Lambda Smalltalk provides a sandbox mode for running untrusted scripts securely.
## Sandbox Modes

| Mode | Description |
|---|---|
| permissive | All operations allowed (default) |
| read-only | Only file reads allowed |
| restrictive | All operations denied |
## Usage

```sh
# Default: all operations allowed
lambda-st run script.st

# Read-only: can read files, but no writes/process/network
lambda-st run --sandbox read-only script.st

# Restrictive: all I/O operations denied
lambda-st run --sandbox restrictive script.st
```
## What Each Mode Controls

### File System

- permissive: Read and write any file
- read-only: Read any file, no writes
- restrictive: No file access

### Process Execution

- permissive: `System exec:` allowed
- read-only: Denied
- restrictive: Denied

### Network Access

- permissive: `Http get:`, `Http post:` etc. allowed
- read-only: Denied
- restrictive: Denied

### Plugin Loading

- permissive: `Plugin load:` allowed
- read-only: Denied
- restrictive: Denied
## Example: Safe Script Execution

```sh
# Run a user-provided script that should only read data
lambda-st run --sandbox read-only user_script.st

# Run a completely isolated script (pure computation only)
lambda-st run --sandbox restrictive compute.st
```
## Error Handling

When a sandbox denies an operation, an exception is raised:

```
sandbox: file_write on 'output.txt': file write access denied by sandbox policy
```

Scripts can catch these with `on:do:`:

```smalltalk
[
  File write: 'test.txt' contents: 'data'.
] on: Error do: [:ex |
  'Write denied by sandbox' printNl.
].
```
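An added wrapper script, not part of Lambda Smalltalk, that picks the sandbox mode from a trust label and then summarises every denial the sandbox reports, so an operator can see what an untrusted script tried to do. It assumes that `lambda-st` prints denials to stderr and that every denial follows the one message format shown above (`sandbox: <operation> on '<target>': <reason>`); the trust labels and the `process_exec` operation name in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example (not Lambda Smalltalk's own code).
# Assumption: every denial line has the shape shown in Error Handling:
#   sandbox: <operation> on '<target>': <reason>

# Map a trust label (constructed for this example) to a sandbox mode.
# Anything not explicitly trusted gets the most restrictive mode.
sandbox_mode_for() {
  case "$1" in
    trusted)   echo permissive ;;
    data-only) echo read-only ;;
    *)         echo restrictive ;;
  esac
}

# Print "<operation> <target>" for one sandbox denial line, e.g.
#   "file_write output.txt"; print nothing for any other line.
denial_fields() {
  printf '%s\n' "$1" |
    sed -n "s/^sandbox: \([a-z_]*\) on '\([^']*\)':.*/\1 \2/p"
}

# Read captured stderr on stdin; print "<count> <operation>" per denied
# operation, most frequent first (e.g. "2 file_write").
summarize_denials() {
  sed -n "s/^sandbox: \([a-z_]*\) on '[^']*':.*/\1/p" |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Run a script with the mode chosen for its trust label, keep stderr in a
# log file, print the denial summary, and return lambda-st's exit status.
run_sandboxed() {
  script="$1"; trust="$2"; log="${3:-${script}.sandbox.log}"
  mode=$(sandbox_mode_for "$trust")
  if lambda-st run --sandbox "$mode" "$script" 2>"$log"; then
    status=0
  else
    status=$?
  fi
  summarize_denials <"$log"
  return "$status"
}
```

Usage: `run_sandboxed user_script.st untrusted` runs the script under `--sandbox restrictive` and prints a count of each denied operation found in `user_script.st.sandbox.log`.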