In prio, we ran into a really awkward thing to debug:

tainted_prio<PrioNSSCtx*> nss = sandbox.malloc_in_sandbox<PrioNSSCtx>()
...
nss->NSS_IsInitialized = sandbox.register_callback(t_NSS_IsInitialized);  

eneded up getting unregister at the end of the function call.

We probably want to just manually do the unregistering and have a separate type for automatically unregistering callbacks.

dev build has lots of warnings; we should probably allow formatting source in resease builds too

It would be useful to document this a bit better.

For memcpy: the last parameter the number of elements, right? The type makes it seem like that is indeed the case; since this is different from POSIX memcpy which takes the number of bytes, we should be clear about this.

For malloc: it's again the length of elements not bytes, right? (no argument = 1?)

I can update docs on ACK.

For prio, it would be useful to check if the sandbox has been created and create it if not. I know that we can only expose a sandbox.is_created() that may have concurrency concerns, but maybe that's still better than nothing? Maybe not though and the right things is to just keep track of this outside rlbox. WDYT?

In Prio, I"m getting a warning about int vs. size_t comparison here:

https://github.com/PLSysSec/rlbox_sandboxing_api/blob/master/code/include/rlbox_stdlib.hpp#L152-L154

In general we probably want to avoid this

I was trying out the "hello world" example in rlbox, and wanted to confirm that it guards against the library returning garbage. When I changed call_cb() in mylib.c to invoke cb(NULL), running hello crashed with a segfault.

As far as I can tell, the example doesn't seem to properly guard against the library function call_cb passing a null string to the cb() callback, in the verifier that hello_cb() passes to copy_and_verify_string.

It would be good if the example showed what kinds of library mis-behavior the validators guard against (maybe I'm confused about NULL being a misbehavior that rlbox is guarding against?), and/or guard against the library returning a null string pointer.

This will remove catch2 dependency. This could be done by adding a symbol -DNO_TEST for example.

I can do it if you want.

As of glibc 2.34, MINSIGSTKSZ is mapped to a sysconf(_SC_SIGSTKSZ) i.e. it's a dynamic value. This fails the constexpr guards in catch2.

/usr/bin/c++  -I/rlbox_sandboxing_api/code/tests/rlbox_glue -I/rlbox_sandboxing_api/_build/_deps/catch2-src/single_include -I/rlbox_sandboxing_api/code/include -I/rlbox_sandboxing_api/code/tests/rlbox_glue/lib -std=c++17 -MD -MT CMakeFiles/test_rlbox_glue.dir/code/tests/test_main.cpp.o -MF CMakeFiles/test_rlbox_glue.dir/code/tests/test_main.cpp.o.d -o CMakeFiles/test_rlbox_glue.dir/code/tests/test_main.cpp.o -c /rlbox_sandboxing_api/code/tests/test_main.cpp
In file included from /usr/include/signal.h:328,
                 from /rlbox_sandboxing_api/_build/_deps/catch2-src/single_include/catch2/catch.hpp:7644,
                 from /rlbox_sandboxing_api/code/tests/test_main.cpp:2:
/rlbox_sandboxing_api/_build/_deps/catch2-src/single_include/catch2/catch.hpp:10376:58: error: call to non-'constexpr' function 'long int sysconf(int)'
10376 |     constexpr static std::size_t sigStackSize = 32768 >= MINSIGSTKSZ ? 32768 : MINSIGSTKSZ;
      |                                                          ^~~~~~~~~~~
In file included from /usr/include/bits/sigstksz.h:24,
                 from /usr/include/signal.h:328,
                 from /rlbox_sandboxing_api/_build/_deps/catch2-src/single_include/catch2/catch.hpp:7644,
                 from /rlbox_sandboxing_api/code/tests/test_main.cpp:2:
/usr/include/unistd.h:640:17: note: 'long int sysconf(int)' declared here
  640 | extern long int sysconf (int __name) __THROW;
      |                 ^~~~~~~

I suppose this is an upstream bug, but wanted to report it here in case anyone else had the same issue.

This is currently unsupported as there are tricky ABI issues for plugins that are not noop sandbox. Provide a helpful error message for this/add support for this

This repo's README.md contains the sentence

See the online docs for more details.

with a link to https://docs.rlbox.dev/. This link points to a site that doesn't exist (404).

Steps to reproduce:

1. Click on the link from the README.

Expected results:
A website with documentation for this project opens.

Actual results:

404 – There isn't a GitHub Pages site here.

Can we track windows support here?

Can we add a copy_and_verify_string for unsigned char*?

After reading some part of the library, I noticed some minor change with ABI break.

1. unverified_safe_because is template<size_t N> but N is never used.

Another declaration could be:

inline auto unverified_safe_because(const char *reason)

2. const -> static constexpr

The library is explicitly c++17. There is lots of const int CompileErrorCode = 42; that could be replaced by static constexpr int CompileErrorCode = 42;

3. in #define helper_create_converted_field, isFrozen is unused

So new declaration could be:

#define helper_create_converted_field(fieldType, fieldName)

4. Finally a question: the library is explicitly not thread-safe.

So why there is a std::mutex callback_lock, RLBOX_SHARED_LOCK, RLBOX_ACQUIRE_SHARED_GUARD and RLBOX_ACQUIRE_UNIQUE_GUARD? Is this a try to make a thread-safe library?

Thanks,

PS: If you're fine with these changes, I can implement them.

Tried going to https://rlbox.dev/ and it has an SSL error or shows a squatted page.

Wasm plugin checks the indirect function table to check type and pointer validity. NaCl plugin is a NoOp

This should return a tainted bool.