Added settings to disable sandboxing

src/main/resources/application.conf

@@ -114,14 +114,6 @@ opencomputers {
       # already running - they'll have to be rebooted for this to take effect.
       timeout: 5.0
 
-      # Whether to allow loading precompiled bytecode via Lua's `load` function,
-      # or related functions (`loadfile`, `dofile`). Enable this only if you
-      # absolutely trust all users on your server and all Lua code you run. This
-      # can be a MASSIVE SECURITY RISK, since precompiled code can easily be
-      # used for exploits, running arbitrary code on the real server! I cannot
-      # stress this enough: only enable this is you know what you're doing.
-      allowBytecode: false
-
       # The time in seconds to wait after a computer has been restored before it
       # continues to run. This is meant to allow the world around the computer
       # to settle, avoiding issues such as components in neighboring chunks
@@ -207,6 +199,36 @@ opencomputers {
       # never exceed 50, a single tick, though) to reduce CPU load even more.
       executionDelay: 12
 
+      security {
+          # Whether to allow loading precompiled bytecode via Lua's `load` function,
+          # or related functions (`loadfile`, `dofile`). Enable this only if you
+          # absolutely trust all users on your server and all Lua code you run. This
+          # can be a MASSIVE SECURITY RISK, since precompiled code can easily be
+          # used for exploits, running arbitrary code on the real server! I cannot
+          # stress this enough: only enable this is you know what you're doing.
+          allowBytecode: false
+
+          # Whether to allow full access to the debug library.
+          # Only enable this if you trust all users on your server and all code that
+          # you run. This can be a MASSIVE SECURITY RISK, since the debug library
+          # can be used to access private data outside the sandbox. I cannot stress
+          # thus enough: only enable this if you know what you are doing
+          allowDebug: false
+
+          # If set to false, the mod will make no attempt to sandbox kernel.lua.
+          # This means, if there is a bug that allows to escape the sandbox, any
+          # player can access any files on your system. this can be a MASSIVE
+          # SECURITY RISK. Only enable this if you know exactly what you are doing
+          kernelSandbox: true
+
+          # Whether the sandbox should be disabled. If this is enabled, kernel.lua
+          # adds `kernel` to the sandbox which is a reference to the unsandboxed _G.
+          # In other words: It basicly disables ANY security of the OC computer.
+          # Code running on it can do whatever it wants to the server machine.
+          # ONLY ENABLE IF YOU KNOW EXACTLY WHAT YOU ARE DOING.
+          disableSandbox: false
+      }
+
       # Debugging related settings. You usually don't want to touch these
       # unless asked to do so by a developer.
       debug {

src/main/resources/assets/opencomputers/lua/kernel.lua

@@ -41,6 +41,16 @@ local function spcall(...)
   end
 end
 
+local function makeDebug()
+    if system.allowDebug() then
+        return debug
+    else
+        return {
+            traceback = debug.traceback
+        }
+    end
+end
+
 --[[ This is the global environment we make available to userland programs. ]]
 -- You'll notice that we do a lot of wrapping of native functions and adding
 -- parameter checks in those wrappers. This is to avoid errors from the host
@@ -260,13 +270,14 @@ sandbox = {
     tmpname = nil, -- in boot/*_os.lua
   },
 
-  debug = {
-    traceback = debug.traceback
-  },
+  debug = makeDebug(),
 
   checkArg = checkArg
 }
 sandbox._G = sandbox
+if system.disableSandbox() then
+    sandbox.kernel = _G
+end
 
 -------------------------------------------------------------------------------
 -- Start of non-standard stuff.

src/main/scala/li/cil/oc/Settings.scala

@@ -64,10 +64,17 @@ class Settings(config: Config) {
   val canComputersBeOwned = config.getBoolean("computer.canComputersBeOwned")
   val maxUsers = config.getInt("computer.maxUsers") max 0
   val maxUsernameLength = config.getInt("computer.maxUsernameLength") max 0
-  val allowBytecode = config.getBoolean("computer.allowBytecode")
   val eraseTmpOnReboot = config.getBoolean("computer.eraseTmpOnReboot")
   val executionDelay = config.getInt("computer.executionDelay") max 0
 
+  // ----------------------------------------------------------------------- //
+  // computer.security
+
+  val allowBytecode = config.getBoolean("computer.security.allowBytecode")
+  val allowDebug = config.getBoolean("computer.security.allowDebug")
+  val hardwareSandbox = config.getBoolean("computer.security.kernelSandbox")
+  val disableSandbox = config.getBoolean("computer.security.disableSandbox")
+
   // ----------------------------------------------------------------------- //
   // computer.debug
 

src/main/scala/li/cil/oc/server/component/machine/LuaJLuaArchitecture.scala

@@ -203,15 +203,22 @@ class LuaJLuaArchitecture(val machine: api.machine.Machine) extends Architecture
 
   override def initialize() = {
     lua = JsePlatform.debugGlobals()
-    lua.set("package", LuaValue.NIL)
-    lua.set("require", LuaValue.NIL)
-    lua.set("io", LuaValue.NIL)
-    lua.set("os", LuaValue.NIL)
-    lua.set("luajava", LuaValue.NIL)
-
-    // Remove some other functions we don't need and are dangerous.
-    lua.set("dofile", LuaValue.NIL)
-    lua.set("loadfile", LuaValue.NIL)
+    if (Settings.get.hardwareSandbox) {
+      lua.set("package", LuaValue.NIL)
+      lua.set("require", LuaValue.NIL)
+      lua.set("io", LuaValue.NIL)
+      lua.set("luajava", LuaValue.NIL)
+      lua.set("os", LuaValue.NIL)
+
+      // Remove some other functions we don't need and are dangerous.
+      lua.set("dofile", LuaValue.NIL)
+      lua.set("loadfile", LuaValue.NIL)
+    } else {
+      val t = LuaValue.tableOf()
+      t.set("io", lua.get("io"))
+      t.set("os", lua.get("os"))
+      lua.set("native", t)
+    }
 
     apis.foreach(_.initialize())
 

src/main/scala/li/cil/oc/server/component/machine/luac/SystemAPI.scala

@@ -33,6 +33,19 @@ class SystemAPI(owner: NativeLuaArchitecture) extends NativeLuaAPI(owner) {
     })
     lua.setField(-2, "allowBytecode")
 
+    // Whether debug library should not be stripped
+    lua.pushScalaFunction(lua => {
+      lua.pushBoolean(Settings.get.allowBytecode)
+      1
+    })
+    lua.setField(-2, "allowDebug")
+
+    lua.pushScalaFunction(lua => {
+      lua.pushBoolean(Settings.get.disableSandbox)
+      1
+    })
+    lua.setField(-2, "disableSandbox")
+
     // How long programs may run without yielding before we stop them.
     lua.pushScalaFunction(lua => {
       lua.pushNumber(Settings.get.timeout)

src/main/scala/li/cil/oc/server/component/machine/luaj/SystemAPI.scala

@@ -12,6 +12,9 @@ class SystemAPI(owner: LuaJLuaArchitecture) extends LuaJAPI(owner) {
     // Whether bytecode may be loaded directly.
     system.set("allowBytecode", (_: Varargs) => LuaValue.valueOf(Settings.get.allowBytecode))
 
+    // Whether debug library should not be stripped
+    system.set("allowDebug", (_: Varargs) => LuaValue.valueOf(Settings.get.allowDebug))
+
     // How long programs may run without yielding before we stop them.
     system.set("timeout", (_: Varargs) => LuaValue.valueOf(Settings.get.timeout))
 

src/main/scala/li/cil/oc/util/LuaStateFactory.scala

@@ -216,6 +216,27 @@ object LuaStateFactory {
         state.openLib(jnlua.LuaState.Library.TABLE)
         state.pop(8)
 
+        if (!Settings.get.hardwareSandbox) {
+          state.openLib(jnlua.LuaState.Library.IO)
+          state.openLib(jnlua.LuaState.Library.JAVA)
+          state.openLib(jnlua.LuaState.Library.OS)
+          state.openLib(jnlua.LuaState.Library.PACKAGE)
+          state.pop(4)
+
+          state.newTable()
+          state.getGlobal("os")
+          state.setField(-2, "os")
+
+          state.getGlobal("loadfile")
+          state.setField(-2, "loadfile")
+
+          state.getGlobal("dofile")
+          state.setField(-2, "dofile")
+
+          state.setGlobal("native")
+
+        }
+
         // Prepare table for os stuff.
         state.newTable()
         state.setGlobal("os")