From fd0c4577a4b6e85ca2db664906e1a03807ce133f Mon Sep 17 00:00:00 2001
From: Hans Hagen
Date: Sun, 14 May 2017 19:58:50 +0200
Subject: 2017-05-14 19:15:00
---
 web2c/contextcnf.lua | 42 +++++++++++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 13 deletions(-)
(limited to 'web2c/contextcnf.lua')
diff --git a/web2c/contextcnf.lua b/web2c/contextcnf.lua
index a2025e6ef..cd948c23e 100644
--- a/web2c/contextcnf.lua
+++ b/web2c/contextcnf.lua
@@ -144,8 +144,8 @@ return {
 ["luatex.maxprintline"] = " 10000", -- 79
 ["luatex.maxstrings"] = "500000", -- 15000 -- obsolete
 ["luatex.paramsize"] = "25000", -- 60
- ["luatex.savesize"] = "50000", -- 4000
- ["luatex.stacksize"] = "10000", -- 300
+ ["luatex.savesize"] = "100000", -- 4000
+ ["luatex.stacksize"] = "100000", -- 300
 -- A few process related variables come next.
@@ -155,17 +155,33 @@ return {
 ["system.compile.cleanup"] = "no", -- remove tma files
 ["system.compile.strip"] = "yes", -- strip tmc files
- -- The io modes are similar to the traditional ones. Possible values
- -- are all, paranoid and restricted.
-
- -- ["system.outputmode"] = "restricted",
- -- ["system.inputmode"] = "any",
-
- -- The following variable is under consideration. We do have protection
- -- mechanims but it's not enabled by default.
-
- ["system.commandmode"] = "any", -- any none list
- ["system.commandlist"] = "mtxrun, convert, inkscape, gs, imagemagick, curl, bibtex, pstoedit",
+ -- sandboxing (these only kick in when --sandbox is given) .. the examples
+ -- below are just that, examples, as sandboxing is off by default ... when
+ -- turned on, restrictions kick in, and programs registered at runtime have
+ -- (even) more restrictions than already registered ones
+
+ -- ["system.rootlist"] = { "/data" }, -- { { "/data", "read" }, ... }
+ --
+ -- ["system.executionmode"] = "list", -- none | list | all
+ -- ["system.executionlist"] = {
+ -- "context",
+ -- "bibtex", "mlbibcontext",
+ -- "curl",
+ -- "gswin64c", "gswin32c", "gs",
+ -- "gm", "graphicmagick", "imagemagick",
+ -- "pdftops",
+ -- "pstoedit",
+ -- "inkscape",
+ -- "woff2_decompress",
+ -- "hb-shape",
+ -- },
+ --
+ -- ["system.librarymode"] = "list", -- none | list | all
+ -- ["system.librarylist"] = {
+ -- "mysql",
+ -- "sqlite3",
+ -- "libharfbuzz", "libharfbuzz-0",
+ -- }
 -- The mplib library support mechanisms have their own
 -- configuration. Normally these variables can be left as
--
cgit v1.2.3
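Review bot: The commented example for `system.executionlist` is likely to be uncommented verbatim, and it allow-lists general-purpose tools such as `curl` and the Ghostscript binaries, so in `list` mode the policy is only as tight as what those programs can themselves read, write or fetch; whether the sandbox also constrains their arguments is not visible in this hunk. I would add a line above the list such as `-- keep this list minimal: every entry is a program that sandboxed runs may still execute`. The block should also state what `system.executionmode` and `system.librarymode` default to when `--sandbox` is given and these keys stay commented out, since the previously active `system.commandmode` entry is removed. The closing `-- }` of `system.librarylist` lacks the trailing comma that `-- },` of `system.executionlist` has, so uncommenting the block as written would presumably break the table if further entries follow; `-- },` avoids that. The enclosing `return {` table starts and ends outside the hunk.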