Dia 1.1 released!

Discussion in 'Ruby' started by Robert Gleeson, Feb 16, 2010.

  1. Hey

    For anyone on OSX who has a few minutes to spare you might "Dia" a fun
    project to play around with.

    It can run a Ruby block or an OSX Application under a sandbox with five
    different profiles that affect the restrictions of the sandbox.

    Here is a quick example:


    require 'rubygems'
    require 'dia'
    require 'open-uri'

    Dia::SandBox.new(Dia::profiles::NO_INTERNET).run_with_block do
    open(URI.parse('http://www.google.com')).read # Exception raised.
    end

    If anyone is curious, it use's the features exposed in the C header file
    "sandbox.h" on OSX to create a sandbox ..

    I released 1.1 today .

    http://gemcutter.org/gems/dia
    http://github.com/robgleeson/dia


    </spam>

    Cheers,
    Rob
    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 16, 2010
    #1
    1. Advertising

  2. On Feb 16, 7:24=A0am, Robert Gleeson <> wrote:
    > Hey
    >
    > For anyone on OSX who has a few minutes to spare you might "Dia" a fun
    > project to play around with.
    >
    > It can run a Ruby block or an OSX Application under a sandbox with five
    > different profiles that affect the restrictions of the sandbox.
    >
    > Here is a quick example:
    >
    > require 'rubygems'
    > require 'dia'
    > require 'open-uri'
    >
    > Dia::SandBox.new(Dia::profiles::NO_INTERNET).run_with_block do
    > =A0 open(URI.parse('http://www.google.com')).read# Exception raised.
    > end
    >
    > If anyone is curious, it use's the features exposed in the C header file
    > "sandbox.h" on OSX to create a sandbox ..
    >
    > I released 1.1 today .
    >
    > http://gemcutter.org/gems/diahttp://github.com/robgleeson/dia


    Looks interesting. I'm curious about the name, though. When I think of
    "Dia" I first think of this:

    http://projects.gnome.org/dia/

    Regards,

    Dan
    Daniel Berger, Feb 16, 2010
    #2
    1. Advertising

  3. Dan --

    Thanks for the reply .. I think this project has been mentioned to me
    before but I took the name "Dia" from the Gaelic language. It translates
    to "God".

    Thanks,
    Rob

    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 16, 2010
    #3
  4. I'm just leaving an update:

    Dia 1.3 was released a few days ago, and introduces some convenience
    methods like Dia::Sandbox#terminate and Dia::Sandbox#alive? . Also
    included in this release are API changes that add some
    consistency(whether you are running a block or an application in a
    sandbox, both are supplied to the constructer and initiated with
    Dia::Sandbox#run)

    Documentation: http://www.flowof.info/dia

    Rob ,
    http://blog.flowof.info
    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 23, 2010
    #4
  5. Robert Gleeson

    Josh Cheek Guest

    [Note: parts of this message were removed to make it a legal post.]

    On Tue, Feb 23, 2010 at 5:19 AM, Robert Gleeson <> wrote:

    > I'm just leaving an update:
    >
    > Dia 1.3 was released a few days ago, and introduces some convenience
    > methods like Dia::Sandbox#terminate and Dia::Sandbox#alive? . Also
    > included in this release are API changes that add some
    > consistency(whether you are running a block or an application in a
    > sandbox, both are supplied to the constructer and initiated with
    > Dia::Sandbox#run)
    >
    > Documentation: http://www.flowof.info/dia
    >
    > Rob ,
    > http://blog.flowof.info
    > --
    > Posted via http://www.ruby-forum.com/.
    >
    >

    Hi, Robert, I've been wanting to do a Rails project for my ACM group at
    school that includes functionality similar to codepad.org and javabat.com,
    where code is submitted by the user and executed on the server. Of course,
    there are huge security risks with this, that I don't currently have the
    knowledge to address. Would Dia be able to handle situations like this (at
    least for Ruby)?

    In particular, I want to take user submitted code and
    1) execute it, evaluate the output
    2) run some predesigned set of unit tests / specs against it, and report the
    success/failures

    I feel like this could be a very effective learning tool, but like I said,
    security has been a big hurdle.

    -Josh
    Josh Cheek, Feb 23, 2010
    #5
  6. Josh --

    Thanks for the interest!
    Dia works on the operating system level by using features exposed by the
    Mac OSX header "sandbox.h" .. The most restrictive profile you can use
    is Dia::profiles::NO_OS_SERVICES, and this disallows all operating
    system services.

    If you were to setup a sandbox like you were talking about, I'd suggest
    this profile.

    You won't be able to:

    * Read from the filesystem
    * Write to the filesystem
    * Access the internet
    * Do any kind of socket based communication
    * fork()

    .. And the restrictions go on, I've probably missed a few.

    I'll leave you with an example to give you some ideas:

    sandbox = Dia::Sandbox(Dia::profiles::NO_OS_SERVICES) do
    open(URI.parse('http://www.google.com')).read
    end

    # Child process is spawned.
    # Ruby block is executed.
    # An attempt to access the internet encountered, and a subclass of
    SystemCallError(Errno::EPERM) raised.
    sandbox.run

    If you have any question, please ask.

    Thanks,
    Rob



    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 23, 2010
    #6
  7. Typo fix:

    > sandbox = Dia::Sandbox.new(Dia::profiles::NO_OS_SERVICES) do
    > open(URI.parse('http://www.google.com')).read
    > end
    >



    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 23, 2010
    #7
  8. Another mistake I made, this is the exception that actually gets raised
    with the following code:

    "could not lookup DNS configuration info service: Permission denied
    /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:560:in
    `initialize': getaddrinfo: nodename nor servname provided, or not known
    (hope:flowof.info robertgleeson$ SocketError)"


    you will need to require 'open-uri' and 'net/http' _before_ you call
    Dia::Sandbox#run because require() will also fail under this sandbox.

    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 23, 2010
    #8
  9. Robert Gleeson

    Josh Cheek Guest

    [Note: parts of this message were removed to make it a legal post.]

    Thanks for the feedback, Robert. I won't be able to play with it for a bit
    because of work, school, and a business project I'm engaged in, but this
    idea has been flirting with me for over a year, and I've been on the lookout
    for a tool like this to make it possible :) I'll definitely sit down and
    play with it (aka see if it can stop my subversity, lol)

    I'm really excited about this, thank you for making it available ^_^

    (lol, I have 6 minutes before I have to leave for school, and I'm looking at
    the clock debating whether I can install and try some of the examples from
    the github page within that time)
    Josh Cheek, Feb 23, 2010
    #9
  10. Josh --

    Let me know how it goes :) If you need any help you can get back to me
    here, or on IRC (irc.freenode.net / "robgleeson")

    Since a child process is spawned by DIa::Sandbox#run, and you want to
    capture a return value from your block i'd suggest using IO.pipe if you
    haven't thought of that already.

    Thanks,
    Rob
    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 24, 2010
    #10
  11. Robert Gleeson

    Josh Cheek Guest

    [Note: parts of this message were removed to make it a legal post.]

    On Wed, Feb 24, 2010 at 12:02 AM, Robert Gleeson <> wrote:

    > Josh --
    >
    > Let me know how it goes :) If you need any help you can get back to me
    > here, or on IRC (irc.freenode.net / "robgleeson")
    >
    > Since a child process is spawned by DIa::Sandbox#run, and you want to
    > capture a return value from your block i'd suggest using IO.pipe if you
    > haven't thought of that already.
    >
    > Thanks,
    > Rob
    > --
    > Posted via http://www.ruby-forum.com/.
    >
    >

    Hi, Robert. I seem to be having difficulty. I tried to hello world, but I'm
    getting a NullPointerError

    http://img341.imageshack.us/img341/3522/picture12nc.png

    I'm using RVM, and tried it with 1.8.6 and 7, and 1.9.1
    I'm on OS X 10.5.6

    When I run it in TextMate, it gives this backtrace
    FFI::NullPointerError: invalid memory read at address=0x0
    method get_string in pointer.rb at line 57
    method read_string in pointer.rb at line 57
    method run in sandbox.rb at line 58
    method fork in sandbox.rb at line 56
    method run in sandbox.rb at line 56
    at top level in test1.rb at line 7


    Here is the code:
    require 'rubygems'
    require 'dia'

    sandbox = Dia::Sandbox.new(Dia::profiles::NO_OS_SERVICES) do
    puts 'hello world'
    end
    sandbox.run
    Josh Cheek, Feb 25, 2010
    #11
  12. Josh Cheek wrote:
    > On Wed, Feb 24, 2010 at 12:02 AM, Robert Gleeson <>
    > wrote:
    >
    >> Rob
    >> --
    >> Posted via http://www.ruby-forum.com/.
    >>
    >>

    > Hi, Robert. I seem to be having difficulty. I tried to hello world, but
    > I'm
    > getting a NullPointerError
    >
    > http://img341.imageshack.us/img341/3522/picture12nc.png
    >
    > I'm using RVM, and tried it with 1.8.6 and 7, and 1.9.1
    > I'm on OS X 10.5.6
    >
    > When I run it in TextMate, it gives this backtrace
    > FFI::NullPointerError: invalid memory read at address=0x0
    > method get_string in pointer.rb at line 57
    > method read_string in pointer.rb at line 57
    > method run in sandbox.rb at line 58
    > method fork in sandbox.rb at line 56
    > method run in sandbox.rb at line 56
    > at top level in test1.rb at line 7
    >
    >


    Hmm, I haven't seen that before but I think I know what it is. I think a
    call to sandbox_init() fails, and then we call #read_string on a NULL
    pointer. It may be the hard-coded value passed as the second argument to
    sandbox_init() causing this. It should be SANDBOX_NAMED.

    I'll work on a patch in the next hour or so(only waking up here), and
    get back to you.

    Sorry for the inconvenience.

    Rob

    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 25, 2010
    #12
  13. Josh --

    I'm not 100% sure if this bug has been fixed or not, but I've made a few
    changes.
    I released Dia 1.4.pre for you to be able to get it easily, so all you
    need to do is:

    gem install dia --pre

    If this doesn't fix your issue maybe you can come on IRC(if you have the
    time) so we can hack on the problem there.

    Thanks,
    Rob

    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 25, 2010
    #13
  14. Robert Gleeson

    Josh Cheek Guest

    [Note: parts of this message were removed to make it a legal post.]

    On Thu, Feb 25, 2010 at 12:19 AM, Robert Gleeson <> wrote:

    > Josh --
    >
    > I'm not 100% sure if this bug has been fixed or not, but I've made a few
    > changes.
    > I released Dia 1.4.pre for you to be able to get it easily, so all you
    > need to do is:
    >
    > gem install dia --pre
    >
    > If this doesn't fix your issue maybe you can come on IRC(if you have the
    > time) so we can hack on the problem there.
    >
    > Thanks,
    > Rob
    >
    > --
    > Posted via http://www.ruby-forum.com/.
    >
    >

    Thanks, Robert. I still get the same error, though. Tomorrow (Thurs), I'll
    be at work between classes. I'll try it out on my work computer and see how
    it goes, and should be able to get on IRC as well.

    -Josh
    Josh Cheek, Feb 25, 2010
    #14
  15. Josh --

    I managed to get a hold of somebody on IRC running 10.5, and it seems
    sandbox_init() fails but it doesn't write an error message. In other
    words, we don't know why the sandbox failed. It "Just did". If you can
    come onto IRC i'd appreciate it so we can try and find a solution.

    irc.freenode.net , with nickname "robgleeson"

    Thanks,
    Rob
    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 25, 2010
    #15
  16. Robert Gleeson

    Josh Cheek Guest

    [Note: parts of this message were removed to make it a legal post.]

    Wanted to say thanks to Robert, who sat down with me and helped resolve the
    issue, everyone can try it out on irc channel flowof.info, type
    rb_eval_str: puts 'hello world'

    And the robot will execute your Ruby in the sandbox, and return the results.
    Really cool stuff!
    Josh Cheek, Feb 25, 2010
    #16
  17. Just a quick update:
    The bug reported by Josh Creek on 10.5 has been fixed in Dia 1.4.pre.2.
    If anyone encounters any problems please get in touch..

    Many thanks Josh :)

    --
    Posted via http://www.ruby-forum.com/.
    Robert Gleeson, Feb 25, 2010
    #17
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    0
    Views:
    466
  2. Hayato Iriumi

    When will Whidbey be released?

    Hayato Iriumi, Feb 12, 2004, in forum: ASP .Net
    Replies:
    11
    Views:
    668
    Matthew
    Apr 6, 2004
  3. Richard

    When will .NET 2 be released?

    Richard, Jun 11, 2005, in forum: ASP .Net
    Replies:
    2
    Views:
    429
    Phil Wright
    Jun 12, 2005
  4. Tom Hawkins

    [ANN] Confluence 0.7.1 Released

    Tom Hawkins, Oct 23, 2003, in forum: VHDL
    Replies:
    0
    Views:
    485
    Tom Hawkins
    Oct 23, 2003
  5. Qauzzix
    Replies:
    3
    Views:
    2,265
    Vesa Köppä
    Jul 27, 2009
Loading...

Share This Page