OLD | NEW |
1 Design | 1 Design |
2 ====== | 2 ====== |
3 | 3 |
4 | 4 |
5 Overview | 5 Overview |
6 -------- | 6 -------- |
7 Allows trying out Skia code in the browser. | 7 Allows trying out Skia code in the browser. |
8 | 8 |
9 | 9 |
10 Security | 10 Security |
11 -------- | 11 -------- |
12 We're putting a C++ compiler on the web, and promising to run the results of | 12 We're putting a C++ compiler on the web, and promising to run the results of |
13 user submitted code, so security is a large concern. Security is handled in a | 13 user submitted code, so security is a large concern. Security is handled in a |
14 layered approach, using a combination of seccomp-bpf, chroot jail and rlimits. | 14 layered approach, using a combination of seccomp-bpf, chroot jail and rlimits. |
15 | 15 |
16 *seccomp-bpf* - Used to limit the types of system calls that the user code can | 16 *seccomp-bpf* - Used to limit the types of system calls that the user code can |
17 make. Any attempts to make a system call that isn't allowed causes the | 17 make. Any attempts to make a system call that isn't allowed causes the |
18 application to terminate immediately. | 18 application to terminate immediately. |
19 | 19 |
20 *chroot jail* - The code is run in a chroot jail, making the rest of the | 20 *chroot jail* - The code is run in a chroot jail, making the rest of the |
21 operating system files unreachable from the running code. | 21 operating system files unreachable from the running code. |
22 | 22 |
23 *rlimits* - Used to limit the resources the running code can get access to, | 23 *rlimits* - Used to limit the resources the running code can get access to, |
24 for example runtime is limited to 5s of CPU. | 24 for example runtime is limited to 5s of CPU. |
25 | 25 |
26 User submitted code is also restricted in the following ways: | 26 User submitted code is also restricted in the following ways: |
27 * Limited to 10K of code total. | 27 * Limited to 10K of code total. |
28 * No preprocessor use is allowed (no lines can begin with \s*#). | 28 * No preprocessor use is allowed (no lines can begin with #includes). |
29 | 29 |
30 | 30 |
31 Architecture | 31 Architecture |
32 ------------ | 32 ------------ |
33 | 33 |
34 The server runs on GCE, and consists of a Go Web Server that calls out to the | 34 The server runs on GCE, and consists of a Go Web Server that calls out to the |
35 c++ compiler and executes code in a chroot jail. See the diagram below: | 35 c++ compiler and executes code in a chroot jail. See the diagram below: |
36 | 36 |
37 | 37 |
38 +–––––––––––––+ | 38 +–––––––––––––+ |
39 | | | 39 | | |
40 | Browser | | 40 | Browser | |
41 | | | 41 | | |
42 +––––––+––––––+ | 42 +––––––+––––––+ |
43 | | 43 | |
44 +––––––+––––––+ | 44 +––––––+––––––+ |
45 | | | 45 | | |
46 | | | 46 | | |
47 | Web Server | | 47 | Web Server | |
48 | | | 48 | | |
49 | (Go) | | 49 | (Go) | |
50 | | | 50 | | |
51 | | | 51 | | |
52 +–––––––+–––––+ | 52 +–––––––+–––––+ |
53 | | 53 | |
54 +–––––––+––––––––––+ | 54 +–––––––+––––––––––+ |
55 | chroot jail | | 55 | chroot jail | |
56 | +––––––––––––––+| | 56 | +––––––––––––––+| |
57 | | seccomp || | 57 | | seccomp || |
58 | | +––––––––––+|| | 58 | | +––––––––––+|| |
59 | | |User code ||| | 59 | | |User code ||| |
60 | | | ||| | 60 | | | ||| |
61 | | +----------+|| | 61 | | +––––––––––+|| |
62 | +––------------+| | 62 | +––––––––––––––+| |
63 | | | 63 | | |
64 +––––––––––––––––––+ | 64 +––––––––––––––––––+ |
65 | 65 |
66 | 66 |
67 The user code is expanded into a simple template and linked against libskia | 67 The user code is expanded into a simple template and linked against libskia |
68 and a couple other .o files that contain main() and the code that sets up the | 68 and a couple other .o files that contain main() and the code that sets up the |
69 seccomp and rlimit restrictions. This code also sets up the SkCanvas that is | 69 seccomp and rlimit restrictions. This code also sets up the SkCanvas that is |
70 handed to the user code. Any code the user submits is restricted to running in | 70 handed to the user code. Any code the user submits is restricted to running in |
71 a single function that looks like this: | 71 a single function that looks like this: |
72 | 72 |
73 | 73 |
74 void draw(SkCanvas* canvas) { | 74 void draw(SkCanvas* canvas) { |
75 // User code goes here. | 75 // User code goes here. |
76 } | 76 } |
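Review bot: the new wording on line 28, "no lines can begin with #includes", contradicts the first half of the same bullet ("No preprocessor use is allowed") and reads as a typo: "#includes" is not a directive, and a check that rejects only #include lines would let #define, #if, #pragma and every other preprocessor directive through. The old text, "\s*#", also carried the detail that leading whitespace is skipped before the #, which matters for the check itself: a filter that only rejects lines with # in column 0 is bypassed by indenting the directive. Suggest keeping that precision, for example "* No preprocessor use is allowed (any line whose first non-whitespace character is # is rejected)." Minor, in unchanged context: line 17 "Any attempts ... causes" should read "Any attempt ... causes". The dash normalisation in the diagram on lines 61 and 62 looks fine.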
(...skipping 35 matching lines...)
112 close | 112 close |
113 mmap | 113 mmap |
114 munmap | 114 munmap |
115 brk | 115 brk |
116 | 116 |
117 Installation | 117 Installation |
118 ------------ | 118 ------------ |
119 See the README file. | 119 See the README file. |
120 | 120 |
121 | 121 |
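Review bot: the visible tail of the allowed-syscall list (close, mmap, munmap, brk) does not say whether the seccomp-bpf filter matches on syscall numbers only or also inspects arguments. seccomp-bpf can filter on argument values, so the design doc should state which it is, in particular whether mmap is permitted with any prot flags or is constrained; if the filter is number-only, say so explicitly so a reader of this list does not assume stricter checks than are in place. Also, the Installation section only points at the README; a one-line pointer to where the syscall whitelist lives in the source would let reviewers check this list against the code.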