Question and proposal: Can D be used to compile and run untrusted plug-ins?
Brian Callahan
bcallah at openbsd.org
Tue Dec 7 19:31:46 UTC 2021
On Saturday, 4 December 2021 at 11:33:21 UTC, Moamen Abdelsattar wrote:
> I've recently learned that D functions can be marked as `@safe`,
> which disallows all unsafe operations inside the
> function. My question is: can this feature be used to compile
> and run untrusted D code safely?
> I mean: let's say we have a program written in D or C, and we
> want to allow the user to extend the program by writing
> plug-ins and compiling them into dynamic libraries (like
> Notepad++ plug-ins).
> Now the plug-in can access all system calls and can do
> something malicious, but what if the plug-in is written in D
> and we have something like a `-forceSafe` compiler flag (which is
> the proposal) that will force every function written by the
> user to be `@safe`? Now the user can only import the
> application's API and use it to perform functions and can't
> access the system directly. Is that true?
What you want appears to be similar to the pledge(2) system call
from OpenBSD:
https://man.openbsd.org/pledge.2
It is available on all D compilers, but only when running your
code on OpenBSD.
~Brian
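As an added example (not code from the original post, and not from any D project), here is what calling pledge(2) from a D host program looks like. It assumes OpenBSD: druntime does not ship a pledge binding, so the prototype is declared by hand, and the plug-in entry point, its signature and the names below are hypothetical. The host does its privileged setup first, then narrows the process to the "stdio" promise before handing control to a `@safe` plug-in function; from that point on the kernel, not the D compiler, is what stops the plug-in from reaching other system calls.

```d
// pledge_host.d: added example, not part of the original thread.
// Assumes OpenBSD; on other platforms the pledge call is compiled out.
import std.stdio;
import std.string : toStringz, fromStringz;
import core.stdc.errno : errno;
import core.stdc.string : strerror;
import core.stdc.stdlib : exit;

version (OpenBSD)
{
    // Hand-written prototype for pledge(2), assumed to match the system header:
    //   int pledge(const char *promises, const char *execpromises);
    extern (C) int pledge(const(char)* promises, const(char)* execpromises) @nogc nothrow;
}

/// Narrow what the kernel will permit for the rest of this process.
/// @trusted rather than @safe because it wraps a C call; the only effect
/// is to shrink the syscall surface, so a caller in @safe code may use it.
void dropToPromises(string promises) @trusted
{
    version (OpenBSD)
    {
        if (pledge(promises.toStringz, null) != 0)
        {
            stderr.writefln("pledge(\"%s\") failed: %s", promises,
                            fromStringz(strerror(errno)));
            exit(1);
        }
    }
    else
    {
        stderr.writeln("pledge(2) is not available here; running unrestricted");
    }
}

/// The kind of plug-in entry point the question describes: the host only
/// accepts @safe function pointers, so the plug-in cannot do raw pointer
/// tricks, and after pledge it cannot reach syscalls outside "stdio" either.
alias PluginFn = void function(string input) @safe;

/// Hypothetical plug-in body, standing in for one loaded from a library.
void samplePlugin(string input) @safe
{
    writeln("plugin received: ", input);
}

void main()
{
    // Phase 1: privileged setup. Open config files, bind sockets, and load
    // plug-in libraries here, before pledging. (Assumption: dlopen after a
    // pledge would need extra promises such as "rpath" and "prot_exec".)
    PluginFn plugin = &samplePlugin;

    // Phase 2: give up everything except basic I/O, then run untrusted code.
    dropToPromises("stdio");
    plugin("hello from the host");

    // Any attempt by the plug-in to, say, open /etc/passwd or exec a shell
    // would now be killed by the kernel rather than succeed.
}
```

Promises can only be narrowed, never widened, so the order matters: do all setup that needs files, sockets or dynamic loading before the pledge call, and pledge as late as possible but before the first line of plug-in code runs.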
More information about the Digitalmars-d mailing list