mirror of
https://github.com/DrBeef/Raze.git
synced 2025-01-18 23:21:43 +00:00
lunatic: more sandboxing mechanisms, makefile lines for OSX
git-svn-id: https://svn.eduke32.com/eduke32@2074 1a8010ca-5511-0410-912e-c29ae57300e0
This commit is contained in:
parent
9196bdbd81
commit
2247b77126
5 changed files with 100 additions and 20 deletions
|
@ -139,7 +139,15 @@ ifneq (0,$(LUNATIC))
|
||||||
OURCFLAGS+= -I/usr/local/include/luajit-2.0 -I$(SRC)/lunatic -DLUNATIC_ENABLE
|
OURCFLAGS+= -I/usr/local/include/luajit-2.0 -I$(SRC)/lunatic -DLUNATIC_ENABLE
|
||||||
LIBS+= -L/usr/local/lib -lluajit-5.1
|
LIBS+= -L/usr/local/lib -lluajit-5.1
|
||||||
GAMEOBJS+= $(OBJ)/lunatic.$o
|
GAMEOBJS+= $(OBJ)/lunatic.$o
|
||||||
MISCLINKOPTS+= -Wl,--dynamic-list=$(SRC)/lunatic/dynsymlist
|
# strip on OSX says: removing global symbols from a final linked no longer supported.
|
||||||
|
# Use -exported_symbols_list at link time when building
|
||||||
|
# But, not doing this does not give us the symbols! wtf?
|
||||||
|
STRIP+= -s $(SRC)/lunatic/dynsymlist_osx
|
||||||
|
ifeq ($(PLATFORM),DARWIN)
|
||||||
|
MISCLINKOPTS+= -pagezero_size 10000 -image_base 100000000 #-Wl,-alias_list -Wl,$(SRC)/lunatic/aliases_list #-exported_symbols_list $(SRC)/lunatic/dynsymlist_osx
|
||||||
|
else
|
||||||
|
MISCLINKOPTS+= -Wl,--dynamic-list=$(SRC)/lunatic/dynsymlist
|
||||||
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# PLATFORM SPECIFIC SETTINGS
|
# PLATFORM SPECIFIC SETTINGS
|
||||||
|
@ -307,6 +315,12 @@ $(OBJ)/%.$o: $(SRC)/lunatic/%.c
|
||||||
$(COMPILE_STATUS)
|
$(COMPILE_STATUS)
|
||||||
if $(CC) $(CFLAGS) $(OURCFLAGS) -c $< -o $@; then $(COMPILE_OK); else $(COMPILE_FAILED); fi
|
if $(CC) $(CFLAGS) $(OURCFLAGS) -c $< -o $@; then $(COMPILE_OK); else $(COMPILE_FAILED); fi
|
||||||
|
|
||||||
|
$(SRC)/lunatic/dynsymlist_osx: $(SRC)/lunatic/dynsymlist
|
||||||
|
sed 's/[{};]//g;s/[A-Za-z_][A-Za-z_0-9]*/_&/g' $< > $@
|
||||||
|
|
||||||
|
$(SRC)/lunatic/aliases_list: $(SRC)/lunatic/dynsymlist_osx
|
||||||
|
sed 's/_\([A-Za-z_][A-Za-z_0-9]*\)/_\1 \1/g' $< > $@
|
||||||
|
|
||||||
$(OBJ)/%.$o: Apple/%.m
|
$(OBJ)/%.$o: Apple/%.m
|
||||||
$(COMPILE_STATUS)
|
$(COMPILE_STATUS)
|
||||||
if $(CC) $(CFLAGS) $(OURCFLAGS) -c $< -o $@; then $(COMPILE_OK); else $(COMPILE_FAILED); fi
|
if $(CC) $(CFLAGS) $(OURCFLAGS) -c $< -o $@; then $(COMPILE_OK); else $(COMPILE_FAILED); fi
|
||||||
|
|
|
@ -58,7 +58,56 @@ const int16_t prevspritesect[16384], prevspritestat[16384];
|
||||||
const int16_t nextspritesect[16384], nextspritestat[16384];
|
const int16_t nextspritesect[16384], nextspritestat[16384];
|
||||||
]]
|
]]
|
||||||
|
|
||||||
--
|
---- _G tweaks -- pull in only 'safe' stuff ----
|
||||||
|
|
||||||
|
local G_ = {} -- our soon-to-be global environment
|
||||||
|
local oG = _G
|
||||||
|
|
||||||
|
G_.coroutine = coroutine
|
||||||
|
G_.assert = assert
|
||||||
|
G_.tostring = tostring
|
||||||
|
G_.tonumber = tonumber
|
||||||
|
--rawget
|
||||||
|
G_.xpcall = xpcall
|
||||||
|
G_.ipairs = ipairs
|
||||||
|
G_.print = print
|
||||||
|
G_.pcall = pcall
|
||||||
|
--gcinfo --DEPRECATED
|
||||||
|
--module
|
||||||
|
--setfenv
|
||||||
|
--require
|
||||||
|
--rawset
|
||||||
|
--jit
|
||||||
|
G_.bit = bit
|
||||||
|
--package
|
||||||
|
G_.error = error
|
||||||
|
--debug
|
||||||
|
--loadfile
|
||||||
|
--rawequal
|
||||||
|
--load
|
||||||
|
G_.unpack = unpack
|
||||||
|
G_.pairs = pairs
|
||||||
|
G_.table = table
|
||||||
|
G_._VERSION = _VERSION
|
||||||
|
--newproxy --NOT STD?
|
||||||
|
--collectgarbage
|
||||||
|
--dofile
|
||||||
|
G_.next = next
|
||||||
|
G_.math = math
|
||||||
|
--loadstring
|
||||||
|
--_G
|
||||||
|
G_.select = select
|
||||||
|
G_.string = string
|
||||||
|
G_.type = type
|
||||||
|
--getmetatable
|
||||||
|
--getfenv
|
||||||
|
--setmetatable
|
||||||
|
|
||||||
|
G_._G = G_
|
||||||
|
|
||||||
|
-- REMOVE this for release
|
||||||
|
DBG_ = {}
|
||||||
|
DBG_.loadstring = oG.loadstring
|
||||||
|
|
||||||
---- Set up restricted access to ffi.C from lunatic. ----
|
---- Set up restricted access to ffi.C from lunatic. ----
|
||||||
local ffiC = ffi.C
|
local ffiC = ffi.C
|
||||||
|
@ -69,7 +118,7 @@ local tmpmt = {
|
||||||
__newindex = function() error('dummy variable: write access forbidden') end,
|
__newindex = function() error('dummy variable: write access forbidden') end,
|
||||||
__metatable = true -- forbid setting the metatable
|
__metatable = true -- forbid setting the metatable
|
||||||
}
|
}
|
||||||
setmetatable(det, tmpmt)
|
oG.setmetatable(det, tmpmt)
|
||||||
|
|
||||||
-- GLOBAL gv: provides access to C global *scalars*
|
-- GLOBAL gv: provides access to C global *scalars*
|
||||||
gv = {
|
gv = {
|
||||||
|
@ -89,7 +138,7 @@ local tmpmt = {
|
||||||
__newindex = function() error("cannot create new fields in 'gv'") end,
|
__newindex = function() error("cannot create new fields in 'gv'") end,
|
||||||
__metatable = true,
|
__metatable = true,
|
||||||
}
|
}
|
||||||
setmetatable(gv, tmpmt)
|
oG.setmetatable(gv, tmpmt)
|
||||||
|
|
||||||
---- indirect C array access ----
|
---- indirect C array access ----
|
||||||
sector = {}
|
sector = {}
|
||||||
|
@ -102,7 +151,7 @@ local tmpmt = {
|
||||||
__newindex = function(tab, key, val) error('cannot write to sector[] struct directly') end,
|
__newindex = function(tab, key, val) error('cannot write to sector[] struct directly') end,
|
||||||
__metatable = true,
|
__metatable = true,
|
||||||
}
|
}
|
||||||
setmetatable(sector, tmpmt)
|
oG.setmetatable(sector, tmpmt)
|
||||||
|
|
||||||
wall = {}
|
wall = {}
|
||||||
local tmpmt = {
|
local tmpmt = {
|
||||||
|
@ -114,7 +163,7 @@ local tmpmt = {
|
||||||
__newindex = function(tab, key, val) error('cannot write to wall[] struct directly') end,
|
__newindex = function(tab, key, val) error('cannot write to wall[] struct directly') end,
|
||||||
__metatable = true,
|
__metatable = true,
|
||||||
}
|
}
|
||||||
setmetatable(wall, tmpmt)
|
oG.setmetatable(wall, tmpmt)
|
||||||
|
|
||||||
-- create a safe indirection for a ffi.C array
|
-- create a safe indirection for a ffi.C array
|
||||||
local function creategtab(ctab, maxidx, name)
|
local function creategtab(ctab, maxidx, name)
|
||||||
|
@ -131,7 +180,7 @@ local function creategtab(ctab, maxidx, name)
|
||||||
end,
|
end,
|
||||||
__metatable = true,
|
__metatable = true,
|
||||||
}
|
}
|
||||||
setmetatable(tab, tmpmt)
|
oG.setmetatable(tab, tmpmt)
|
||||||
return tab
|
return tab
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -176,6 +225,21 @@ function spritesofstat(stat)
|
||||||
return iter_spritesofstat , stat, -1
|
return iter_spritesofstat , stat, -1
|
||||||
end
|
end
|
||||||
|
|
||||||
-- restrict access to potentially unsafe standard Lua modules (not yet done)
|
|
||||||
os = nil
|
-- add new variables/functions living in the global environment
|
||||||
io = nil
|
G_.DBG_ = DBG_ -- REMOVE this for release
|
||||||
|
G_.gv = gv
|
||||||
|
G_.sector = sector
|
||||||
|
G_.wall = wall
|
||||||
|
G_.sprite = sprite
|
||||||
|
G_.headspritesect = headspritesect
|
||||||
|
G_.headspritestat = headspritestat
|
||||||
|
G_.nextspritesect = nextspritesect
|
||||||
|
G_.nextspritestat = nextspritestat
|
||||||
|
G_.prevspritesect = prevspritesect
|
||||||
|
G_.prevspritestat = prevspritestat
|
||||||
|
G_.spritesofsect = spritesofsect
|
||||||
|
G_.spritesofstat = spritesofstat
|
||||||
|
|
||||||
|
-- change the environment of the running Lua thread to the table G_
|
||||||
|
setfenv(0, G_)
|
||||||
|
|
|
@ -6,7 +6,10 @@ sprite;
|
||||||
numsectors;
|
numsectors;
|
||||||
numwalls;
|
numwalls;
|
||||||
|
|
||||||
headspritesect; headspritestat;
|
headspritesect;
|
||||||
prevspritesect; prevspritestat;
|
headspritestat;
|
||||||
nextspritesect; nextspritestat;
|
prevspritesect;
|
||||||
|
prevspritestat;
|
||||||
|
nextspritesect;
|
||||||
|
nextspritestat;
|
||||||
};
|
};
|
||||||
|
|
|
@ -25,7 +25,7 @@ int32_t El_CreateState(El_State *estate, const char *name)
|
||||||
{
|
{
|
||||||
Bfree((char *)estate->name);
|
Bfree((char *)estate->name);
|
||||||
estate->name = NULL;
|
estate->name = NULL;
|
||||||
return -1;
|
return -2;
|
||||||
}
|
}
|
||||||
|
|
||||||
luaL_openlibs(estate->L); // XXX: only for internal use and testing, obviously
|
luaL_openlibs(estate->L); // XXX: only for internal use and testing, obviously
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
print('--- ELua Test script ---')
|
print('--- ELua Test script ---')
|
||||||
|
|
||||||
local function checkfail(funcstr)
|
local function checkfail(funcstr)
|
||||||
local status, res = pcall(loadstring(funcstr))
|
local status, res = pcall(DBG_.loadstring(funcstr))
|
||||||
if (status) then
|
if (status) then
|
||||||
print('ERROR: '..funcstr.." DIDN'T fail")
|
print('ERROR: '..funcstr.." DIDN'T fail")
|
||||||
else
|
else
|
||||||
|
@ -14,6 +14,7 @@ end
|
||||||
local i
|
local i
|
||||||
|
|
||||||
print('tweaking sector pals')
|
print('tweaking sector pals')
|
||||||
|
---[[
|
||||||
for i = 0, gv.numsectors/2 do
|
for i = 0, gv.numsectors/2 do
|
||||||
sector[i].floorpal = 1;
|
sector[i].floorpal = 1;
|
||||||
sector[i].ceilingpal = 2;
|
sector[i].ceilingpal = 2;
|
||||||
|
@ -28,7 +29,7 @@ end
|
||||||
for spr in spritesofsect(236) do
|
for spr in spritesofsect(236) do
|
||||||
print('#spr', spr)
|
print('#spr', spr)
|
||||||
end
|
end
|
||||||
|
--]]
|
||||||
print('_G contains:')
|
print('_G contains:')
|
||||||
for k,v in pairs(_G) do
|
for k,v in pairs(_G) do
|
||||||
print(k, v)
|
print(k, v)
|
||||||
|
@ -40,9 +41,7 @@ checkfail('sector[-1].ceilingpal = 4') -- oob write access
|
||||||
checkfail('sector[0].wallnum = 0') -- wallnum member is read-only
|
checkfail('sector[0].wallnum = 0') -- wallnum member is read-only
|
||||||
checkfail('gv.numsectors = 4') -- gv.numsectors is read-only
|
checkfail('gv.numsectors = 4') -- gv.numsectors is read-only
|
||||||
checkfail('sector[4] = sector[6]') -- direct sector write access forbidden
|
checkfail('sector[4] = sector[6]') -- direct sector write access forbidden
|
||||||
|
checkfail("require('os')") -- 'require' has been thrown away to be replaced by
|
||||||
|
-- something more restricted later
|
||||||
|
|
||||||
print('--- end test script ---')
|
print('--- end test script ---')
|
||||||
|
|
||||||
os = require("os")
|
|
||||||
print('clk', os.clock())
|
|
||||||
|
|
Loading…
Reference in a new issue