diff -rup R-2.11.0-orig//src/include/Defn.h R-2.11.0/src/include/Defn.h
--- R-2.11.0-orig//src/include/Defn.h 2010-05-17 11:56:16.000000000 -0400
+++ R-2.11.0/src/include/Defn.h 2010-05-17 11:58:02.000000000 -0400
@@ -639,6 +639,8 @@ extern0 struct RPRSTACK *R_PendingPromis
 LibExtern Rboolean R_Interactive INI_as(TRUE); /* TRUE during interactive use*/
 extern0 Rboolean R_Quiet INI_as(FALSE); /* Be as quiet as possible */
 extern Rboolean R_Slave INI_as(FALSE); /* Run as a slave process */
+extern Rboolean R_Sandbox_requested INI_as(FALSE); /* Run in a sandbox */
+extern Rboolean R_Sandbox_active INI_as(FALSE); /* Run in a sandbox */
 extern0 Rboolean R_Verbose INI_as(FALSE); /* Be verbose */
 /* extern int R_Console; */ /* Console active flag */
 /* IoBuffer R_ConsoleIob; : --> ./IOStuff.h */
diff -rup R-2.11.0-orig//src/include/R_ext/RStartup.h R-2.11.0/src/include/R_ext/RStartup.h
--- R-2.11.0-orig//src/include/R_ext/RStartup.h 2010-05-17 11:56:16.000000000 -0400
+++ R-2.11.0/src/include/R_ext/RStartup.h 2010-05-17 11:59:01.000000000 -0400
@@ -84,6 +84,8 @@ typedef struct
 UImode CharacterMode;
 blah7 WriteConsoleEx; /* used only if WriteConsole is NULL */
 #endif
+
+ Rboolean R_Sandbox_requested;
 } structRstart;
 
 typedef structRstart *Rstart;
diff -rup R-2.11.0-orig//src/main/CommandLineArgs.c R-2.11.0/src/main/CommandLineArgs.c
--- R-2.11.0-orig//src/main/CommandLineArgs.c 2010-05-17 11:56:08.000000000 -0400
+++ R-2.11.0/src/main/CommandLineArgs.c 2010-05-17 11:59:23.000000000 -0400
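Review bot: Both new declarations in the Defn.h hunk carry the identical comment `/* Run in a sandbox */`, although the two flags mean different things: R_Sandbox_requested only records that `--sandbox` was asked for (it is copied from the Rstart struct), while R_Sandbox_active is the flag every connection/system() guard in this patch actually tests. A reader grepping Defn.h has no way to tell which one to check. Suggest `/* --sandbox was requested (copied from Rstart by R_SetParams) */` on the first and `/* sandbox restrictions are currently enforced; armed in run_Rmainloop */` on the second.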
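Review bot: Appending `Rboolean R_Sandbox_requested;` to structRstart grows a struct that lives in the public R_ext header and, as far as I know, is allocated by embedding front-ends rather than by R itself; a front-end built against the previous header would pass R_DefParams/R_SetParams a struct one field short, and the new assignments in startup.c would then read and write past its end. If the Rstart layout is meant to stay binary-compatible this needs an explicit note in the header (or a versioned field check), and in any case the field should be documented where it is declared: `Rboolean R_Sandbox_requested; /* TRUE when --sandbox was given; see R_SetParams */`.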
@@ -244,6 +244,9 @@ R_common_command_line(int *pac, char **a
 R_ShowMessage(_("WARNING: '-max-ppsize' value is too large: ignored\n"));
 else Rp->ppsize = lval;
 }
+ else if (!strcmp(*av, "--sandbox")) {
+ Rp->R_Sandbox_requested = TRUE;
+ }
 else { /* unknown -option */
 argv[newac++] = *av;
 }
diff -rup R-2.11.0-orig//src/main/connections.c R-2.11.0/src/main/connections.c
--- R-2.11.0-orig//src/main/connections.c 2010-05-17 11:56:08.000000000 -0400
+++ R-2.11.0/src/main/connections.c 2010-05-18 22:18:29.000000000 -0400
@@ -949,6 +949,9 @@ SEXP attribute_hidden do_fifo(SEXP call,
 int ncon, block;
 Rconnection con = NULL;
 
+ if (R_Sandbox_active)
+ error(_("fifo() is disabled in sandbox mode"));
+
 checkArity(op, args);
 sfile = CAR(args);
 if(!isString(sfile) || length(sfile) < 1)
@@ -1121,6 +1124,9 @@ SEXP attribute_hidden do_pipe(SEXP call,
 #else
 file = translateChar(STRING_ELT(scmd, 0));
 #endif
+ if (R_Sandbox_active)
+ error(_("pipe() is disabled in sandbox mode"));
+
 sopen = CADR(args);
 if(!isString(sopen) || length(sopen) != 1)
 error(_("invalid '%s' argument"), "open");
@@ -1679,6 +1685,9 @@ SEXP attribute_hidden do_gzfile(SEXP cal
 int type = PRIMVAL(op);
 int subtype = 0;
 
+ if (R_Sandbox_active)
+ error(_("gzfile() is disabled in sandbox mode"));
+
 checkArity(op, args);
 sfile = CAR(args);
 if(!isString(sfile) || length(sfile) < 1)
@@ -2329,6 +2338,9 @@ SEXP attribute_hidden do_rawconnection(S
 int ncon;
 Rconnection con = NULL;
 
+ if (R_Sandbox_active)
+ error(_("rawConnection() is disabled in sandbox mode"));
+
 checkArity(op, args);
 sfile = CAR(args);
 if(!isString(sfile) || length(sfile) != 1)
@@ -2367,6 +2379,9 @@ SEXP attribute_hidden do_rawconvalue(SEX
 Rrawconn this;
 SEXP ans;
 
+ if (R_Sandbox_active)
+ error(_("rawConnectionValue() is disabled in sandbox mode"));
+
 checkArity(op, args);
 if(!inherits(CAR(args), "rawConnection"))
 error(_("'con' is not a rawConnection"));
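Review bot: The new `--sandbox` branch accepts the option but nothing in the patch describes it to the user; if R_common_command_line (which starts and ends outside this hunk) or the front-end prints a usage/help list of the long options, `--sandbox` should be added there with a one-line summary of what it disables, otherwise the only documentation is the set of error messages. A short comment at the branch would also help, e.g. `/* --sandbox: request the restricted mode armed in run_Rmainloop */`.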
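Review bot: The same three-line guard is hand-copied into every entry point of connections.c (do_fifo here, then do_pipe, do_gzfile, do_rawconnection, do_rawconvalue, and the do_textconnection through do_memDecompress hunks that follow), each with a hand-typed function name inside the translated string; that is how the do_flush hunk ends up naming the wrong function. A single helper keeps the messages uniform and makes the set of guarded entry points greppable: `#define CHECK_SANDBOX(what) do { if (R_Sandbox_active) error(_("%s is disabled in sandbox mode"), what); } while (0)` and then `CHECK_SANDBOX("fifo()");` at each site. Separately, note what the guard can and cannot promise: R_Sandbox_active is a plain global tested only at these R-level entry points, so unless loading native code (dyn.load and the .C/.Call family) is restricted somewhere not shown in this patch, the restriction is advisory rather than enforced; that scope is worth stating in a comment next to the first guard.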
@@ -2718,6 +2733,9 @@ SEXP attribute_hidden do_textconnection(
 int ncon, type;
 Rconnection con = NULL;
 
+ if (R_Sandbox_active)
+ error(_("textConnection() is disabled in sandbox mode"));
+
 checkArity(op, args);
 sfile = CAR(args);
 if(!isString(sfile) || length(sfile) != 1)
@@ -2778,6 +2796,9 @@ SEXP attribute_hidden do_textconvalue(SE
 Rconnection con=NULL;
 Routtextconn this;
 
+ if (R_Sandbox_active)
+ error(_("textConnectionValue() is disabled in sandbox mode"));
+
 checkArity(op, args);
 if(!inherits(CAR(args), "textConnection"))
 error(_("'con' is not a textConnection"));
@@ -2801,6 +2822,9 @@ SEXP attribute_hidden do_sockconn(SEXP c
 int ncon, port, server, blocking;
 Rconnection con = NULL;
 
+ if (R_Sandbox_active)
+ error(_("socketConnection() is disabled in sandbox mode"));
+
 checkArity(op, args);
 #ifdef HAVE_SOCKETS
 scmd = CAR(args);
@@ -2871,6 +2895,10 @@ SEXP attribute_hidden do_unz(SEXP call,
 int ncon;
 Rconnection con = NULL;
 
+ if (R_Sandbox_active)
+ error(_("unz() is disabled in sandbox mode"));
+
+
 checkArity(op, args);
 sfile = CAR(args);
 if(!isString(sfile) || length(sfile) < 1)
@@ -3051,6 +3079,9 @@ SEXP attribute_hidden do_seek(SEXP call,
 Rconnection con = NULL;
 double where;
 
+ if (R_Sandbox_active)
+ error(_("seek() is disabled in sandbox mode"));
+
 checkArity(op, args);
 if(!inherits(CAR(args), "connection"))
 error(_("'con' is not a connection"));
@@ -3074,6 +3105,9 @@ SEXP attribute_hidden do_truncate(SEXP c
 {
 Rconnection con = NULL;
 
+ if (R_Sandbox_active)
+ error(_("truncate() is disabled in sandbox mode"));
+
 checkArity(op, args);
 if(!inherits(CAR(args), "connection"))
 error(_("'con' is not a connection"));
@@ -3086,6 +3120,9 @@ SEXP attribute_hidden do_flush(SEXP call
 {
 Rconnection con = NULL;
 
+ if (R_Sandbox_active)
+ error(_("do_flush() is disabled in sandbox mode"));
+
 checkArity(op, args);
 if(!inherits(CAR(args), "connection"))
 error(_("'con' is not a connection"));
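Review bot: The message added in the do_flush hunk names the internal C function rather than the R-level one the user called, `error(_("do_flush() is disabled in sandbox mode"));`, while the neighbouring seek()/truncate() guards name the R function; change it to `error(_("flush() is disabled in sandbox mode"));` so the catalogue string matches the rest. The do_unz hunk in the same run adds two blank lines after the guard where every other hunk adds one; drop the extra one for consistency.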
@@ -4451,6 +4488,8 @@ do_getallconnections(SEXP call, SEXP op,
 int i, j=0, n=0;
 SEXP ans;
 checkArity(op, args);
+ if (R_Sandbox_active)
+ error(_("getAllConnections() is disabled in sandbox mode"));
 for(i = 0; i < NCONNECTIONS; i++)
 if(Connections[i]) n++;
 PROTECT(ans = allocVector(INTSXP, n));
@@ -4468,6 +4507,9 @@ do_getconnection(SEXP call, SEXP op, SEX
 int what;
 Rconnection con;
 
+ if (R_Sandbox_active)
+ error(_("getConnection() is disabled in sandbox mode"));
+
 checkArity(op, args);
 what = asInteger(CAR(args));
 if (what == NA_INTEGER || what < 0 || what >= NCONNECTIONS ||
@@ -4566,6 +4608,9 @@ SEXP attribute_hidden do_url(SEXP call,
 else if (strncmp(url, "https://", 8) == 0) type = HTTPSsh;
 #endif
 
+ if (R_Sandbox_active && (strncmp(url,"stdin", 5)!=0) )
+ error(_("url()/file() are disabled in sandbox mode (except for 'stdin')."));
+
 sopen = CADR(args);
 if(!isString(sopen) || length(sopen) != 1)
 error(_("invalid '%s' argument"), "open");
@@ -4986,6 +5031,9 @@ SEXP attribute_hidden do_gzcon(SEXP call
 Rconnection incon=NULL, new=NULL;
 char *m, *mode = NULL /* -Wall */, description[1000];
 
+ if (R_Sandbox_active)
+ error(_("gzcon() is disabled in sandbox mode"));
+
 checkArity(op, args);
 if(!inherits(CAR(args), "connection"))
 error(_("'con' is not a connection"));
@@ -5194,6 +5242,9 @@ SEXP attribute_hidden do_sockselect(SEXP
 SEXP insock, write, val, insockfd;
 double timeout;
 
+ if (R_Sandbox_active)
+ error(_("sockSelect() is disabled in sandbox mode"));
+
 checkArity(op, args);
 
 insock = CAR(args);
@@ -5343,6 +5394,9 @@ do_memCompress(SEXP call, SEXP op, SEXP 
 SEXP ans, from;
 int type, res;
 
+ if (R_Sandbox_active)
+ error(_("memCompress() is disabled in sandbox mode"));
+
 checkArity(op, args);
 ans = from = CAR(args);
 if(TYPEOF(from) != RAWSXP) error("'from' must be raw or character");
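Review bot: In the do_getallconnections hunk the guard is the only one placed after `checkArity(op, args);` instead of before it, and it is not followed by the blank line every other site leaves after the error call. Behaviour is the same, but the inconsistency defeats a grep for the pattern when auditing which entry points are covered; move the two lines above checkArity to match the rest.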
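Review bot: The stdin exemption in the do_url hunk is a prefix test, `strncmp(url,"stdin", 5)!=0`, so any description whose first five characters are "stdin" — a file in the working directory called `stdin.txt`, say — satisfies it and is opened as an ordinary file() or url() despite the sandbox. The exemption should be an exact match: `if (R_Sandbox_active && strcmp(url, "stdin") != 0)`. The message also says url()/file() are disabled while the check lives only in do_url; a one-line comment that file() reaches this function would save the next reader a search. do_url starts and ends outside the hunk.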
@@ -5421,6 +5475,9 @@ do_memDecompress(SEXP call, SEXP op, SEX
 SEXP ans, from;
 int type, subtype = 0;
 
+ if (R_Sandbox_active)
+ error(_("memDecompress() is disabled in sandbox mode"));
+
 checkArity(op, args);
 ans = from = CAR(args);
 if(TYPEOF(from) != RAWSXP) error("'from' must be raw or character");
diff -rup R-2.11.0-orig//src/main/internet.c R-2.11.0/src/main/internet.c
--- R-2.11.0-orig//src/main/internet.c 2010-05-17 11:56:08.000000000 -0400
+++ R-2.11.0/src/main/internet.c 2010-05-17 14:33:21.000000000 -0400
@@ -78,6 +78,9 @@ extern Rboolean UseInternet2;
 static void internet_Init(void)
 {
 int res;
+ if (R_Sandbox_active)
+ error(_("internet routines ares disabled in sandbox mode"));
+
 #ifdef Win32
 res = UseInternet2 ? R_moduleCdynload("internet2", 1, 1) :
 R_moduleCdynload("internet", 1, 1);
diff -rup R-2.11.0-orig//src/main/main.c R-2.11.0/src/main/main.c
--- R-2.11.0-orig//src/main/main.c 2010-05-17 11:56:08.000000000 -0400
+++ R-2.11.0/src/main/main.c 2010-05-17 14:10:18.000000000 -0400
@@ -961,7 +961,10 @@ void run_Rmainloop(void)
 R_IoBufferInit(&R_ConsoleIob);
 SETJMP(R_Toplevel.cjmpbuf);
 R_GlobalContext = R_ToplevelContext = &R_Toplevel;
+ if (R_Sandbox_requested)
+ R_Sandbox_active = TRUE;
 R_ReplConsole(R_GlobalEnv, 0, 0);
+ R_Sandbox_active = FALSE;
 end_Rmainloop(); /* must go here */
 }
 
diff -rup R-2.11.0-orig//src/main/startup.c R-2.11.0/src/main/startup.c
--- R-2.11.0-orig//src/main/startup.c 2010-05-17 11:56:08.000000000 -0400
+++ R-2.11.0/src/main/startup.c 2010-05-17 12:00:22.000000000 -0400
@@ -135,6 +135,7 @@ void R_DefParams(Rstart Rp)
 Rp->R_Slave = FALSE;
 Rp->R_Interactive = TRUE;
 Rp->R_Verbose = FALSE;
+ Rp->R_Sandbox_requested = FALSE;
 Rp->RestoreAction = SA_RESTORE;
 Rp->SaveAction = SA_SAVEASK;
 Rp->LoadSiteFile = TRUE;
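Review bot: The new message in the internet.c hunk has a typo, `internet routines ares disabled`; since it is wrapped in `_()` the misspelling would also be frozen into the translation catalogue, so fix it before it ships: `error(_("internet routines are disabled in sandbox mode"));`. The guard is also placed directly after `int res;` without the separating blank line the other sites use, which is a style nit only.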
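Review bot: In the main.c hunk `R_Sandbox_active = FALSE;` runs before `end_Rmainloop();`, and end_Rmainloop (outside the hunk) goes through R_CleanUp, which as far as I recall runs the user-level `.Last` hook; any `.Last` defined during the sandboxed session would therefore execute with every restriction already lifted. Either move the reset after `end_Rmainloop();` or drop it altogether, since the process is on its way out. The arming `if` sits after `SETJMP(R_Toplevel.cjmpbuf)`, so it is correctly re-executed on every return to top level; that is non-obvious enough to deserve a comment such as `/* after SETJMP: re-armed on every jump to top level */`. run_Rmainloop starts outside the hunk.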
@@ -207,6 +208,7 @@ void R_SetParams(Rstart Rp)
 {
 R_Quiet = Rp->R_Quiet;
 R_Slave = Rp->R_Slave;
+ R_Sandbox_requested = Rp->R_Sandbox_requested;
 R_Interactive = Rp->R_Interactive;
 R_Verbose = Rp->R_Verbose;
 RestoreAction = Rp->RestoreAction;
diff -rup R-2.11.0-orig//src/unix/sys-unix.c R-2.11.0/src/unix/sys-unix.c
--- R-2.11.0-orig//src/unix/sys-unix.c 2010-05-17 11:56:16.000000000 -0400
+++ R-2.11.0/src/unix/sys-unix.c 2010-05-18 22:17:28.000000000 -0400
@@ -256,6 +256,9 @@ SEXP attribute_hidden do_system(SEXP cal
 SEXP tlist = R_NilValue;
 int read=0;
 
+ if (R_Sandbox_active)
+ error(_("system() is disabled in sandbox mode"));
+
 checkArity(op, args);
 if (!isValidStringF(CAR(args)))
 errorcall(call, _("non-empty character argument expected"));
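Review bot: The system() guard in the sys-unix.c hunk covers only the Unix do_system; the Windows build has its own do_system under src/gnuwin32, which this patch does not touch, so on that platform system() stays available under `--sandbox` unless a matching check is added there. If Windows is out of scope, say so next to the flag's declaration so nobody assumes the option is portable. do_system starts and ends outside the hunk.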