From 53444511938cc3999729a4c2aa6eccc9a2741ab2 Mon Sep 17 00:00:00 2001 From: Daniel Silverstone Date: Sat, 28 Jul 2012 11:26:10 +0100 Subject: Notes --- notes/design | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/notes/design b/notes/design index 3cd1c90..d055d1d 100644 --- a/notes/design +++ b/notes/design @@ -147,3 +147,25 @@ can be written explicitly and the deserialiser can simply be a generic loader followed by a series of asserts and measures to ensure nothing malicious gets injected. + +# New terminology + +* Host -- The program which wants to run untrusted code +* Sandbox -- The subprocess which is going to run the code on the Host's behalf + +# What happens when a host wants to run untrusted code? + +1. The host starts by preparing a socketpair and forking. +2. The forked process dup2()s the socketpair onto fd 0 and force-closes every + FD (regardless of the likelyhood of it being open). +3. Then the forked process executes a specifically compiled lua interpreter. +4. The interpreter loads the Supple modules and then the one module so + instructed by the host. +5. Said interpreter, if setuid(root) then + 1. makes a directory owned by root + 2. changes into that directory + 4. removes that directory + 5. chroot()s into that (now) ephemeral directory + 6. drops privileges +6. Finally the interpreter, now referred to as the Sandbox enters a receive + state where it waits for a procedure call. -- cgit v1.2.1
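Review bot: The ordering of steps 4 and 5 loads the host-instructed module while the interpreter is still setuid root; the untrusted module should only be loaded after the chroot and privilege drop in step 5, so consider swapping those two steps or splitting step 4 so that only the built-in Supple modules load before the drop. Two smaller points in the same hunk: step 2 says the forked process "force-closes every FD" right after dup2()ing the socketpair onto fd 0, so the text should state that the close loop skips fd 0 (and whether fd 1/2 are redirected somewhere for diagnostics); and the nested list under step 5 jumps from 2 to 4, so the item numbers should be renumbered 1 to 5. The "drops privileges" item would also be clearer if it spelled out the order (setgroups, setgid, then setuid) since getting that wrong leaves the Sandbox with root group membership.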