a-shruti
commented
3 months ago Based on a little code viewing and the docs I tried to put some dots together and I'm guessing it's (2), or more precisel: that (gVisor + application) becomes the Sandbox2 "Sandboxee", the dispatcher uses SAPI based rpcs to the app which is gVisor configured for appropriate syscall allowance/rejection for the binary, and hooks like getValue or runQuery go to the UDF dispatcher via IPC?
Is that correct?
Yes; that is correct. 👍 It will be replacing the sandbox2 part. It will not be using V8. gVisor itself is a double sandbox (syscall filtering + Sentry).
Semi related, what would happen if the app uses a disallowed syscall?
gVisor has a doc on this. https://gvisor.dev/docs/user_guide/compatibility/linux/arm64/, https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/
We will be sharing more details in the upcoming weeks.
Thanks!
dmdabbs
thegreatfatzby
What is the current ~plan~ R&D thinking for how gVisor ~will~ might fit into the Roma double sandboxing structure? (Or am I top line wrong and it ~won't be trying~ might not try to "fit into that"?)
In trying to think through the problems that this could solve, I'm in particular trying to understand how the gVisor Container (application + gVisor) as drawn here:
would fit into the Roma diagram here:
I'm fairly sure that that the (gVisor + application) is not somehow running inside V8, so I'm wondering if it's replacing:
Based on a little code viewing and the docs I tried to put some dots together and I'm guessing it's (2), or more precisel: that (gVisor + application) becomes the Sandbox2 "Sandboxee", the dispatcher uses SAPI based rpcs to the app which is gVisor configured for appropriate syscall allowance/rejection for the binary, and hooks like
getValueorrunQuerygo to the UDF dispatcher via IPC?Is that correct?
Semi related, what would happen if the app uses a disallowed syscall?