| OLD | NEW |
| 1 Design | 1 Design |
| 2 ====== | 2 ====== |
| 3 | 3 |
| 4 | 4 |
| 5 Overview | 5 Overview |
| 6 -------- | 6 -------- |
| 7 Allows trying out Skia code in the browser. | 7 Allows trying out Skia code in the browser. |
| 8 | 8 |
| 9 | 9 |
| 10 Security | 10 Security |
| 11 -------- | 11 -------- |
| 12 We're putting a C++ compiler on the web, and promising to run the results of | 12 We're putting a C++ compiler on the web, and promising to run the results of |
| 13 user submitted code, so security is a large concern. Security is handled in a | 13 user submitted code, so security is a large concern. Security is handled in a |
| 14 layered approach, using a combination of seccomp-bpf, chroot jail and rlimits. | 14 layered approach, using a combination of seccomp-bpf, chroot jail and rlimits. |
| 15 | 15 |
| 16 *seccomp-bpf* - Used to limit the types of system calls that the user code can | 16 *seccomp-bpf* - Used to limit the types of system calls that the user code can |
| 17 make. Any attempts to make a system call that isn't allowed causes the | 17 make. Any attempts to make a system call that isn't allowed causes the |
| 18 application to terminate immediately. | 18 application to terminate immediately. |
| 19 | 19 |
| 20 *chroot jail* - The code is run in a chroot jail, making the rest of the | 20 *chroot jail* - The code is run in a chroot jail, making the rest of the |
| 21 operating system files unreachable from the running code. | 21 operating system files unreachable from the running code. |
| 22 | 22 |
| 23 *rlimits* - Used to limit the resources the running code can get access to, | 23 *rlimits* - Used to limit the resources the running code can get access to, |
| 24 for example runtime is limited to 5s of CPU. | 24 for example runtime is limited to 5s of CPU. |
| 25 | 25 |
| 26 User submitted code is also restricted in the following ways: | 26 User submitted code is also restricted in the following ways: |
| 27 * Limited to 10K of code total. | 27 * Limited to 10K of code total. |
| 28 * No preprocessor use is allowed (no lines can begin with \s*#). | 28 * No preprocessor use is allowed (no lines can begin with #includes). |
| 29 | 29 |
| 30 | 30 |
| 31 Architecture | 31 Architecture |
| 32 ------------ | 32 ------------ |
| 33 | 33 |
| 34 The server runs on GCE, and consists of a Go Web Server that calls out to the | 34 The server runs on GCE, and consists of a Go Web Server that calls out to the |
| 35 c++ compiler and executes code in a chroot jail. See the diagram below: | 35 c++ compiler and executes code in a chroot jail. See the diagram below: |
| 36 | 36 |
| 37 | 37 |
| 38 +–––––––––––––+ | 38 +–––––––––––––+ |
| 39 | | | 39 | | |
| 40 | Browser | | 40 | Browser | |
| 41 | | | 41 | | |
| 42 +––––––+––––––+ | 42 +––––––+––––––+ |
| 43 | | 43 | |
| 44 +––––––+––––––+ | 44 +––––––+––––––+ |
| 45 | | | 45 | | |
| 46 | | | 46 | | |
| 47 | Web Server | | 47 | Web Server | |
| 48 | | | 48 | | |
| 49 | (Go) | | 49 | (Go) | |
| 50 | | | 50 | | |
| 51 | | | 51 | | |
| 52 +–––––––+–––––+ | 52 +–––––––+–––––+ |
| 53 | | 53 | |
| 54 +–––––––+––––––––––+ | 54 +–––––––+––––––––––+ |
| 55 | chroot jail | | 55 | chroot jail | |
| 56 | +––––––––––––––+| | 56 | +––––––––––––––+| |
| 57 | | seccomp || | 57 | | seccomp || |
| 58 | | +––––––––––+|| | 58 | | +––––––––––+|| |
| 59 | | |User code ||| | 59 | | |User code ||| |
| 60 | | | ||| | 60 | | | ||| |
| 61 | | +----------+|| | 61 | | +––––––––––+|| |
| 62 | +––------------+| | 62 | +––––––––––––––+| |
| 63 | | | 63 | | |
| 64 +––––––––––––––––––+ | 64 +––––––––––––––––––+ |
| 65 | 65 |
| 66 | 66 |
| 67 The user code is expanded into a simple template and linked against libskia | 67 The user code is expanded into a simple template and linked against libskia |
| 68 and a couple other .o files that contain main() and the code that sets up the | 68 and a couple other .o files that contain main() and the code that sets up the |
| 69 seccomp and rlimit restrictions. This code also sets up the SkCanvas that is | 69 seccomp and rlimit restrictions. This code also sets up the SkCanvas that is |
| 70 handed to the user code. Any code the user submits is restricted to running in | 70 handed to the user code. Any code the user submits is restricted to running in |
| 71 a single function that looks like this: | 71 a single function that looks like this: |
| 72 | 72 |
| 73 | 73 |
| 74 void draw(SkCanvas* canvas) { | 74 void draw(SkCanvas* canvas) { |
| 75 // User code goes here. | 75 // User code goes here. |
| 76 } | 76 } |
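Review bot: The reworded bullet at line 28, "no lines can begin with #includes", now contradicts the first half of the same sentence ("No preprocessor use is allowed"): #define, #pragma and #if are preprocessor use too, and the old "\s*#" form also made it clear that leading whitespace before the "#" does not get a line past the filter. If the filter still rejects any line matching \s*#, keep that description (spelled out, if the regex is the objection, as "no line may begin with optional whitespace followed by #"); if the filter was actually narrowed to #include, change the bullet's first clause to match, because otherwise the Security section overstates the restriction. The dash fixes in the diagram at lines 61-62 look fine.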
| (...skipping 35 matching lines...) |
| 112 close | 112 close |
| 113 mmap | 113 mmap |
| 114 munmap | 114 munmap |
| 115 brk | 115 brk |
| 116 | 116 |
| 117 Installation | 117 Installation |
| 118 ------------ | 118 ------------ |
| 119 See the README file. | 119 See the README file. |
| 120 | 120 |
| 121 | 121 |