Sandbox with the REPL

The initial REPL sandbox accepts all Java calls and Venice functions without any restrictions

venice> !sandbox status
No sandbox active (AcceptAllInterceptor)
venice>

Change to a restricted reject-all sandbox

venice> !sandbox reject-all
venice> !sandbox status
Sandbox active (RejectAllInterceptor). Rejects all Java calls and default blacklisted Venice functions
venice> !sandbox config
[reject-all] SAFE restricted sandbox
Java calls:
   All rejected!
Blacklisted Venice functions:
   agent
   agent-error
   agent-error-mode
     :
venice>

Change to a customized sandbox

venice> !sandbox customized
venice> !sandbox status
Customized sandbox active (SandboxInterceptor)
venice> !sandbox config
[customized] Customized sandbox
Sandbox rules:
   class:java.io.IOException:*
   class:java.io.InputStream
   class:java.io.OutputStream
   class:java.io.PrintStream:append
   class:java.lang.Boolean
   class:java.lang.Byte
   class:java.lang.Character
   class:java.lang.Double
   class:java.lang.Exception:*
   class:java.lang.Float
     :
venice>

Testing the reject-all sandbox

Enable the reject-all sandbox

venice> !sandbox reject-all

Test the sandbox

; all Venice I/O functions are rejected
(io/exists-dir? (io/file "/tmp"))

; all Java calls are rejected
(. :java.lang.Math :min 2 3)

Testing the customized sandbox

Enable the customized sandbox.

venice> !sandbox customized

Test the sandbox

; Venice I/O functions are accepted
(io/exists-dir? (io/file "/tmp"))

; Java calls matching the default rules are accepted
(. :java.util.Date :new)

; Java calls not matching the default rules are rejected
(. :java.lang.Math :min 2 3)

Customize the sandbox...

enable calls to java.lang.Math
enable access to system property java.class.path
enable access to system environment variable JAVA___HOME
blacklist all Venice I/O functions
blacklist the Venice 'count' function

venice> !sandbox customized
venice> !sandbox add-rule class:java.lang.Math:*
venice> !sandbox add-rule system.property:java.class.path
venice> !sandbox add-rule system.env:JAVA_HOME
venice> !sandbox add-rule blacklist:venice:*io*
venice> !sandbox add-rule blacklist:venice:count

...and test it

; Java calls to java.lang.Math are accepted
(. :java.lang.Math :min 2 3)

; Accessing system property 'java.class.path'
(system-prop :java.class.path)

; Accessing environment variable 'JAVA_HOME'
(system-env :JAVA_HOME)

; all Venice I/O functions are rejected
(io/exists-dir? (io/file "/tmp"))

; the Venice function 'count' is rejected
(count [1 2 3])

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

repl-sandbox.md

repl-sandbox.md

Sandbox with the REPL

Change to a restricted reject-all sandbox

Change to a customized sandbox

Testing the reject-all sandbox

Enable the reject-all sandbox

Test the sandbox

Testing the customized sandbox

Enable the customized sandbox.

Test the sandbox

Customize the sandbox...

...and test it

Files

repl-sandbox.md

Latest commit

History

repl-sandbox.md

File metadata and controls

Sandbox with the REPL

Change to a restricted reject-all sandbox

Change to a customized sandbox

Testing the reject-all sandbox

Enable the reject-all sandbox

Test the sandbox

Testing the customized sandbox

Enable the customized sandbox.

Test the sandbox

Customize the sandbox...

...and test it