 1.8.6 and 7, and 1.9.1
I'm on OS X 10.5.6

When I run it in TextMate, it gives this backtrace
FFI::NullPointerError: invalid memory read at address=0x0
method get_string in pointer.rb at line 57
method read_string in pointer.rb at line 57
method run in sandbox.rb at line 58
method fork in sandbox.rb at line 56
method run in sandbox.rb at line 56
at top level in test1.rb at line 7


Here is the code:

require 'rubygems'
require 'dia'

sandbox = Dia::Sandbox.new(Dia::Profiles::NO_OS_SERVICES) do
  puts 'hello world'
end
sandbox.run
 
Robert Gleeson

Josh said:
Hi, Robert. I seem to be having difficulty. I tried to hello world, but
I'm getting a NullPointerError

http://img341.imageshack.us/img341/3522/picture12nc.png

I'm using RVM, and tried it with 1.8.6 and 7, and 1.9.1
I'm on OS X 10.5.6

When I run it in TextMate, it gives this backtrace
FFI::NullPointerError: invalid memory read at address=0x0
method get_string in pointer.rb at line 57
method read_string in pointer.rb at line 57
method run in sandbox.rb at line 58
method fork in sandbox.rb at line 56
method run in sandbox.rb at line 56
at top level in test1.rb at line 7

Hmm, I haven't seen that before but I think I know what it is. I think a
call to sandbox_init() fails, and then we call #read_string on a NULL
pointer. It may be the hard-coded value passed as the second argument to
sandbox_init() causing this. It should be SANDBOX_NAMED.

I'll work on a patch in the next hour or so (only waking up here), and
get back to you.

Sorry for the inconvenience.

Rob
 
Robert Gleeson

Josh --

I'm not 100% sure if this bug has been fixed or not, but I've made a few
changes.
I released Dia 1.4.pre for you to be able to get it easily, so all you
need to do is:

gem install dia --pre

If this doesn't fix your issue, maybe you can come on IRC (if you have the
time) so we can hack on the problem there.

Thanks,
Rob
 
Josh Cheek

Thanks, Robert. I still get the same error, though. Tomorrow (Thurs), I'll
be at work between classes. I'll try it out on my work computer and see how
it goes, and should be able to get on IRC as well.

-Josh
 
Robert Gleeson

Josh --

I managed to get a hold of somebody on IRC running 10.5, and it seems
sandbox_init() fails but it doesn't write an error message. In other
words, we don't know why the sandbox failed. It "Just did". If you can
come onto IRC I'd appreciate it so we can try and find a solution.

irc.freenode.net , with nickname "robgleeson"

Thanks,
Rob
 
Josh Cheek

Wanted to say thanks to Robert, who sat down with me and helped resolve the
issue. Everyone can try it out on IRC channel flowof.info; type:
rb_eval_str: puts 'hello world'

And the robot will execute your Ruby in the sandbox, and return the results.
Really cool stuff!
 
Robert Gleeson

Just a quick update:
The bug reported by Josh Cheek on 10.5 has been fixed in Dia 1.4.pre.2.
If anyone encounters any problems, please get in touch.

Many thanks Josh :)
 
