Skip to content

RLBox

How is Sandboxed Function Invoked?

main application.invoke_sandbox_function acts as the interface for invoking sandboxed functions. This API finally calls into the internal function: INTERNAL_invoke_with_func_ptr (defined in rlbox_sandbox.hpp). Here is my understanding of the structure of this function.

RLBox allows transition actions to be overridden by defining two macro functions:

#ifdef RLBOX_TRANSITION_ACTION_IN
    RLBOX_TRANSITION_ACTION_IN(...);
#endif
#ifdef RLBOX_TRANSITION_ACTION_OUT
    auto on_exit_transition = rlbox::detail::make_scope_exit([&] {
      RLBOX_TRANSITION_ACTION_OUT(...);
    });
#endif

RLBox ensures type safety when calling into sandboxed functions. It performs type checks with:

(check_invoke_param_type_is_ok<T_Args>(), ...);

RLBox parses the return type of the invoked function.

using T_Result = rlbox::detail::polyfill::invoke_result_t<T,
    detail::rlbox_remove_wrapper_t<std::remove_reference_t<T_Args>>...>;

For a void return type, RLBox simply invokes the sandboxed function and returns:

if constexpr (std::is_void_v<T_Result>) {
    this->template impl_invoke_with_func_ptr<T>(
        reinterpret_cast<T_Converted*>(func_ptr),
        invoke_process_param(params)...);
    return;
}

For a non-void return type, RLBox converts the raw result:

else {
    auto raw_result = this->template impl_invoke_with_func_ptr<T>(
        reinterpret_cast<T_Converted*>(func_ptr),
        invoke_process_param(params)...);
    tainted<T_Result, T_Sbx> wrapped_result;
    using namespace detail;
    convert_type<T_Sbx,
                adjust_type_direction::TO_APPLICATION,
                adjust_type_context::SANDBOX>(
        wrapped_result.get_raw_value_ref(),
        raw_result,
        nullptr /* example_unsandboxed_ptr */,
        this /* sandbox_ptr */);
    return wrapped_result;
}

How Firefox Uses RLBox

Using searchfox, we can spot components that use RLBox:

  1. ogg parser
  2. hunspell
  3. ots (OpenType Sanitizer)
  4. Thebes graphics API
  5. htmlparser

Use RLBox to Sandbox PNG Library in ClamAV

Troubleshootings

  1. /usr/local/include/rlbox/rlbox_sandbox.hpp:83:4: error: #error "RLBox does not yet support threading. Please define RLBOX_SINGLE_THREADED_INVOCATIONS prior to including RLBox and ensure you are only using it from a single thread. If threading is required, please file a bug."
  2. clamav project is mainly written in C, not in C++.
  3. macro functions may not be able to ...