From owner-soc-status@FreeBSD.ORG Tue Jul 16 22:38:19 2013
Date: Wed, 17 Jul 2013 04:08:18 +0530
Subject: IDMS: Second thoughts about sandboxing
From: Ambarisha B
To: Xin LI, David Chisnall, soc-status@freebsd.org
List-Id: Summer of Code Status Reports and Discussion

Hi,

As we discussed, I was planning to sandbox the worker. For this I modified libfetch to accept a connection.
After feeling uneasy for a while, I am now convinced that I am doing it all wrong. I don't think we should sandbox the worker. All the sandboxing, capsicum integration etc. should be done within libfetch.

My arguments for this:

1. There are multiple independent (http/ftp) requests happening in each worker. As such, it is both tedious and pointless to create all those connections beforehand, then sandbox and then use the connections. I realized libfetch abstracted out creating a connection for a reason.

2. If we make a connection and sandbox, we won't be able to handle redirects, as we'll have to create a connection with the new target site. If we handle redirects before sandboxing, we're basically doing all the header processing before sandboxing anyway. Just the data transfer would be sandboxed, which seemed pointless to me as it is pretty straightforward.

3. Modifying libfetch to accept a connection was itself a hack. I had three options: sneak the connection object into the url struct, change all the function prototypes, or double all the functions with an additional connection object parameter. I chose the first.

I think all the sandboxing should be done within libfetch because that is the point where we can confidently say "I don't need to create any more connections now". Of course, this means more work with libfetch and that some of the work I did is useless or has to be undone. But I think it's better to fix it now than later.

I think the best way to go is to just assume libfetch is foolproof now and then make it foolproof later by integrating it with capsicum. After spending some time on this, I'm interested in trying it out myself.

I would love to be proven wrong here. That'll save a lot of work :)

Cheers
Ambarish
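The redirect argument above, worked through as an added example (this is not code from the post, from libfetch or from IDMS). It models a fetch worker that follows an HTTP 301 and compares two places to enter the sandbox: right after the first connection, and only after the final response headers have been read. Capability mode is modeled with a process-wide flag rather than a real cap_enter(2) call, so the model can be reset between runs; the hostnames, responses and the `SITES` table are constructed for the example, and `ECAPMODE` is defined with FreeBSD's value only where the platform's errno.h lacks it.

```c
/* Added example, not from the post, libfetch or IDMS. Capability mode is
 * MODELED by a flag: on FreeBSD, sandbox_enter() is where cap_enter(2)
 * from <sys/capsicum.h> would go, after which connect(2) fails with
 * ECAPMODE. Hosts and responses below are constructed for the example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef ECAPMODE
#define ECAPMODE 94   /* FreeBSD's value: not permitted in capability mode */
#endif

/* Constructed "servers": the first host redirects to the second. */
struct site { const char *host; const char *response; };
static const struct site SITES[] = {
    { "old.example.org", "HTTP/1.1 301 Moved Permanently\r\n"
                         "Location: http://new.example.org/file\r\n\r\n" },
    { "new.example.org", "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello" },
};

static int in_capability_mode;  /* stands in for the kernel's per-process flag */
static int connections_made;

/* Where the real worker would call cap_enter(); irreversible for a real process. */
static void sandbox_enter(void) { in_capability_mode = 1; }
/* Only possible because this is a model: real capability mode cannot be left. */
static void sim_reset(void) { in_capability_mode = 0; connections_made = 0; }

/* Modeled connect(2): the returned "fd" is an index into SITES. connect(2)
 * names a host in the global namespace, so capability mode refuses it. */
static int sim_connect(const char *host)
{
    if (in_capability_mode) { errno = ECAPMODE; return -1; }
    for (size_t i = 0; i < sizeof SITES / sizeof SITES[0]; i++)
        if (strcmp(SITES[i].host, host) == 0) { connections_made++; return (int)i; }
    errno = EHOSTUNREACH;
    return -1;
}

/* Extract the host part of "scheme://host[:port]/path". */
static int url_host(const char *url, char *out, size_t n)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return -1;
    p += 3;
    size_t len = strcspn(p, "/:");
    if (len == 0 || len >= n) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

enum sandbox_policy {
    SANDBOX_AFTER_FIRST_CONNECT,  /* the approach the post argues against */
    SANDBOX_AFTER_FINAL_HEADERS   /* "I don't need any more connections now" */
};

/* Fetch url, following up to 5 redirects. Returns the body length copied
 * into buf, or -errno (so -ECAPMODE when the sandbox blocks a redirect). */
static int fetch(const char *url, enum sandbox_policy policy, char *buf, size_t len)
{
    char host[64], next[128];
    for (int hops = 0; hops < 5; hops++) {
        if (url_host(url, host, sizeof host) < 0) return -EINVAL;
        int fd = sim_connect(host);
        if (fd < 0) return -errno;
        if (policy == SANDBOX_AFTER_FIRST_CONNECT && !in_capability_mode)
            sandbox_enter();

        /* Status line and headers are parsed outside the sandbox under either
         * policy: a redirect may still require a fresh connect(2). */
        const char *resp = SITES[fd].response;
        int status = atoi(resp + strlen("HTTP/1.1 "));
        const char *body = strstr(resp, "\r\n\r\n");
        if (body == NULL) return -EPROTO;
        body += 4;
        if (status >= 300 && status < 400) {
            const char *loc = strstr(resp, "Location: ");
            if (loc == NULL) return -EPROTO;
            loc += strlen("Location: ");
            size_t n = strcspn(loc, "\r\n");
            if (n >= sizeof next) return -ENAMETOOLONG;
            memcpy(next, loc, n);
            next[n] = '\0';
            url = next;
            continue;   /* host only known from the response: must reconnect */
        }

        /* Final response: from here on only the data transfer remains. */
        if (policy == SANDBOX_AFTER_FINAL_HEADERS) sandbox_enter();
        size_t blen = strlen(body);
        if (blen >= len) return -ENOBUFS;
        memcpy(buf, body, blen + 1);
        return (int)blen;
    }
    return -ELOOP;
}

int main(void)
{
    char buf[32];
    sim_reset();
    int r = fetch("http://old.example.org/file", SANDBOX_AFTER_FIRST_CONNECT, buf, sizeof buf);
    printf("after first connect: r=%d%s, connections=%d\n",
           r, r == -ECAPMODE ? " (ECAPMODE on redirect)" : "", connections_made);
    sim_reset();
    r = fetch("http://old.example.org/file", SANDBOX_AFTER_FINAL_HEADERS, buf, sizeof buf);
    printf("after final headers: r=%d body=\"%s\", connections=%d\n",
           r, r > 0 ? buf : "", connections_made);
    return 0;
}
```

Under the first policy the 301 is fatal: the worker learns the new host from the response and needs a second connect(2), which capability mode refuses. Under the second policy both connections succeed and only the body copy runs sandboxed, which is exactly the observation in the post that header processing ends up outside the sandbox either way, and why the entry point belongs inside libfetch, where it knows the last connection has been made.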