use Safe;
$sandbox = Safe->new();             # anonymous sandbox
$sandbox = Safe->new("PackName");   # in that symbol table

# Enable or disable opcodes by group or name.
$sandbox->permit(qw(:base_core));
$sandbox->permit_only(qw(:base_core :base_loop :base_mem));
$sandbox->deny("die");

# like do(), but in the sandbox
$ok = $sandbox->rdo($filename);

# like eval(), but in the sandbox
$ok = $sandbox->reval($code);       # without 'use strict'
$ok = $sandbox->reval($code, 1);    # with 'use strict'
The Safe module attempts to provide a restricted environment to protect the rest of the program from dangerous operations. It uses two different strategies to do this.

Much as an anonymous FTP daemon's use of chroot(2) alters the view of the root of the filesystem, creating a compartment object with Safe->new("PackName") alters that compartment's view of its own namespace. The compartment now sees as its root symbol table (main::) the symbol table that the rest of the program sees as PackName::. What looks like Frobnitz:: on the inside of the compartment is really PackName::Frobnitz:: on the outside. If you don't give an argument to the constructor, a random new package name is selected for you.
The second and more important facility that a Safe compartment provides is a way to limit the code that is deemed legal within an eval. You can tweak the allowable opcode set (legal Perl operations) using method calls on your Safe object. Two methods are available to compile code in a Safe compartment: rdo ("restricted do") for files and reval ("restricted eval") for strings. These are like do on a filename and eval on a string, but they execute in a restricted namespace with limited opcodes. The first argument is the filename or string to compile, and the optional second argument is whether the code should be compiled under use strict.
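The following script, added here as an illustration and not part of the original text, shows both strategies at once: a compartment rooted in a package named Jail (an assumed name), an opcode mask restricted with permit_only to the same groups the synopsis above uses, a benign expression that evaluates normally, and a constructed hostile string that is refused at compile time because the open opcode is outside the mask. The final section shows that a variable the sandboxed code believes to be $main::x is really $Jail::x from the outside.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Constructed untrusted input: a harmless arithmetic expression and a
# string that tries to write a file on the host.
my $benign  = '2 * (3 + 4)';
my $hostile = 'open(my $fh, ">", "/tmp/owned.txt"); print $fh "x"; 1';

# Compartment rooted in the Jail:: symbol table (assumed name), allowing
# only the basic core, loop, and memory opcode groups.
my $sandbox = Safe->new("Jail");
$sandbox->permit_only(qw(:base_core :base_loop :base_mem));

# Benign code compiles and runs; the second argument turns on 'use strict'.
my $result = $sandbox->reval($benign, 1);
die "unexpected failure: $@" if $@;
print "benign expression => $result\n";        # prints 14

# Hostile code never runs: reval returns undef and $@ names the opcode
# that the operation mask rejected (open is in :filesys_open, not in
# any group permitted above).
my $out = $sandbox->reval($hostile, 1);
if (!defined $out && $@) {
    print "hostile string refused: $@";
    # e.g. 'open' trapped by operation mask at (eval 2) line 1.
}

# Namespace isolation: inside the compartment main:: is really Jail::,
# so an assignment to $x lands in $Jail::x as seen from outside, and the
# caller's own $main::x is untouched. (Compiled without strict so the
# unqualified $x is legal.)
our $x = "outside";
$sandbox->reval('$x = 42;');
die "reval failed: $@" if $@;
{
    no warnings 'once';
    print "caller's \$main::x = $x, compartment's \$Jail::x = $Jail::x\n";
}
```

Trapped opcodes fail at compile time, so a sandboxed string containing a forbidden operation anywhere in it is rejected as a whole rather than running up to the offending statement; always check $@ after reval or rdo, since both return undef on failure.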
This module is scheduled for a rewrite (we intend to isolate the sandbox into a different interpreter thread for additional safety), so be sure to check the Safe manpage for updates. See also Chapter 23.