author | Daniel Silverstone <dsilvers@digital-scurf.org> | 2012-07-28 11:26:10 +0100 |
committer | Daniel Silverstone <dsilvers@digital-scurf.org> | 2012-07-28 11:26:10 +0100 |
commit | 53444511938cc3999729a4c2aa6eccc9a2741ab2 (patch) | |
tree | 4613a4309ac29b624b562f23fd596fdb6ebd6448 /notes | |
parent | f3ba95101aabd9c308ef746db32c6eb7536a5a7f (diff) | |
download | supple-53444511938cc3999729a4c2aa6eccc9a2741ab2.tar.gz |
Notes
Diffstat (limited to 'notes')
-rw-r--r-- | notes/design | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/notes/design b/notes/design index 3cd1c90..d055d1d 100644 --- a/notes/design +++ b/notes/design @@ -147,3 +147,25 @@ can be written explicitly and the deserialiser can simply be a generic loader followed by a series of asserts and measures to ensure nothing malicious gets injected. + +# New terminology + +* Host -- The program which wants to run untrusted code +* Sandbox -- The subprocess which is going to run the code on the Host's behalf + +# What happens when a host wants to run untrusted code? + +1. The host starts by preparing a socketpair and forking. +2. The forked process dup2()s the socketpair onto fd 0 and force-closes every + FD (regardless of the likelyhood of it being open). +3. Then the forked process executes a specifically compiled lua interpreter. +4. The interpreter loads the Supple modules and then the one module so + instructed by the host. +5. Said interpreter, if setuid(root) then + 1. makes a directory owned by root + 2. changes into that directory + 4. removes that directory + 5. chroot()s into that (now) ephemeral directory + 6. drops privileges +6. Finally the interpreter, now referred to as the Sandbox enters a receive + state where it waits for a procedure call. |
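Review bot: the sub-list under step 5 is mis-numbered (1, 2, 4, 5, 6), so either a sub-step between "changes into that directory" and "removes that directory" was dropped from the notes or the list needs renumbering; please fix one way or the other, since this sequence is the security-critical part of the design. Two smaller points in the same hunk: "likelyhood" should read "likelihood", and step 2 would be clearer if it stated explicitly that the force-close pass happens after the dup2() and spares fd 0 (otherwise the sandbox loses its only channel to the Host), and what fds 1 and 2 end up connected to. Step 5.6 ("drops privileges") would also benefit from a sentence on the order of the drop (supplementary groups and gid before uid) and on verifying afterwards that root cannot be regained, and the notes should say what the interpreter does in the non-setuid case, which step 5 currently leaves undocumented.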