RLBox
How is a Sandboxed Function Invoked?
In the main application, `invoke_sandbox_function` acts as the interface for invoking a sandboxed function. This API finally calls into the internal function `INTERNAL_invoke_with_func_ptr` (defined in `rlbox_sandbox.hpp`). Here is my understanding of the structure of this function.
RLBox allows overriding the transition actions (the work done when control enters and leaves the sandbox) by defining two macro functions:
```cpp
// Runs before control crosses into the sandbox, if the application defines the macro.
#ifdef RLBOX_TRANSITION_ACTION_IN
RLBOX_TRANSITION_ACTION_IN(...);
#endif
// Runs when this function exits by any path, because it is attached to a scope-exit guard.
#ifdef RLBOX_TRANSITION_ACTION_OUT
auto on_exit_transition = rlbox::detail::make_scope_exit([&] {
  RLBOX_TRANSITION_ACTION_OUT(...);
});
#endif
```
RLBox ensures type safety when calling into sandboxed functions. It performs the type checks as follows.
First, RLBox derives the return type of the invoked function from the function type `T` and the argument types with their RLBox wrappers removed:
```cpp
using T_Result = rlbox::detail::polyfill::invoke_result_t<T,
  detail::rlbox_remove_wrapper_t<std::remove_reference_t<T_Args>>...>;
```
For a void return type, RLBox simply invokes the sandboxed function and returns:
```cpp
if constexpr (std::is_void_v<T_Result>) {
  this->template impl_invoke_with_func_ptr<T>(
    reinterpret_cast<T_Converted*>(func_ptr),
    invoke_process_param(params)...);   // each parameter is converted to the sandbox's ABI
  return;
}
```
For a non-void return type, RLBox converts the raw result into a `tainted` value before handing it back to the application:
```cpp
else {
  auto raw_result = this->template impl_invoke_with_func_ptr<T>(
    reinterpret_cast<T_Converted*>(func_ptr),
    invoke_process_param(params)...);
  tainted<T_Result, T_Sbx> wrapped_result;   // tainted: the application must verify it before use
  using namespace detail;
  convert_type<T_Sbx,
    adjust_type_direction::TO_APPLICATION,
    adjust_type_context::SANDBOX>(
    wrapped_result.get_raw_value_ref(),
    raw_result,
    nullptr /* example_unsandboxed_ptr */,
    this /* sandbox_ptr */);
  return wrapped_result;
}
```
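To make that structure concrete, here is an added, self-contained C++ model of the same call path. It is not RLBox's code: `toy_sandbox`, `tainted`, `scope_exit`, `sbx_strlen`, `sbx_noop` and the two demo functions are stand-ins constructed for this example, showing the transition hooks, the `invoke_result_t`-based return type deduction, the void/non-void split, and why a caller must verify a tainted result before using it.

```cpp
#include <cstring>
#include <type_traits>
// Toy model, not RLBox code: a tainted value is unreadable until a verifier accepts it.
template <typename T>
class tainted {
    T raw_;
public:
    explicit tainted(T v) : raw_(v) {}
    // Returns the sandbox-supplied value if verifier accepts it, else fallback.
    template <typename F>
    T copy_and_verify(F verifier, T fallback) const { return verifier(raw_) ? raw_ : fallback; }
};
// Stand-in for rlbox::detail::make_scope_exit: runs f when the scope ends.
template <typename F> struct scope_exit { F f; ~scope_exit() { f(); } };
template <typename F> scope_exit<F> make_scope_exit(F f) { return scope_exit<F>{f}; }
struct toy_sandbox {
    int transitions_in = 0;   // times the "transition in" hook fired
    int transitions_out = 0;  // times the "transition out" hook fired
    // Same shape as INTERNAL_invoke_with_func_ptr: hook in, call, hook out, wrap non-void as tainted.
    template <typename T, typename... T_Args>
    auto invoke(T* func_ptr, T_Args... args) {
        using T_Result = std::invoke_result_t<T, T_Args...>;
        ++transitions_in;
        auto on_exit = make_scope_exit([&] { ++transitions_out; });
        if constexpr (std::is_void_v<T_Result>) {
            func_ptr(args...);
            return;
        } else {
            return tainted<T_Result>{func_ptr(args...)};
        }
    }
};
// Constructed stand-ins for functions that would live inside the sandbox.
static int sbx_strlen(const char* s) { return static_cast<int>(std::strlen(s)); }
static void sbx_noop(int) {}
// The length is only usable after a verifier bounds it; -1 signals rejection.
int demo_checked_length(const char* s, int max_len) {
    toy_sandbox sb;
    tainted<int> t = sb.invoke(sbx_strlen, s);
    return t.copy_and_verify([&](int n) { return n >= 0 && n <= max_len; }, -1);
}

// True when each invocation fired both transition hooks exactly once.
bool demo_transitions_balanced() {
    toy_sandbox sb;
    sb.invoke(sbx_noop, 7);             // void return path
    (void)sb.invoke(sbx_strlen, "abc"); // tainted return path
    return sb.transitions_in == 2 && sb.transitions_out == 2;
}
```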
How Firefox Uses RLBox
Using searchfox, we can spot the components that use RLBox:
- ogg parser
- hunspell
- ots (OpenType Sanitizer)
- Thebes graphics API
- htmlparser
Using RLBox to Sandbox the PNG Library in ClamAV
Troubleshooting
- /usr/local/include/rlbox/rlbox_sandbox.hpp:83:4: error: #error "RLBox does not yet support threading. Please define RLBOX_SINGLE_THREADED_INVOCATIONS prior to including RLBox and ensure you are only using it from a single thread. If threading is required, please file a bug."
- The ClamAV project is mainly written in C, not in C++.
- Macro functions may not be able to ...