Fix: allow external modules to access the OCaml stdlib

This would deserve a further look into it, but for now it's impeding development without providing any meaningful security.
2024-11-08 07:51:43 +03:00 · 2024-04-13 10:07:20 +02:00 · 2024-04-13 10:07:20 +02:00 · c8e529dd9f
commit c8e529dd9f
parent 87b2c4ded2
1 changed files with 7 additions and 3 deletions
--- a/compiler/driver.ml
+++ b/compiler/driver.ml
@ -1142,9 +1142,13 @@ let main () =
          | exception Sys_error _ ->
            Message.debug "Could not read plugin directory %s" d)
      plugins_dirs;
-    Dynlink.allow_only ["Runtime_ocaml__Runtime"];
-    (* We may use dynlink again, but only for runtime modules: no plugin
-       registration after this point *)
+    Dynlink.allow_only
+      (List.filter (( <> ) "Driver__Plugin") (Dynlink.all_units ()));
+    (* From here on, no plugin registration is allowed. However, the interpreter
+       may yet use Dynlink to load external modules. - TODO: This used to allow
+       only "Runtime_ocaml__Runtime", but forbidding external Catala modules to
+       use the OCaml Stdlib was a bit much. We should examine how to re-add some
+       more filtering here without being too restrictive. *)
    Plugin.list ()
  in
  let command = catala_t plugins in