Sandbox Plugin System Design

[AhmedAlaa2024]

🚀 Feature

Sandbox Plugin System Design

Description

Sandbox Plugin will provide a high-level API similar to Deno Permissions but with full control like in Docker containers. With this, any language like higher level ones like NodeJS, Ruby, Python.. will be able to control execution, especially for untrusted code. This also applies to any other supported language in MetaCall, like Rust, Java, C#

APIs

• API Flag Format: --allow-{category} / --disallow-{category}

• Mapped Function Format: int sandbox_{category}(void *ctx, bool allow)

Category	Syscalls Affected
io	read - write - open - close - lseek - dup - dup2 - pipe - select - poll - epoll - fcntl - ioctl - pread - pwrite - readv - writev - send - recv - sendto - recvfrom - sendmsg - recvmsg - fsync - fdatasync
sockets	socket - bind - listen - accept - connect - send - recv - sendto - recvfrom - shutdown - getsockname - getpeername - socketpair - setsockopt - getsockopt - select - poll - epoll - fcntl - ioctl - getaddrinfo - getnameinfo - gethostname - gethostbyname - gethostbyaddr
ipc	shmget - shmat - shmdt - shmctl - msgget - msgsnd - msgrcv - msgctl - semget - semop - semctl - ftok
process	fork - vfork - clone - exec - wait - waitpid - waitid - exit - exit_group - kill - getpid - getppid - setsid - setpgid - nice - sched_yield - setpriority - getpriority - getpgid - setsid
filesystems	open - close - read - write - lseek - unlink - mkdir - rmdir - rename - link - symlink - stat - fstat - lstat - chmod - newfstatat - chown - utime - access - truncate - ftruncate - sync - fsync - fdatasync - chdir - getcwd - opendir - readdir - closedir - chroot - mount - umount
time	time - gettimeofday - clock_gettime - clock_settime - clock_getres - date
memory	mmap - munmap - mprotect - brk - sbrk - sbrk - mincore - madvise - posix_memalign - malloc - calloc - realloc - free - mlock - munlock - mlockall - munlockall - getrlimit - setrlimit - getrusage - getpagesize
signals	signal - sigaction - kill - raise - abort - pause - sigpending - sigprocmask - sigsuspend - sigqueue - sigsetjmp - siglongjmp - sigaltstack - signalfd

System Calls Categories:

I/O (Input/Output):

I/O system calls in Linux enable processes to read from and write to various input and output devices, including files, network sockets, and terminals. These calls allow data to be transferred between the program and external resources.

1. read: Reads data from a file descriptor into a buffer.
2. write: Writes data from a buffer to a file descriptor.
3. open: Opens a file or creates a new one.
4. close: Closes a file descriptor.
5. lseek: Changes the file position of a file descriptor.
6. dup: Duplicates a file descriptor.
7. dup2: Duplicates a file descriptor to a specified target file descriptor.
8. pipe: Creates an interprocess communication (IPC) pipe.
9. select: Monitors multiple file descriptors for read, write, or error conditions.
10. poll: Similar to select, monitors multiple file descriptors for events.
11. epoll: Provides a scalable and more efficient mechanism for monitoring file descriptors.
12. fcntl: Performs various operations on file descriptors.
13. ioctl: Performs I/O control operations on devices or sockets.
14. pread: Reads data from a file descriptor at a specific offset without changing the file position.
15. pwrite: Writes data to a file descriptor at a specific offset without changing the file position.
16. readv: Reads data into multiple buffers from a file descriptor.
17. writev: Writes data from multiple buffers to a file descriptor.
18. send: Sends data on a connected socket.
19. recv: Receives data from a connected socket.
20. sendto: Sends data to a specified address and port on a socket.
21. recvfrom: Receives data from a socket, including the sender's address and port.
22. sendmsg: Sends a message on a socket with greater control over headers and data.
23. recvmsg: Receives a message from a socket with control information.
24. fsync: Synchronizes a file's in-memory state with its on-disk state.
25. fdatasync: Synchronizes only the data part of a file with its on-disk state.

Sockets:

Socket system calls provide the foundation for network communication in Linux. They allow processes to create, connect, send, and receive data over network sockets, facilitating communication between processes across different devices or even over a network.

1. socket: Creates a new socket.
2. bind: Associates a socket with a specific address and port.
3. listen: Puts a socket into listening mode for incoming connections (used with server sockets).
4. accept: Accepts an incoming connection on a listening socket.
5. connect: Initiates a connection to a remote socket.
6. send: Sends data on a connected socket.
7. recv: Receives data from a connected socket.
8. sendto: Sends data to a specified address and port on a socket.
9. recvfrom: Receives data from a socket, including the sender's address and port.
10. shutdown: Shuts down part or all of a socket's communication.
11. getsockname: Retrieves the local address and port of a socket.
12. getpeername: Retrieves the remote address and port of a connected socket.
13. socketpair: Creates a pair of connected sockets for local interprocess communication (IPC).
14. setsockopt: Sets options on a socket.
15. getsockopt: Retrieves options from a socket.
16. select: Monitors multiple sockets for read, write, or error conditions.
17. poll: Similar to select, monitors multiple sockets for events.
18. epoll: Provides a scalable and more efficient mechanism for monitoring sockets.
19. fcntl: Performs various operations on socket file descriptors.
20. ioctl: Performs I/O control operations on sockets.
21. getaddrinfo: Resolves hostnames and service names to socket addresses.
22. getnameinfo: Retrieves human-readable information from socket addresses.
23. gethostname: Retrieves the name of the local host.
24. gethostbyname: Retrieves host information based on a hostname (deprecated, use getaddrinfo instead).
25. gethostbyaddr: Retrieves host information based on an IP address (deprecated, use getaddrinfo instead).

IPC (Interprocess Communication):

IPC system calls enable processes to exchange data and synchronize their actions. This category includes shared memory, message queues, and semaphores, which facilitate communication and coordination between different processes running on the same system.

1. shmget: Allocates a shared memory segment.
2. shmat: Attaches a shared memory segment to the calling process's address space.
3. shmdt: Detaches a shared memory segment from the calling process.
4. shmctl: Performs control operations on a shared memory segment.
5. msgget: Allocates a new message queue.
6. msgsnd: Sends a message to a message queue.
7. msgrcv: Receives a message from a message queue.
8. msgctl: Performs control operations on a message queue.
9. semget: Allocates a new set of semaphores.
10. semop: Performs semaphore operations (e.g., wait, signal) on a semaphore set.
11. semctl: Performs control operations on a semaphore set.
12. ftok: Generates a key for interprocess communication resources.

Process Management:

Process management system calls are crucial for creating, controlling, and managing processes. These calls include process creation, termination, signal handling, and resource management, allowing processes to interact and coordinate their activities.

1. fork: Creates a new process by duplicating the calling process.
2. vfork: Creates a new process, but suspends the parent process until the child process terminates.
3. clone: Creates a new process or thread, allowing for more fine-grained control than fork.
4. exec: Replaces the current process image with a new one.
5. wait: Waits for a child process to terminate and collects its exit status.
6. waitpid: Waits for a specific child process to terminate and collects its exit status.
7. waitid: Waits for the termination of a specific process or group of processes.
8. exit: Terminates the calling process and returns an exit status to the parent process.
9. exit_group: Terminates all threads in the calling process and exits the process group.
10. kill: Sends a signal to a specified process or process group.
11. getpid: Retrieves the process ID (PID) of the calling process.
12. getppid: Retrieves the parent process's PID of the calling process.
13. setsid: Creates a new session and sets the calling process as the session leader.
14. setpgid: Sets the process group ID of a specified process.
15. nice: Adjusts the scheduling priority of a process.
16. sched_yield: Yields the CPU to other processes in the same priority range.
17. setpriority: Sets the scheduling priority of a process.
18. getpriority: Retrieves the scheduling priority of a process.
19. getpgid: Retrieves the process group ID of a process.
20. setsid: Creates a new session and sets the calling process as the session leader.

File Systems:

File system system calls provide the means to interact with the file system, including file and directory creation, manipulation, and access control. These calls allow processes to read, write, and manage files and directories on storage devices.

1. open: Opens a file or creates a new one.
2. close: Closes a file descriptor.
3. read: Reads data from a file descriptor into a buffer.
4. write: Writes data from a buffer to a file descriptor.
5. lseek: Changes the file position of a file descriptor.
6. unlink: Removes a directory entry or a file.
7. mkdir: Creates a new directory.
8. rmdir: Removes a directory.
9. rename: Renames a file or directory.
10. link: Creates a hard link to an existing file.
11. symlink: Creates a symbolic link to a file.
12. stat: Retrieves file status information.
13. fstat: Retrieves file status information for an open file.
14. lstat: Retrieves symbolic link status information.
15. chmod: Changes the permissions of a file or directory.
16. newfstatat: Retrieves file status information relative to a directory file descriptor.
17. chown: Changes the ownership of a file or directory.
18. utime: Sets access and modification times for a file.
19. access: Checks accessibility of a file.
20. truncate: Truncates a file to a specified length.
21. ftruncate: Truncates an open file to a specified length.
22. sync: Synchronizes cached writes to persistent storage.
23. fsync: Synchronizes a file's in-memory state with its on-disk state.
24. fdatasync: Synchronizes only the data part of a file with its on-disk state.
25. chdir: Changes the current working directory.
26. getcwd: Retrieves the current working directory.
27. opendir: Opens a directory for reading.
28. readdir: Reads the next entry from a directory.
29. closedir: Closes a directory.
30. chroot: Changes the root directory for a process.
31. mount: Mounts a file system.
32. umount: Unmounts a file system.

Date and Time:

Date and time system calls allow processes to work with time-related information. These calls include functions for retrieving the current time, setting timers, and manipulating time values, helping programs manage timestamps and schedule events.

1. time: Retrieves the current time since the Epoch.
2. gettimeofday: Retrieves the current time with microsecond precision.
3. clock_gettime: Retrieves the current time based on a specified clock.
4. clock_settime: Sets the time of a specified clock.
5. clock_getres: Retrieves the resolution of a specified clock.
6. date: Displays or sets the system date and time.
7. sleep: Suspends the execution of a process for a specified number of seconds.
8. usleep: Suspends the execution of a process for a specified number of microseconds.
9. nanosleep: Suspends the execution of a process for a specified number of nanoseconds.
10. clock_nanosleep: Suspends the execution of a process until a specified clock time is reached, with nanosecond precision.

Memory Management:

Memory management system calls deal with the allocation, deallocation, and manipulation of memory in a process's address space. They include functions for memory mapping, memory protection, dynamic memory allocation, and memory locking.

1. mmap: Maps files or devices into memory.
2. munmap: Unmaps files or devices from memory.
3. mprotect: Changes the protection of memory regions.
4. brk: Sets the end of the data (heap) segment.
5. sbrk: Increases or decreases the program's data space.
6. mincore: Determines whether pages are resident in memory.
7. madvise: Provides advice about memory use.
8. posix_memalign: Allocates aligned memory.
9. malloc: Allocates memory.
10. calloc: Allocates and initializes memory.
11. realloc: Changes the size of allocated memory.
12. free: Frees allocated memory.
13. mlock: Locks memory into RAM.
14. munlock: Unlocks memory locked with mlock.
15. mlockall: Locks all current and future pages into RAM.
16. munlockall: Unlocks all locked pages.
17. getrlimit: Gets resource limits.
18. setrlimit: Sets resource limits.
19. getrusage: Gets resource usage statistics.
20. getpagesize: Gets the system page size.

Signal Handling:

Signal handling system calls are essential for managing asynchronous notifications, known as signals, sent to processes. These calls allow processes to establish signal handlers, send signals to other processes, and respond to specific events or exceptions, ensuring proper error handling and process coordination.

1. signal: Sets a function to handle a signal.
2. sigaction: Examines and modifies signal action.
3. kill: Sends a signal to a process.
4. raise: Sends a signal to the calling process.
5. abort: Terminates the calling process.
6. pause: Suspends the calling process until a signal is received.
7. sigpending: Gets the set of blocked signals.
8. sigprocmask: Examines and modifies the signal mask.
9. sigsuspend: Replaces the signal mask and suspends the process.
10. sigqueue: Sends a signal with data to a process.
11. sigsetjmp: Saves the calling environment for later use with siglongjmp.
12. siglongjmp: Restores the environment saved by sigsetjmp and returns control.
13. sigaltstack: Sets an alternative signal stack.
14. signalfd: Creates a file descriptor for signals.

Issues to be considered

1. Is seccomp filters affect the caller process only or the children too?
2. You should ensure the security for the sandbox plugin to prevent anyone from disabling or missing the sandbox source code.

Todo

1. Add the user management system calls to the table.
2. Implement the APIs using ext_loader.
3. Provide security for the sandbox plugin directory.
4. Write test suites for all the APIs and check all the common functions in different languages.

Resources

1. You can find all the provided system calls by Linux kernel here.

2. For inspiration, you can look at Seccomp Security Profiles for Docker

3. For more inspiration, you can look at Runtime privilege and Linux capabilities.

4. Like the previous resource, This is a similar approach for Seccomp called Capabilities introduced by Docker. But don't forget we are working on "Seccomp" approach.

5. For more and more inspiration, you can look at Deno's Permissions

[viferga]

This is finished, we should use this post to document the sandbox plugin, maybe also extend the cli_sandbox_plugin adding more options to metacallcli.