Date: Wed, 17 Jul 2013 04:08:18 +0530 From: Ambarisha B <b.ambarisha@gmail.com> To: Xin LI <d@delphij.net>, David Chisnall <theraven@freebsd.org>, soc-status@freebsd.org Subject: IDMS: Second thoughts about sandboxing Message-ID: <CAJP25sMGv3TxgPzuZB4w1JjaYv_G3-OxYRWe5p_H_CGk7ZCTew@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hi, As we discussed, I was planning to sandbox the worker. For this I modified the libfetch to accept a connection. After feeling uneasy for a while, now I am convinced that I am doing it all wrong. I don't think we should sandbox the worker. All the sandboxing, capsicum integration etc. should be done within libfetch. My arguments for this: There are multiple independent (http/ftp) requests happening in each worker. As such, it is both tedious and pointless to create all those connections before hand, then sandbox and then use the connections. I realized libfetch abstracted out creating a connection for a reason. If we make a connection and sandbox, we won't be able to handle redirects as we'll have to create a connection with the new target site. If we handle redirects before sandboxing, we're basically doing all the header processing before sandboxing anyway. Just the data transfer would be sandboxed, which seemed pointless to me as it is pretty straightforward. Modifying libfetch to accept a connection, itself, was a hack. I had three options. Sneak in the connection object in the url struct or change all the function prototypes or double all the functions with an additional connection object parameter. I chose the first. I think all the sandboxing should be done within libfetch because that is the point where we can confidently say "I don't need to create any more connections now". Ofcourse, this means more work with libfetch and that some of the work I did is useless or has to be undone. But I think its better to fix it now than later. I think, the best way to go is to just assume libfetch is foolproof now and then make it foolproof later by integrating it with capsicum. After spending some time on this, I'm interested in trying it out myself. I would love to be proven wrong here. That'll save a lot of work :) Cheers Ambarish
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJP25sMGv3TxgPzuZB4w1JjaYv_G3-OxYRWe5p_H_CGk7ZCTew>