<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"/><meta name="viewport" content="width=device-width, initial-scale=0.8"/><title>15.4&nbsp;Code Inspectors for Trusted and Untrusted Code</title><link rel="stylesheet" type="text/css" href="../scribble.css" title="default"/><link rel="stylesheet" type="text/css" href="../racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-style.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../manual-racket.css" title="default"/><link rel="stylesheet" type="text/css" href="../doc-site.css" title="default"/><script type="text/javascript" src="../scribble-common.js"></script><script type="text/javascript" src="../manual-racket.js"></script><script type="text/javascript" src="../manual-racket.js"></script><script type="text/javascript" src="../doc-site.js"></script><script type="text/javascript" src="../local-redirect/local-redirect.js"></script><script type="text/javascript" src="../local-redirect/local-user-redirect.js"></script><!--[if IE 6]><style type="text/css">.SIEHidden { overflow: hidden; }</style><![endif]--></head><body id="doc-racket-lang-org"><div class="tocset"><div class="tocview"><div class="tocviewlist tocviewlisttopspace"><div class="tocviewtitle"><table cellspacing="0" cellpadding="0"><tr><td style="width: 1em;"><a href="javascript:void(0);" title="Expand/Collapse" class="tocviewtoggle" onclick="TocviewToggle(this,&quot;tocview_0&quot;);">&#9658;</a></td><td></td><td><a href="index.html" class="tocviewlink" data-pltdoc="x">The Racket Guide</a></td></tr></table></div><div class="tocviewsublisttop" style="display: none;" id="tocview_0"><table cellspacing="0" cellpadding="0"><tr><td align="right">1&nbsp;</td><td><a href="intro.html" class="tocviewlink" data-pltdoc="x">Welcome to Racket</a></td></tr><tr><td align="right">2&nbsp;</td><td><a href="to-scheme.html" 
class="tocviewlink" data-pltdoc="x">Racket Essentials</a></td></tr><tr><td align="right">3&nbsp;</td><td><a href="datatypes.html" class="tocviewlink" data-pltdoc="x">Built-<wbr></wbr>In Datatypes</a></td></tr><tr><td align="right">4&nbsp;</td><td><a href="scheme-forms.html" class="tocviewlink" data-pltdoc="x">Expressions and Definitions</a></td></tr><tr><td align="right">5&nbsp;</td><td><a href="define-struct.html" class="tocviewlink" data-pltdoc="x">Programmer-<wbr></wbr>Defined Datatypes</a></td></tr><tr><td align="right">6&nbsp;</td><td><a href="modules.html" class="tocviewlink" data-pltdoc="x">Modules</a></td></tr><tr><td align="right">7&nbsp;</td><td><a href="contracts.html" class="tocviewlink" data-pltdoc="x">Contracts</a></td></tr><tr><td align="right">8&nbsp;</td><td><a href="i_o.html" class="tocviewlink" data-pltdoc="x">Input and Output</a></td></tr><tr><td align="right">9&nbsp;</td><td><a href="regexp.html" class="tocviewlink" data-pltdoc="x">Regular Expressions</a></td></tr><tr><td align="right">10&nbsp;</td><td><a href="control.html" class="tocviewlink" data-pltdoc="x">Exceptions and Control</a></td></tr><tr><td align="right">11&nbsp;</td><td><a href="for.html" class="tocviewlink" data-pltdoc="x">Iterations and Comprehensions</a></td></tr><tr><td align="right">12&nbsp;</td><td><a href="match.html" class="tocviewlink" data-pltdoc="x">Pattern Matching</a></td></tr><tr><td align="right">13&nbsp;</td><td><a href="classes.html" class="tocviewlink" data-pltdoc="x">Classes and Objects</a></td></tr><tr><td align="right">14&nbsp;</td><td><a href="units.html" class="tocviewlink" data-pltdoc="x">Units</a></td></tr><tr><td align="right">15&nbsp;</td><td><a href="reflection.html" class="tocviewselflink" data-pltdoc="x">Reflection and Dynamic Evaluation</a></td></tr><tr><td align="right">16&nbsp;</td><td><a href="macros.html" class="tocviewlink" data-pltdoc="x">Macros</a></td></tr><tr><td align="right">17&nbsp;</td><td><a href="languages.html" class="tocviewlink" 
data-pltdoc="x">Creating Languages</a></td></tr><tr><td align="right">18&nbsp;</td><td><a href="concurrency.html" class="tocviewlink" data-pltdoc="x">Concurrency and Synchronization</a></td></tr><tr><td align="right">19&nbsp;</td><td><a href="performance.html" class="tocviewlink" data-pltdoc="x">Performance</a></td></tr><tr><td align="right">20&nbsp;</td><td><a href="parallelism.html" class="tocviewlink" data-pltdoc="x">Parallelism</a></td></tr><tr><td align="right">21&nbsp;</td><td><a href="running.html" class="tocviewlink" data-pltdoc="x">Running and Creating Executables</a></td></tr><tr><td align="right">22&nbsp;</td><td><a href="More_Libraries.html" class="tocviewlink" data-pltdoc="x">More Libraries</a></td></tr><tr><td align="right">23&nbsp;</td><td><a href="dialects.html" class="tocviewlink" data-pltdoc="x">Dialects of Racket and Scheme</a></td></tr><tr><td align="right">24&nbsp;</td><td><a href="other-editors.html" class="tocviewlink" data-pltdoc="x">Command-<wbr></wbr>Line Tools and Your Editor of Choice</a></td></tr><tr><td align="right"></td><td><a href="doc-bibliography.html" class="tocviewlink" data-pltdoc="x">Bibliography</a></td></tr><tr><td align="right"></td><td><a href="doc-index.html" class="tocviewlink" data-pltdoc="x">Index</a></td></tr></table></div></div><div class="tocviewlist"><table cellspacing="0" cellpadding="0"><tr><td style="width: 1em;"><a href="javascript:void(0);" title="Expand/Collapse" class="tocviewtoggle" onclick="TocviewToggle(this,&quot;tocview_1&quot;);">&#9660;</a></td><td>15&nbsp;</td><td><a href="reflection.html" class="tocviewlink" data-pltdoc="x">Reflection and Dynamic Evaluation</a></td></tr></table><div class="tocviewsublistbottom" style="display: block;" id="tocview_1"><table cellspacing="0" cellpadding="0"><tr><td align="right">15.1&nbsp;</td><td><a href="eval.html" class="tocviewlink" data-pltdoc="x"><span class="RktSym"><span class="RktValLink">eval</span></span></a></td></tr><tr><td 
align="right">15.2&nbsp;</td><td><a href="mk-namespace.html" class="tocviewlink" data-pltdoc="x">Manipulating Namespaces</a></td></tr><tr><td align="right">15.3&nbsp;</td><td><a href="load.html" class="tocviewlink" data-pltdoc="x">Scripting Evaluation and Using <span class="RktSym"><span class="RktValLink">load</span></span></a></td></tr><tr><td align="right">15.4&nbsp;</td><td><a href="code-inspectors_protect.html" class="tocviewselflink" data-pltdoc="x">Code Inspectors for Trusted and Untrusted Code</a></td></tr></table></div></div></div></div><div class="maincolumn"><div class="main"><div class="navsettop"><span class="navleft"><form class="searchform"><input class="searchbox" id="searchbox" type="text" tabindex="1" placeholder="...search manuals..." title="Enter a search string to search the manuals" onkeypress="return DoSearchKey(event, this, &quot;8.6&quot;, &quot;../&quot;);"/></form>&nbsp;&nbsp;<a href="https://docs.racket-lang.org/index.html" title="up to the documentation top" data-pltdoc="x" onclick="return GotoPLTRoot(&quot;8.6&quot;);">top</a><span class="tocsettoggle">&nbsp;&nbsp;<a href="javascript:void(0);" title="show/hide table of contents" onclick="TocsetToggle();">contents</a></span></span><span class="navright">&nbsp;&nbsp;<a href="load.html" title="backward to &quot;15.3 Scripting Evaluation and Using load&quot;" data-pltdoc="x">&larr; prev</a>&nbsp;&nbsp;<a href="reflection.html" title="up to &quot;15 Reflection and Dynamic Evaluation&quot;" data-pltdoc="x">up</a>&nbsp;&nbsp;<a href="macros.html" title="forward to &quot;16 Macros&quot;" data-pltdoc="x">next &rarr;</a></span>&nbsp;</div><h4 x-source-module="(lib &quot;scribblings/guide/guide.scrbl&quot;)" x-source-pkg="racket-doc" x-part-tag="&quot;code-inspectors+protect&quot;">15.4<tt>&nbsp;</tt><a name="(part._code-inspectors+protect)"></a>Code Inspectors for Trusted and Untrusted Code</h4><p><a name="(tech._code._inspector)"></a><span style="font-style: italic">Code inspectors</span> 
provide the mechanism for determining which
modules are trusted to use functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=Namespaces.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._module-%7E3enamespace%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">module-&gt;namespace</a></span>
or unsafe modules like <span class="RktSym">ffi/unsafe</span>. When a module is declared,
the value of <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span> is associated with the
module declaration. When a module is instantiated (i.e., when the body
of the declaration is actually executed), a sub-inspector is created
to guard the module&rsquo;s exports. Access to the module&rsquo;s <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a>
exports requires a code inspector that is stronger (i.e., higher in
the inspector hierarchy) than the module&rsquo;s instantiation inspector;
note that a module&rsquo;s declaration inspector is always stronger than its
instantiation inspector, so modules that are declared with the same code
inspector can access each other&rsquo;s exports.</p><p>To distinguish between trusted and untrusted code, load trusted code
first, then set <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span> to the result of
<span class="RktPn">(</span><span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=inspectors.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._make-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">make-inspector</a></span><span class="stt"> </span><span class="RktPn">(</span><span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=modprotect.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._current-code-inspector%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">current-code-inspector</a></span><span class="RktPn">)</span><span class="RktPn">)</span> to install a weaker
inspector, and finally load untrusted code with the weaker inspector
in place. The weaker inspector should stay in place when any untrusted
code is run. If necessary, trusted code can restore the original
inspector temporarily during the dynamic extent of trusted code (as
long as it does not call back into untrusted code).</p><p>Syntax-object constants within a module, such as literal identifiers
in a template, retain the inspector of their source module. In this
way, a macro from a trusted module can be used within an untrusted
module, and <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a> identifiers in the macro expansion still
work, even though they ultimately appear in an untrusted module. To
prevent abuse of identifiers by extracting them from expanded code,
functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=stxtrans.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._local-expand%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">local-expand</a></span> are <a href="protect-out.html#%28tech._protected%29" class="techoutside" data-pltdoc="x"><span class="techinside">protected</span></a>, and
functions like <span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=Expanding_Top-Level_Forms.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._expand%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">expand</a></span> return <a href="stx-certs.html#%28tech._tainted%29" class="techoutside" data-pltdoc="x"><span class="techinside">tainted</span></a> syntax if not
given a sufficiently powerful inspector.</p><p>Compiled code from a <span class="stt">".zo"</span> file is inherently untrustworthy,
unfortunately, since it can be synthesized by means other than
<span class="RktSym"><a href="https://download.racket-lang.org/releases/8.6/doc/local-redirect/index.html?doc=reference&amp;rel=eval.html%23%2528def._%2528%2528quote._%7E23%7E25kernel%2529._compile%2529%2529&amp;version=8.6" class="RktValLink Sq" data-pltdoc="x">compile</a></span>. When compiled code is written to a <span class="stt">".zo"</span>
file, syntax-object constants within the compiled code lose their
inspectors. All syntax-object constants within compiled code acquire
the enclosing module&rsquo;s declaration-time inspector when the code is
loaded.</p></div></div><div id="contextindicator">&nbsp;</div></body></html>
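The load order described in this section, as an added example that is not part of the Racket Guide: trusted modules are declared under the original inspector, then untrusted ones under a weaker sub-inspector. The module names vault, admin, plugin and widget and the helper declare! are hypothetical.

```racket
#lang racket/base
;; Added example, not from the Racket Guide. The module names (vault, admin,
;; plugin, widget) and the helper declare! are hypothetical.
(define ns (make-base-namespace))
(define original (current-code-inspector))
(define weaker (make-inspector original)) ; sub-inspector, so less powerful

;; Declare a module in `ns` with `insp` as the current code inspector.
;; Returns 'declared, or the error message if the declaration is rejected.
(define (declare! insp form)
  (with-handlers ([exn:fail? exn-message])
    (parameterize ([current-namespace ns] [current-code-inspector insp])
      (eval form)
      'declared)))

;; 1. Trusted code is loaded first, under the original inspector.
(define vault-result
  (declare! original
            '(module vault racket/base
               (provide describe (protect-out unlock))
               (define (describe) "vault: locked")
               (define (unlock) "vault: contents (constructed value)"))))
;; admin shares vault's declaration inspector, so it may call `unlock`.
(define admin-result
  (declare! original
            '(module admin racket/base
               (require 'vault)
               (provide report)
               (define (report) (unlock)))))
(define report
  (parameterize ([current-namespace ns])
    (dynamic-require ''admin 'report)))

;; 2. Untrusted code is declared with the weaker inspector in place.
(define plugin-result ; refers to the protected export: expected to be rejected
  (declare! weaker '(module plugin racket/base
                      (require 'vault)
                      (unlock))))
(define widget-result ; uses only the unprotected export: accepted
  (declare! weaker '(module widget racket/base
                      (require 'vault)
                      (provide status)
                      (define (status) (describe)))))

;; 3. The weaker inspector stays in place while untrusted code runs.
(parameterize ([current-namespace ns] [current-code-inspector weaker])
  (printf "trusted: ~a ~a\n" vault-result admin-result)
  (printf "plugin:  ~a\n" plugin-result)
  (printf "widget:  ~a, ~a\n" widget-result ((dynamic-require ''widget 'status)))
  (printf "admin:   ~a\n" (report)))
```

Untrusted code reaches the protected value only through the trusted wrapper `report`, which was obtained while the original inspector was in place; the host keeps `original` private so untrusted code cannot reinstall it.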