How to load sqlite3 package in safe interpreter

Question

Since I can't load package as normal in safe interpreter as usuall, I alias the package command to safe interpreter like this:

set $safeInterp [safe::interpCreate]
$safeInterp alias package package 
$safeInterp eval {package require sqlite3}

##After that, I executed 
$safeInterp eval {sqlite3 db hello.sqlite3}
##But it failed and shows an error: invalid command name "sqlite3"

##So I alias the sqlite3 command, and connect to the database.
$safeInterp alias sqlite3 sqlite3
$safeInterp eval {sqlite3 db hello.sqlite3}

##But then even the db function cannot be found in safe interpreter.

I'm wondering if there any way to load the sqlite3 package and create connection in safe interpreter as normal, so that I don't need to alias every command from master interpreter.

Answer 1

The tclsqlite package does deliberately not define a SafeInit entry point, as commented in the source code. _SafeInit() is used instead of _Init() when a package is loaded in a safe interpreter to provide a safer subset of commands.

/* Because it accesses the file-system and uses persistent state, SQLite
 ** is not considered appropriate for safe interpreters.  Hence, we cause
 ** the _SafeInit() interfaces return TCL_ERROR.
 */
EXTERN int Sqlite3_SafeInit(Tcl_Interp *interp){ return TCL_ERROR; }
EXTERN int Sqlite3_SafeUnload(Tcl_Interp *interp, int flags){return TCL_ERROR;}

(from https://www.sqlite.org/src/artifact/916a92de77ec5cbe)

Simply aliasing the sqlite command into a safe interpreter probably makes it unsafe, especially if some of the extra options are available like loadable modules.

So no, its not possible to simply load it without aliasing. And to make it safe you should probably add some policy wrapper that sanitizes commands and restricts the available options, depending on your security needs.