Dear Haskellers,

As some of you may have seen if you have me in one of your circles, I'm working on a webapp where you paste Haskell code and get the GHC Core for it in return. This is all going pretty smoothly, except for one thing.

I must forbid the use of Template Haskell (which allows arbitrary I/O at compile time) and some other nasty extensions (the ability to call out to other binaries -- preprocessors and the like -- among other things). This would be ideal: http://hackage.haskell.org/trac/ghc/wiki/SafeHaskell/SafeCompilation -- but I haven't seen anything about it in HEAD nor in the last releases.

How would you guys go about doing this?

Thanks for taking some time for a fellow Haskeller.
5 comments

Don't rely on safe Haskell alone to save you here: run the compilation in a privilege-limited sandbox.

We never got around to doing safe compilation and I don't know if we ever will at this point. Your best bet is to run the compilation in a sandbox as Gregory suggests. One nice tool (early in development though, so no homepage) is libvirt-sandbox that allows very easy sandboxing of individual commands (https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/) using multiple backend technologies, but LXC should suffice for your needs and offer great performance.

I think +Gregory Collins is spot on. This is precisely why the School of Haskell does almost all user actions in an OS-level sandbox. Even something as simple as type checking can be dangerous due to TH and code formatters.

Thanks for the tips and for the pointers.

+Michael Snoyman I was indeed wondering what trick you guys at fpco were using for SoH. But yeah, I will have to set up some kind of application sandboxing anyway.

+David Terei libvirt-sandbox looks very interesting! I'll read more about it and see how that goes.

Thank you Lukasz for that code -- to be honest I will investigate David's suggestion first, I think; it seems to offer a decently simple solution to this problem, whereas the isolation code you linked will most likely eat much more of my time and keep me from working on other things for this web app.

Alright, I think I have everything I need, thanks again guys.
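The layering the replies recommend, as an added example that is not code from this thread, the School of Haskell or the libvirt-sandbox project: GHC flags switch off Template Haskell, quasi-quotes, CPP and the FFI in the pasted module, while the compiler process itself is run with rlimits, a wall-clock deadline, a scrubbed environment and a scratch directory, inside whatever OS-level container you choose. The flag list, the limit values and the `Main.hs` file name are assumptions to tune for your GHC version and host.

```python
import os
import resource
import subprocess
import tempfile

# Language-level restrictions for the pasted module (assumed GHC flags; check them
# against your GHC version): no Template Haskell, quasi-quotes, CPP or FFI, and a
# simplified-Core dump. They do not confine the compiler process; run_limited and
# the OS-level sandbox around it (LXC, libvirt-sandbox, ...) do that.
GHC_FLAGS = ["-c", "-O", "-XSafe", "-XNoTemplateHaskell", "-XNoQuasiQuotes",
             "-XNoCPP", "-XNoForeignFunctionInterface", "-fforce-recomp",
             "-ddump-simpl", "-dsuppress-all"]

def _cap(res, value):
    """Set soft and hard limit to value, never above the current hard limit."""
    _, hard = resource.getrlimit(res)
    value = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(res, (value, value))

def _apply_rlimits(cpu_seconds, mem_bytes, fsize_bytes):
    # Runs in the child before exec(): a looping or hostile compile cannot eat
    # unbounded CPU, memory or disk, and cannot leave core dumps behind.
    _cap(resource.RLIMIT_CPU, cpu_seconds)
    _cap(resource.RLIMIT_AS, mem_bytes)
    _cap(resource.RLIMIT_FSIZE, fsize_bytes)
    _cap(resource.RLIMIT_CORE, 0)

def run_limited(argv, cpu_seconds=20, wall_seconds=60, mem_bytes=1 << 30,
                fsize_bytes=64 << 20, workdir=None):
    """Run argv with rlimits, a wall-clock deadline, a scrubbed environment and a
    private working directory. outcome: 'ok', 'failed', 'killed' (signal), 'timeout'."""
    workdir = workdir or tempfile.mkdtemp(prefix="compile-")
    env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "LANG": "C"}  # no inherited secrets
    try:
        p = subprocess.run(argv, cwd=workdir, env=env, capture_output=True, text=True,
                           timeout=wall_seconds, stdin=subprocess.DEVNULL,
                           preexec_fn=lambda: _apply_rlimits(cpu_seconds, mem_bytes, fsize_bytes))
    except subprocess.TimeoutExpired:
        return {"outcome": "timeout", "returncode": None, "stdout": "", "stderr": ""}
    outcome = "ok" if p.returncode == 0 else "killed" if p.returncode < 0 else "failed"
    return {"outcome": outcome, "returncode": p.returncode, "stdout": p.stdout, "stderr": p.stderr}

def compile_to_core(source, ghc="ghc", **limits):
    """Write the pasted module to a scratch directory and compile it under the limits."""
    workdir = tempfile.mkdtemp(prefix="compile-")
    path = os.path.join(workdir, "Main.hs")
    with open(path, "w") as f:
        f.write(source)
    return run_limited([ghc] + GHC_FLAGS + [path], workdir=workdir, **limits)
```

`compile_to_core` returns the Core dump in the captured output on success; a type-level loop or a runaway compile comes back as `killed` or `timeout` instead of taking the host down with it.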