
Safe compartment updates

1 parent 048593d commit d5d82cc070c5a8566d673f75e064f55376c72e08 mschilli committed May 6, 2003
Showing with 660 additions and 40 deletions.
  1. +6 −0 Changes
  2. +1 −0 MANIFEST
  3. +131 −9 README
  4. +167 −10 lib/Log/Log4perl.pm
  5. +148 −5 lib/Log/Log4perl/Config.pm
  6. +2 −2 lib/Log/Log4perl/FAQ.pm
  7. +24 −12 lib/Log/Log4perl/Layout/PatternLayout.pm
  8. +2 −2 t/033UsrCspec.t
  9. +179 −0 t/041SafeEval.t
Changes
@@ -8,6 +8,12 @@ Revision history for Log::Log4perl
* (ms) changed config_and_watch to ignore clock differences between
system time and file system time (helpful with skewed NFS
systems). Added Log::Log4perl::Config::Watch.
+ * James FitzGibbon <james.fitzgibbon@target.com>: Added support for
+ optionally restricting eval'd code to Safe compartments.
+ * (ms) allow/deny code in configuration files should now be controlled
+ via the accessor Log::Log4perl::Config->allow_code(0/1).
+ $Log::Log4perl::ALLOW_CODE_IN_CONFIG_FILE is still supported
+ for backwards compatibility.
0.30 03/14/2003
* (ms) Added Log4perl custom filter logic and standard filter set
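Review bot: the new entry names allow_code(0/1) and the legacy $Log::Log4perl::ALLOW_CODE_IN_CONFIG_FILE variable, but not the other three Config accessors this same commit documents in README (allowed_code_ops, vars_shared_with_safe_compartment, allowed_code_ops_convenience_map), nor that allow_code() now also accepts the convenience names 'safe' and 'restrictive' and that choosing one pulls in Safe and Opcode at runtime. A one-line addition such as "New accessors allowed_code_ops(), vars_shared_with_safe_compartment() and allowed_code_ops_convenience_map() control the Safe compartment" would let someone scanning Changes see the whole new API surface and the new dependency.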
MANIFEST
@@ -84,6 +84,7 @@ t/037JWin32Event.t
t/038XML-DOM1.t
t/039XML-DOM2.t
t/040Filter.t
+t/041SafeEval.t
t/compare.pl
t/deeper1.expected
t/deeper6.expected
README
@@ -1,5 +1,5 @@
######################################################################
- Log::Log4perl 0.31
+ Log::Log4perl 0.31dev
######################################################################
NAME
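Review bot: the title line moves to "0.31dev" while the Changes hunk in this commit adds its entries without showing the version heading they fall under; since lib/Log/Log4perl.pm is also touched here, confirm that $VERSION, the Changes heading and this README line agree before the 0.31 release so a user reading "0.31dev" in README does not see a different string from perl -MLog::Log4perl -e 'print $Log::Log4perl::VERSION'.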
@@ -605,18 +605,25 @@ How to use it
right in the config file like this:
log4perl.PatternLayout.cspec.U = sub { return "UID $<" }
-
+
+ See Log::Log4perl::Layout::PatternLayout for further details on
+ customized specifiers.
+
+ Please note that the subroutines you're defining in this way are
+ going to be run in the "main" namespace, so be sure to fully qualify
+ functions and variables if they're located in different packages.
+
SECURITY NOTE: this feature means arbitrary perl code can be
embedded in the config file. In the rare case where the people who
have access to your config file are different from the people who
write your code and shouldn't have execute rights, you might want to
- set
+ call
- $Log::Log4perl::ALLOW_CODE_IN_CONFIG_FILE = 0;
+ Log::Log4perl::Config->allow_code(0);
- before you call init().
-
- See Log::Log4perl::Layout::PatternLayout for details.
+ before you call init(). Alternatively you can supply a restricted
+ set of Perl opcodes that can be embedded in the config file as
+ described in "Restricting what Opcodes can be in a Perl Hook".
All placeholders are quantifiable, just like in *printf*. Following this
tradition, "%-20c" will reserve 20 chars for the category and
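Review bot: the added paragraph states that cspec subroutines "are going to be run in the "main" namespace", but that is only true for the unrestricted allow_code(1) path; when allow_code() selects a Safe compartment, the code is compiled in the compartment's own root namespace, and the "Restricting what Opcodes can be in a Perl Hook" section added further down says package variables reach it only through vars_shared_with_safe_compartment() (by default just %ENV). Qualify the sentence, e.g. "...run in the "main" namespace; if you enable a Safe compartment, only the variables you share via Log::Log4perl::Config->vars_shared_with_safe_compartment() are visible", otherwise a user who fully qualifies a variable as advised and later turns on the compartment gets an unexplained failure. The SECURITY NOTE itself reads well; it might add that allow_code(0) must also precede init_and_watch(), since a watched config is re-read later.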
@@ -980,9 +987,123 @@ Cool Tricks
your config file are different from the people who write your code and
shouldn't have execute rights, you might want to set
- $Log::Log4perl::ALLOW_CODE_IN_CONFIG_FILE = 0;
+ Log::Log4perl::Config->allow_code(0);
+
+ before you call init(). Alternatively you can supply a restricted set of
+ Perl opcodes that can be embedded in the config file as described in
+ "Restricting what Opcodes can be in a Perl Hook".
+
+ Restricting what Opcodes can be in a Perl Hook
+ The value you pass to Log::Log4perl::Config->allow_code() determines
+ whether the code that is embedded in the config file is eval'd
+ unrestricted, or eval'd in a Safe compartment. By default, a value of
+ '1' is assumed, which does a normal 'eval' without any restrictions. A
+ value of '0' however prevents any embedded code from being evaluated.
+
+ If you would like fine-grained control over what can and cannot be
+ included in embedded code, then please utilize the following methods:
+
+ Log::Log4perl::Config->allow_code( $allow );
+ Log::Log4perl::Config->allowed_code_ops($op1, $op2, ... );
+ Log::Log4perl::Config->vars_shared_with_safe_compartment( [ \%vars | $package, \@vars ] );
+ Log::Log4perl::Config->allowed_code_ops_convenience_map( [ \%map | $name, \@mask ] );
+
+ Log::Log4perl::Config->allowed_code_ops() takes a list of opcode masks
+ that are allowed to run in the compartment. The opcode masks must be
+ specified as described in Opcode:
+
+ Log::Log4perl::Config->allowed_code_ops(':subprocess');
+
+ This example would allow Perl operations like backticks, system, fork,
+ and waitpid to be executed in the compartment. Of course, you probably
+ don't want to use this mask -- it would allow exactly what the Safe
+ compartment is designed to prevent.
+
+ Log::Log4perl::Config->vars_shared_with_safe_compartment() takes the
+ symbols which should be exported into the Safe compartment before the
+ code is evaluated. The keys of this hash are the package names that the
+ symbols are in, and the values are array references to the literal
+ symbol names. For convenience, the default settings export the '%ENV'
+ hash from the 'main' package into the compartment:
+
+ Log::Log4perl::Config->vars_shared_with_safe_compartment(
+ main => [ '%ENV' ],
+ );
+
+ Log::Log4perl::Config->allowed_code_ops_convenience_map() is an accessor
+ method to a map of convenience names to opcode masks. At present, the
+ following convenience names are defined:
+
+ safe = [ ':browse' ]
+ restrictive = [ ':default' ]
+
+ For convenience, if Log::Log4perl::Config->allow_code() is called with a
+ value which is a key of the map previously defined with
+ Log::Log4perl::Config->allowed_code_ops_convenience_map(), then the
+ allowed opcodes are set according to the value defined in the map. If
+ this is confusing, consider the following:
+
+ use Log::Log4perl;
+
+ my $config = <<'END';
+ log4perl.logger = INFO, Main
+ log4perl.appender.Main = Log::Dispatch::File
+ log4perl.appender.Main.filename = \
+ sub { "example" . getpwuid($<) . ".log" }
+ log4perl.appender.Main.layout = Log::Log4perl::Layout::SimpleLayout
+ END
+
+ $Log::Log4perl::Config->allow_code('restrictive');
+ Log::Log4perl->init( \$config ); # will fail
+ $Log::Log4perl::Config->allow_code('safe');
+ Log::Log4perl->init( \$config ); # will succeed
+
+ The reason that the first call to ->init() fails is because the
+ 'restrictive' name maps to an opcode mask of ':default'. getpwuid() is
+ not part of ':default', so ->init() fails. The 'safe' name maps to an
+ opcode mask of ':browse', which allows getpwuid() to run, so ->init()
+ succeeds.
+
+ allowed_code_ops_convenience_map() can be invoked in several ways:
+
+ allowed_code_ops_convenience_map()
+ Returns the entire convenience name map as a hash reference in
+ scalar context or a hash in list context.
+
+ allowed_code_ops_convenience_map( \%map )
+ Replaces the entire conveniece name map with the supplied hash
+ reference.
+
+ allowed_code_ops_convenience_map( $name )
+ Returns the opcode mask for the given convenience name, or undef if
+ no such name is defined in the map.
+
+ allowed_code_ops_convenience_map( $name, \@mask )
+ Adds the given name/mask pair to the convenience name map. If the
+ name already exists in the map, it's value is replaced with the new
+ mask.
+
+ as can vars_shared_with_safe_compartment():
+
+ vars_shared_with_safe_compartment()
+ Return the entire map of packages to variables as a hash reference
+ in scalar context or a hash in list context.
+
+ vars_shared_with_safe_compartment( \%packages )
+ Replaces the entire map of packages to variables with the supplied
+ hash reference.
+
+ vars_shared_with_safe_compartment( $package )
+ Returns the arrayref of variables to be shared for a specific
+ package.
+
+ vars_shared_with_safe_compartment( $package, \@vars )
+ Adds the given package / varlist pair to the map. If the package
+ already exists in the map, it's value is replaced with the new
+ arrayref of variable names.
- before you call init().
+ For more information on opcodes and Safe Compartments, see Opcode and
+ Safe.
Incrementing and Decrementing the Log Levels
Log4perl provides some internal functions for quickly adjusting the log
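Review bot: the worked example calls $Log::Log4perl::Config->allow_code('restrictive') and $Log::Log4perl::Config->allow_code('safe') with a leading sigil; that is a method call on the (undefined) scalar variable $Log::Log4perl::Config, not on the class, so as written the snippet dies on the first call instead of showing the fail-then-succeed behaviour the following paragraph describes. Drop the sigil to match every other call in the section: Log::Log4perl::Config->allow_code('restrictive'); Three smaller points in the same hunk: the default of sharing %ENV into the compartment deserves a caution, because environment variables frequently carry credentials and the whole point of the compartment is to limit what config-file code can reach; the text already documents that vars_shared_with_safe_compartment( \%packages ) replaces the map, so "pass {} to share nothing" would give readers the knob. The name 'safe' for ':browse' is broader than it sounds, as the text itself notes that ':browse' admits getpwuid() which ':default' denies, so a sentence saying 'safe' still allows read access to the filesystem and system databases would avoid a false sense of security. Finally, "conveniece name map" should read "convenience name map", and "it's value is replaced" (twice) should be "its value is replaced".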
@@ -1428,6 +1549,7 @@ AUTHORS
Contributors:
Chris R. Donnelly <cdonnelly@digitalmotorworks.com>
+ James FitzGibbon <james.fitzgibbon@target.com>
Paul Harrington <Paul-Harrington@deshaw.com>
Erik Selberg <erik@selberg.com>
Aaron Straup Cope <asc@vineyard.net>