Diffstat (limited to 'notes/design')
-rw-r--r-- | notes/design | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/notes/design b/notes/design index 3cd1c90..d055d1d 100644 --- a/notes/design +++ b/notes/design @@ -147,3 +147,25 @@ can be written explicitly and the deserialiser can simply be a generic loader followed by a series of asserts and measures to ensure nothing malicious gets injected. + +# New terminology + +* Host -- The program which wants to run untrusted code +* Sandbox -- The subprocess which is going to run the code on the Host's behalf + +# What happens when a host wants to run untrusted code? + +1. The host starts by preparing a socketpair and forking. +2. The forked process dup2()s the socketpair onto fd 0 and force-closes every + FD (regardless of the likelyhood of it being open). +3. Then the forked process executes a specifically compiled lua interpreter. +4. The interpreter loads the Supple modules and then the one module so + instructed by the host. +5. Said interpreter, if setuid(root) then + 1. makes a directory owned by root + 2. changes into that directory + 4. removes that directory + 5. chroot()s into that (now) ephemeral directory + 6. drops privileges +6. Finally the interpreter, now referred to as the Sandbox enters a receive + state where it waits for a procedure call. |
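Review bot: step 2 has an ordering problem: it says the forked process dup2()s the socketpair onto fd 0 and then "force-closes every FD", which as written would close fd 0 as well; the step should state that the close loop skips fd 0 (or that the loop runs before the dup2), since the Sandbox's only channel to the Host is that descriptor. Two smaller points in the same hunk: the sub-steps under step 5 are numbered 1, 2, 4, 5, 6 (there is no 3), and "likelyhood" should read "likelihood".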