xref: /openbsd/gnu/usr.bin/perl/dist/Safe/Safe.pm (revision a6445c1d) 
1package Safe;
2
3use 5.003_11;
4use Scalar::Util qw(reftype refaddr);
5
6$Safe::VERSION = "2.37";
7
8# *** Don't declare any lexicals above this point ***
9#
10# This function should return a closure which contains an eval that can't
11# see any lexicals in scope (apart from __ExPr__ which is unavoidable)
12
13sub lexless_anon_sub {
14                 # $_[0] is package;
15                 # $_[1] is strict flag;
16    my $__ExPr__ = $_[2];   # must be a lexical to create the closure that
17                            # can be used to pass the value into the safe
18                            # world
19
20    # Create anon sub ref in root of compartment.
21    # Uses a closure (on $__ExPr__) to pass in the code to be executed.
22    # (eval on one line to keep line numbers as expected by caller)
23    eval sprintf
24    'package %s; %s sub { @_=(); eval q[local *SIG; my $__ExPr__;] . $__ExPr__; }',
25                $_[0], $_[1] ? 'use strict;' : '';
26}
27
28use strict;
29use Carp;
30BEGIN { eval q{
31    use Carp::Heavy;
32} }
33
34use B ();
35BEGIN {
36    no strict 'refs';
37    if (defined &B::sub_generation) {
38        *sub_generation = \&B::sub_generation;
39    }
40    else {
41        # fake sub generation changing for perls < 5.8.9
42        my $sg; *sub_generation = sub { ++$sg };
43    }
44}
45
46use Opcode 1.01, qw(
47    opset opset_to_ops opmask_add
48    empty_opset full_opset invert_opset verify_opset
49    opdesc opcodes opmask define_optag opset_to_hex
50);
51
52*ops_to_opset = \&opset;   # Temporary alias for old Penguins
53
54# Regular expressions and other unicode-aware code may need to call
55# utf8->SWASHNEW (via perl's utf8.c).  That will fail unless we share the
56# SWASHNEW method.
57# Sadly we can't just add utf8::SWASHNEW to $default_share because perl's
58# utf8.c code does a fetchmethod on SWASHNEW to check if utf8.pm is loaded,
59# and sharing makes it look like the method exists.
60# The simplest and most robust fix is to ensure the utf8 module is loaded when
61# Safe is loaded. Then we can add utf8::SWASHNEW to $default_share.
62require utf8;
63# we must ensure that utf8_heavy.pl, where SWASHNEW is defined, is loaded
64# but without depending on too much knowledge of that implementation detail.
65# This code (//i on a unicode string) should ensure utf8 is fully loaded
66# and also loads the ToFold SWASH, unless things change so that these
67# particular code points don't cause it to load.
68# (Swashes are cached internally by perl in PL_utf8_* variables
69# independent of being inside/outside of Safe. So once loaded they can be)
70do { my $a = pack('U',0x100); my $b = chr 0x101; utf8::upgrade $b; $a =~ /$b/i };
71# now we can safely include utf8::SWASHNEW in $default_share defined below.
72
73my $default_root  = 0;
74# share *_ and functions defined in universal.c
75# Don't share stuff like *UNIVERSAL:: otherwise code from the
76# compartment can 0wn functions in UNIVERSAL
77my $default_share = [qw[
78    *_
79    &PerlIO::get_layers
80    &UNIVERSAL::isa
81    &UNIVERSAL::can
82    &UNIVERSAL::VERSION
83    &utf8::is_utf8
84    &utf8::valid
85    &utf8::encode
86    &utf8::decode
87    &utf8::upgrade
88    &utf8::downgrade
89    &utf8::native_to_unicode
90    &utf8::unicode_to_native
91    &utf8::SWASHNEW
92    $version::VERSION
93    $version::CLASS
94    $version::STRICT
95    $version::LAX
96    @version::ISA
97], ($] < 5.010 && qw[
98    &utf8::SWASHGET
99]), ($] >= 5.008001 && qw[
100    &Regexp::DESTROY
101]), ($] >= 5.010 && qw[
102    &re::is_regexp
103    &re::regname
104    &re::regnames
105    &re::regnames_count
106    &UNIVERSAL::DOES
107    &version::()
108    &version::new
109    &version::(""
110    &version::stringify
111    &version::(0+
112    &version::numify
113    &version::normal
114    &version::(cmp
115    &version::(<=>
116    &version::vcmp
117    &version::(bool
118    &version::boolean
119    &version::(nomethod
120    &version::noop
121    &version::is_alpha
122    &version::qv
123    &version::vxs::declare
124    &version::vxs::qv
125    &version::vxs::_VERSION
126    &version::vxs::stringify
127    &version::vxs::new
128    &version::vxs::parse
129    &version::vxs::VCMP
130]), ($] >= 5.011 && qw[
131    &re::regexp_pattern
132]), ($] >= 5.010 && $] < 5.014 && qw[
133    &Tie::Hash::NamedCapture::FETCH
134    &Tie::Hash::NamedCapture::STORE
135    &Tie::Hash::NamedCapture::DELETE
136    &Tie::Hash::NamedCapture::CLEAR
137    &Tie::Hash::NamedCapture::EXISTS
138    &Tie::Hash::NamedCapture::FIRSTKEY
139    &Tie::Hash::NamedCapture::NEXTKEY
140    &Tie::Hash::NamedCapture::SCALAR
141    &Tie::Hash::NamedCapture::flags
142])];
143if (defined $Devel::Cover::VERSION) {
144    push @$default_share, '&Devel::Cover::use_file';
145}
146
147sub new {
148    my($class, $root, $mask) = @_;
149    my $obj = {};
150    bless $obj, $class;
151
152    if (defined($root)) {
153        croak "Can't use \"$root\" as root name"
154            if $root =~ /^main\b/ or $root !~ /^\w[:\w]*$/;
155        $obj->{Root}  = $root;
156        $obj->{Erase} = 0;
157    }
158    else {
159        $obj->{Root}  = "Safe::Root".$default_root++;
160        $obj->{Erase} = 1;
161    }
162
163    # use permit/deny methods instead till interface issues resolved
164    # XXX perhaps new Safe 'Root', mask => $mask, foo => bar, ...;
165    croak "Mask parameter to new no longer supported" if defined $mask;
166    $obj->permit_only(':default');
167
168    # We must share $_ and @_ with the compartment or else ops such
169    # as split, length and so on won't default to $_ properly, nor
170    # will passing argument to subroutines work (via @_). In fact,
171    # for reasons I don't completely understand, we need to share
172    # the whole glob *_ rather than $_ and @_ separately, otherwise
173    # @_ in non default packages within the compartment don't work.
174    $obj->share_from('main', $default_share);
175
176    Opcode::_safe_pkg_prep($obj->{Root}) if($Opcode::VERSION > 1.04);
177
178    return $obj;
179}
180
181sub DESTROY {
182    my $obj = shift;
183    $obj->erase('DESTROY') if $obj->{Erase};
184}
185
186sub erase {
187    my ($obj, $action) = @_;
188    my $pkg = $obj->root();
189    my ($stem, $leaf);
190
191    no strict 'refs';
192    $pkg = "main::$pkg\::";     # expand to full symbol table name
193    ($stem, $leaf) = $pkg =~ m/(.*::)(\w+::)$/;
194
195    # The 'my $foo' is needed! Without it you get an
196    # 'Attempt to free unreferenced scalar' warning!
197    my $stem_symtab = *{$stem}{HASH};
198
199    #warn "erase($pkg) stem=$stem, leaf=$leaf";
200    #warn " stem_symtab hash ".scalar(%$stem_symtab)."\n";
201    # ", join(', ', %$stem_symtab),"\n";
202
203#    delete $stem_symtab->{$leaf};
204
205    my $leaf_glob   = $stem_symtab->{$leaf};
206    my $leaf_symtab = *{$leaf_glob}{HASH};
207#    warn " leaf_symtab ", join(', ', %$leaf_symtab),"\n";
208    %$leaf_symtab = ();
209    #delete $leaf_symtab->{'__ANON__'};
210    #delete $leaf_symtab->{'foo'};
211    #delete $leaf_symtab->{'main::'};
212#    my $foo = undef ${"$stem\::"}{"$leaf\::"};
213
214    if ($action and $action eq 'DESTROY') {
215        delete $stem_symtab->{$leaf};
216    } else {
217        $obj->share_from('main', $default_share);
218    }
219    1;
220}
221
222
223sub reinit {
224    my $obj= shift;
225    $obj->erase;
226    $obj->share_redo;
227}
228
229sub root {
230    my $obj = shift;
231    croak("Safe root method now read-only") if @_;
232    return $obj->{Root};
233}
234
235
236sub mask {
237    my $obj = shift;
238    return $obj->{Mask} unless @_;
239    $obj->deny_only(@_);
240}
241
242# v1 compatibility methods
243sub trap   { shift->deny(@_)   }
244sub untrap { shift->permit(@_) }
245
246sub deny {
247    my $obj = shift;
248    $obj->{Mask} |= opset(@_);
249}
250sub deny_only {
251    my $obj = shift;
252    $obj->{Mask} = opset(@_);
253}
254
255sub permit {
256    my $obj = shift;
257    # XXX needs testing
258    $obj->{Mask} &= invert_opset opset(@_);
259}
260sub permit_only {
261    my $obj = shift;
262    $obj->{Mask} = invert_opset opset(@_);
263}
264
265
266sub dump_mask {
267    my $obj = shift;
268    print opset_to_hex($obj->{Mask}),"\n";
269}
270
271
272sub share {
273    my($obj, @vars) = @_;
274    $obj->share_from(scalar(caller), \@vars);
275}
276
277
278sub share_from {
279    my $obj = shift;
280    my $pkg = shift;
281    my $vars = shift;
282    my $no_record = shift || 0;
283    my $root = $obj->root();
284    croak("vars not an array ref") unless ref $vars eq 'ARRAY';
285    no strict 'refs';
286    # Check that 'from' package actually exists
287    croak("Package \"$pkg\" does not exist")
288        unless keys %{"$pkg\::"};
289    my $arg;
290    foreach $arg (@$vars) {
291        # catch some $safe->share($var) errors:
292        my ($var, $type);
293        $type = $1 if ($var = $arg) =~ s/^(\W)//;
294        # warn "share_from $pkg $type $var";
295        for (1..2) { # assign twice to avoid any 'used once' warnings
296            *{$root."::$var"} = (!$type)   ? \&{$pkg."::$var"}
297                          : ($type eq '&') ? \&{$pkg."::$var"}
298                          : ($type eq '$') ? \${$pkg."::$var"}
299                          : ($type eq '@') ? \@{$pkg."::$var"}
300                          : ($type eq '%') ? \%{$pkg."::$var"}
301                          : ($type eq '*') ?  *{$pkg."::$var"}
302                          : croak(qq(Can't share "$type$var" of unknown type));
303        }
304    }
305    $obj->share_record($pkg, $vars) unless $no_record or !$vars;
306}
307
308
309sub share_record {
310    my $obj = shift;
311    my $pkg = shift;
312    my $vars = shift;
313    my $shares = \%{$obj->{Shares} ||= {}};
314    # Record shares using keys of $obj->{Shares}. See reinit.
315    @{$shares}{@$vars} = ($pkg) x @$vars if @$vars;
316}
317
318
319sub share_redo {
320    my $obj = shift;
321    my $shares = \%{$obj->{Shares} ||= {}};
322    my($var, $pkg);
323    while(($var, $pkg) = each %$shares) {
324        # warn "share_redo $pkg\:: $var";
325        $obj->share_from($pkg,  [ $var ], 1);
326    }
327}
328
329
330sub share_forget {
331    delete shift->{Shares};
332}
333
334
335sub varglob {
336    my ($obj, $var) = @_;
337    no strict 'refs';
338    return *{$obj->root()."::$var"};
339}
340
341sub _clean_stash {
342    my ($root, $saved_refs) = @_;
343    $saved_refs ||= [];
344    no strict 'refs';
345    foreach my $hook (qw(DESTROY AUTOLOAD), grep /^\(/, keys %$root) {
346        push @$saved_refs, \*{$root.$hook};
347        delete ${$root}{$hook};
348    }
349
350    for (grep /::$/, keys %$root) {
351        next if \%{$root.$_} eq \%$root;
352        _clean_stash($root.$_, $saved_refs);
353    }
354}
355
356sub reval {
357    my ($obj, $expr, $strict) = @_;
358    die "Bad Safe object" unless $obj->isa('Safe');
359
360    my $root = $obj->{Root};
361
362    my $evalsub = lexless_anon_sub($root, $strict, $expr);
363    # propagate context
364    my $sg = sub_generation();
365    my @subret = (wantarray)
366               ?        Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
367               : scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
368    _clean_stash($root.'::') if $sg != sub_generation();
369    $obj->wrap_code_refs_within(@subret);
370    return (wantarray) ? @subret : $subret[0];
371}
372
373my %OID;
374
375sub wrap_code_refs_within {
376    my $obj = shift;
377
378    %OID = ();
379    $obj->_find_code_refs('wrap_code_ref', @_);
380}
381
382
383sub _find_code_refs {
384    my $obj = shift;
385    my $visitor = shift;
386
387    for my $item (@_) {
388        my $reftype = $item && reftype $item
389            or next;
390
391        # skip references already seen
392        next if ++$OID{refaddr $item} > 1;
393
394        if ($reftype eq 'ARRAY') {
395            $obj->_find_code_refs($visitor, @$item);
396        }
397        elsif ($reftype eq 'HASH') {
398            $obj->_find_code_refs($visitor, values %$item);
399        }
400        # XXX GLOBs?
401        elsif ($reftype eq 'CODE') {
402            $item = $obj->$visitor($item);
403        }
404    }
405}
406
407
408sub wrap_code_ref {
409    my ($obj, $sub) = @_;
410    die "Bad safe object" unless $obj->isa('Safe');
411
412    # wrap code ref $sub with _safe_call_sv so that, when called, the
413    # execution will happen with the compartment fully 'in effect'.
414
415    croak "Not a CODE reference"
416        if reftype $sub ne 'CODE';
417
418    my $ret = sub {
419        my @args = @_; # lexical to close over
420        my $sub_with_args = sub { $sub->(@args) };
421
422        my @subret;
423        my $error;
424        do {
425            local $@;  # needed due to perl_call_sv(sv, G_EVAL|G_KEEPERR)
426            my $sg = sub_generation();
427            @subret = (wantarray)
428                ?        Opcode::_safe_call_sv($obj->{Root}, $obj->{Mask}, $sub_with_args)
429                : scalar Opcode::_safe_call_sv($obj->{Root}, $obj->{Mask}, $sub_with_args);
430            $error = $@;
431            _clean_stash($obj->{Root}.'::') if $sg != sub_generation();
432        };
433        if ($error) { # rethrow exception
434            $error =~ s/\t\(in cleanup\) //; # prefix added by G_KEEPERR
435            die $error;
436        }
437        return (wantarray) ? @subret : $subret[0];
438    };
439
440    return $ret;
441}
442
443
444sub rdo {
445    my ($obj, $file) = @_;
446    die "Bad Safe object" unless $obj->isa('Safe');
447
448    my $root = $obj->{Root};
449
450    my $sg = sub_generation();
451    my $evalsub = eval
452            sprintf('package %s; sub { @_ = (); do $file }', $root);
453    my @subret = (wantarray)
454               ?        Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
455               : scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
456    _clean_stash($root.'::') if $sg != sub_generation();
457    $obj->wrap_code_refs_within(@subret);
458    return (wantarray) ? @subret : $subret[0];
459}
460
461
4621;
463
464__END__
465
466=head1 NAME
467
468Safe - Compile and execute code in restricted compartments
469
470=head1 SYNOPSIS
471
472  use Safe;
473
474  $compartment = new Safe;
475
476  $compartment->permit(qw(time sort :browse));
477
478  $result = $compartment->reval($unsafe_code);
479
480=head1 DESCRIPTION
481
482The Safe extension module allows the creation of compartments
483in which perl code can be evaluated. Each compartment has
484
485=over 8
486
487=item a new namespace
488
489The "root" of the namespace (i.e. "main::") is changed to a
490different package and code evaluated in the compartment cannot
491refer to variables outside this namespace, even with run-time
492glob lookups and other tricks.
493
494Code which is compiled outside the compartment can choose to place
495variables into (or I<share> variables with) the compartment's namespace
496and only that data will be visible to code evaluated in the
497compartment.
498
499By default, the only variables shared with compartments are the
500"underscore" variables $_ and @_ (and, technically, the less frequently
501used %_, the _ filehandle and so on). This is because otherwise perl
502operators which default to $_ will not work and neither will the
503assignment of arguments to @_ on subroutine entry.
504
505=item an operator mask
506
507Each compartment has an associated "operator mask". Recall that
508perl code is compiled into an internal format before execution.
509Evaluating perl code (e.g. via "eval" or "do 'file'") causes
510the code to be compiled into an internal format and then,
511provided there was no error in the compilation, executed.
512Code evaluated in a compartment compiles subject to the
513compartment's operator mask. Attempting to evaluate code in a
514compartment which contains a masked operator will cause the
515compilation to fail with an error. The code will not be executed.
516
517The default operator mask for a newly created compartment is
518the ':default' optag.
519
520It is important that you read the L<Opcode> module documentation
521for more information, especially for detailed definitions of opnames,
522optags and opsets.
523
524Since it is only at the compilation stage that the operator mask
525applies, controlled access to potentially unsafe operations can
526be achieved by having a handle to a wrapper subroutine (written
527outside the compartment) placed into the compartment. For example,
528
529    $cpt = new Safe;
530    sub wrapper {
531      # vet arguments and perform potentially unsafe operations
532    }
533    $cpt->share('&wrapper');
534
535=back
536
537
538=head1 WARNING
539
540The authors make B<no warranty>, implied or otherwise, about the
541suitability of this software for safety or security purposes.
542
543The authors shall not in any case be liable for special, incidental,
544consequential, indirect or other similar damages arising from the use
545of this software.
546
547Your mileage will vary. If in any doubt B<do not use it>.
548
549
550=head1 METHODS
551
552To create a new compartment, use
553
554    $cpt = new Safe;
555
556Optional argument is (NAMESPACE), where NAMESPACE is the root namespace
557to use for the compartment (defaults to "Safe::Root0", incremented for
558each new compartment).
559
560Note that version 1.00 of the Safe module supported a second optional
561parameter, MASK.  That functionality has been withdrawn pending deeper
562consideration. Use the permit and deny methods described below.
563
564The following methods can then be used on the compartment
565object returned by the above constructor. The object argument
566is implicit in each case.
567
568
569=head2 permit (OP, ...)
570
571Permit the listed operators to be used when compiling code in the
572compartment (in I<addition> to any operators already permitted).
573
574You can list opcodes by names, or use a tag name; see
575L<Opcode/"Predefined Opcode Tags">.
576
577=head2 permit_only (OP, ...)
578
579Permit I<only> the listed operators to be used when compiling code in
580the compartment (I<no> other operators are permitted).
581
582=head2 deny (OP, ...)
583
584Deny the listed operators from being used when compiling code in the
585compartment (other operators may still be permitted).
586
587=head2 deny_only (OP, ...)
588
589Deny I<only> the listed operators from being used when compiling code
590in the compartment (I<all> other operators will be permitted, so you probably
591don't want to use this method).
592
593=head2 trap (OP, ...), untrap (OP, ...)
594
595The trap and untrap methods are synonyms for deny and permit
596respectfully.
597
598=head2 share (NAME, ...)
599
600This shares the variable(s) in the argument list with the compartment.
601This is almost identical to exporting variables using the L<Exporter>
602module.
603
604Each NAME must be the B<name> of a non-lexical variable, typically
605with the leading type identifier included. A bareword is treated as a
606function name.
607
608Examples of legal names are '$foo' for a scalar, '@foo' for an
609array, '%foo' for a hash, '&foo' or 'foo' for a subroutine and '*foo'
610for a glob (i.e.  all symbol table entries associated with "foo",
611including scalar, array, hash, sub and filehandle).
612
613Each NAME is assumed to be in the calling package. See share_from
614for an alternative method (which C<share> uses).
615
616=head2 share_from (PACKAGE, ARRAYREF)
617
618This method is similar to share() but allows you to explicitly name the
619package that symbols should be shared from. The symbol names (including
620type characters) are supplied as an array reference.
621
622    $safe->share_from('main', [ '$foo', '%bar', 'func' ]);
623
624Names can include package names, which are relative to the specified PACKAGE.
625So these two calls have the same effect:
626
627    $safe->share_from('Scalar::Util', [ 'reftype' ]);
628    $safe->share_from('main', [ 'Scalar::Util::reftype' ]);
629
630=head2 varglob (VARNAME)
631
632This returns a glob reference for the symbol table entry of VARNAME in
633the package of the compartment. VARNAME must be the B<name> of a
634variable without any leading type marker. For example:
635
636    ${$cpt->varglob('foo')} = "Hello world";
637
638has the same effect as:
639
640    $cpt = new Safe 'Root';
641    $Root::foo = "Hello world";
642
643but avoids the need to know $cpt's package name.
644
645
646=head2 reval (STRING, STRICT)
647
648This evaluates STRING as perl code inside the compartment.
649
650The code can only see the compartment's namespace (as returned by the
651B<root> method). The compartment's root package appears to be the
652C<main::> package to the code inside the compartment.
653
654Any attempt by the code in STRING to use an operator which is not permitted
655by the compartment will cause an error (at run-time of the main program
656but at compile-time for the code in STRING).  The error is of the form
657"'%s' trapped by operation mask...".
658
659If an operation is trapped in this way, then the code in STRING will
660not be executed. If such a trapped operation occurs or any other
661compile-time or return error, then $@ is set to the error message, just
662as with an eval().
663
664If there is no error, then the method returns the value of the last
665expression evaluated, or a return statement may be used, just as with
666subroutines and B<eval()>. The context (list or scalar) is determined
667by the caller as usual.
668
669If the return value of reval() is (or contains) any code reference,
670those code references are wrapped to be themselves executed always
671in the compartment. See L</wrap_code_refs_within>.
672
673The formerly undocumented STRICT argument sets strictness: if true
674'use strict;' is used, otherwise it uses 'no strict;'. B<Note>: if
675STRICT is omitted 'no strict;' is the default.
676
677Some points to note:
678
679If the entereval op is permitted then the code can use eval "..." to
680'hide' code which might use denied ops. This is not a major problem
681since when the code tries to execute the eval it will fail because the
682opmask is still in effect. However this technique would allow clever,
683and possibly harmful, code to 'probe' the boundaries of what is
684possible.
685
686Any string eval which is executed by code executing in a compartment,
687or by code called from code executing in a compartment, will be eval'd
688in the namespace of the compartment. This is potentially a serious
689problem.
690
691Consider a function foo() in package pkg compiled outside a compartment
692but shared with it. Assume the compartment has a root package called
693'Root'. If foo() contains an eval statement like eval '$foo = 1' then,
694normally, $pkg::foo will be set to 1.  If foo() is called from the
695compartment (by whatever means) then instead of setting $pkg::foo, the
696eval will actually set $Root::pkg::foo.
697
698This can easily be demonstrated by using a module, such as the Socket
699module, which uses eval "..." as part of an AUTOLOAD function. You can
700'use' the module outside the compartment and share an (autoloaded)
701function with the compartment. If an autoload is triggered by code in
702the compartment, or by any code anywhere that is called by any means
703from the compartment, then the eval in the Socket module's AUTOLOAD
704function happens in the namespace of the compartment. Any variables
705created or used by the eval'd code are now under the control of
706the code in the compartment.
707
708A similar effect applies to I<all> runtime symbol lookups in code
709called from a compartment but not compiled within it.
710
711=head2 rdo (FILENAME)
712
713This evaluates the contents of file FILENAME inside the compartment.
714See above documentation on the B<reval> method for further details.
715
716=head2 root (NAMESPACE)
717
718This method returns the name of the package that is the root of the
719compartment's namespace.
720
721Note that this behaviour differs from version 1.00 of the Safe module
722where the root module could be used to change the namespace. That
723functionality has been withdrawn pending deeper consideration.
724
725=head2 mask (MASK)
726
727This is a get-or-set method for the compartment's operator mask.
728
729With no MASK argument present, it returns the current operator mask of
730the compartment.
731
732With the MASK argument present, it sets the operator mask for the
733compartment (equivalent to calling the deny_only method).
734
735=head2 wrap_code_ref (CODEREF)
736
737Returns a reference to an anonymous subroutine that, when executed, will call
738CODEREF with the Safe compartment 'in effect'.  In other words, with the
739package namespace adjusted and the opmask enabled.
740
741Note that the opmask doesn't affect the already compiled code, it only affects
742any I<further> compilation that the already compiled code may try to perform.
743
744This is particularly useful when applied to code references returned from reval().
745
746(It also provides a kind of workaround for RT#60374: "Safe.pm sort {} bug with
747-Dusethreads". See L<http://rt.perl.org/rt3//Public/Bug/Display.html?id=60374>
748for I<much> more detail.)
749
750=head2 wrap_code_refs_within (...)
751
752Wraps any CODE references found within the arguments by replacing each with the
753result of calling L</wrap_code_ref> on the CODE reference. Any ARRAY or HASH
754references in the arguments are inspected recursively.
755
756Returns nothing.
757
758=head1 RISKS
759
760This section is just an outline of some of the things code in a compartment
761might do (intentionally or unintentionally) which can have an effect outside
762the compartment.
763
764=over 8
765
766=item Memory
767
768Consuming all (or nearly all) available memory.
769
770=item CPU
771
772Causing infinite loops etc.
773
774=item Snooping
775
776Copying private information out of your system. Even something as
777simple as your user name is of value to others. Much useful information
778could be gleaned from your environment variables for example.
779
780=item Signals
781
782Causing signals (especially SIGFPE and SIGALARM) to affect your process.
783
784Setting up a signal handler will need to be carefully considered
785and controlled.  What mask is in effect when a signal handler
786gets called?  If a user can get an imported function to get an
787exception and call the user's signal handler, does that user's
788restricted mask get re-instated before the handler is called?
789Does an imported handler get called with its original mask or
790the user's one?
791
792=item State Changes
793
794Ops such as chdir obviously effect the process as a whole and not just
795the code in the compartment. Ops such as rand and srand have a similar
796but more subtle effect.
797
798=back
799
800=head1 AUTHOR
801
802Originally designed and implemented by Malcolm Beattie.
803
804Reworked to use the Opcode module and other changes added by Tim Bunce.
805
806Currently maintained by the Perl 5 Porters, <perl5-porters@perl.org>.
807
808=cut
809
810