| blob | 5bc421d6f8ef70a5c9f9a830eaac604438240f85 |
1 This directory includes some working notes to audit the entire Teliva codebase
2 for side-effects that should be gated/sandboxed.
4 Founding principle for this approach: Side-effects come from the OS. There can
5 be no effects visible outside a Unix process (regardless of language) if it
6 doesn't invoke any OS syscalls.
8 ## Top down
10 Things to secure:
11 * screen? Keep apps from drawing over standard Teliva UI elements.
12 * Teliva currently doesn't stop apps from overwriting the menu, if they're
13 clever. However, it always redraws its UI elements before accepting any
14 input from the keyboard.
16 * code? There are currently no protections against .tlv files clobbering
17 existing definitions. I'm hoping that disallowing native code keeps this
18 safe. Apps can only affect themselves.
20 * files opened (for read/write) on file system
21 * `io_open`
22 * `io_lines`
24 * destinations opened (for read/write) on network
25 * `inet_tryconnect` // `socket_connect`
26 * `inet_tryaccept` // `socket_accept`
28 It seems more difficult to control what is written to a file or socket once
29 it's opened. For starters let's just focus on the interfaces that convert a
30 string path or url to a file descriptor.
32 Scenarios:
33 * (1) app reads system files
34 * (1) app sends data to a remote server
35 * (1) app should _never_ be allowed to open Teliva's system files:
36 - `teliva_editor_state`
37 - app-specific sandboxing policies
38 * (2) app can read from a remote server but not write (POST)
39 * (1) app permissions are saved across restart
40 * (1) permissions the owner grants to one app are not automatically granted
41 to another
42 * (2) downloading a second app with identical name doesn't receive its
43 predecessors permissions
44 * app gains access to a remote server for a legitimate purpose, reads
45 sensitive data from the local system file for legitimate purpose. Now
46 there's nothing preventing it from exfiltrating the sensitive data to the
47 remote server.
48 - (2) solution: make it obvious in the UI that granting both permissions
49 allows an app to do anything. Educate people to separate apps that read
50 sensitive data from apps that access remote servers.
51 - (2) solution: map phases within an app to distinct permission sets
52 * app A legitimately needs to read sensitive data. It saves a copy to file
53 X. app B seems to legitimately needs to access the network, but also
54 asks to read file X. If the owner forgets who wrote file X and what it
55 contains, sensitive data could be exfiltrated.
56 * (3) app wants access to system() or exec() or popen()
58 Difficulty levels
59 1. I have some sense of how to enforce this.
60 2. Seems vaguely doable.
61 3. Seems unlikely to be doable.
63 UX:
64 * distinguish what Teliva can do, what the app can do, and Teliva's ability
65 to police the app.
66 * easily visualize Teliva's ability to police an app.
67 - maybe show a lock in halves; left half = file system, right half =
68 network. One half unlocked = orange. Both unlocked = red.
70 ## Bottom up
72 * `includes`: all `#include`s throughout the codebase. I assume that C the
73 language itself can't invoke any syscalls without at least triggering
74 warnings from the compiler.
75 ```
76 cd src
77 grep '#include' * */* > ../sandboxing/includes
78 ```
79 * `system_includes`: all `#include <...>`s throughout the codebase. I assume
80 side-effects require going outside the codebase. `#include`s could smuggle
81 out of the codebase using relative paths (`../`) but I assume it's easy to
82 protect against this using code review.
83 ```
84 grep '<' sandboxing/includes > sandboxing/system_includes
85 ```
86 * `unique_system_includes`: deduped
87 ```
88 sed 's/.*<\|>.*//g' sandboxing/system_includes |sort |uniq > sandboxing/unique_system_includes
89 ```