Opened Nov 06, 2017 by Karel Koci (@kkoci), Owner

Refactor sandbox to its own Lua context and simplify security levels (Updater language 2)

The whole sandbox is complicated just because we need to ensure that configuration scripts can't access some advanced features. But that is somewhat questionable when it can install any arbitrary package with any arbitrary code in it. Yes, it is true that installation has to be optionally confirmed, so we probably should have at least one protected level that denies access to uci, files and shell execution. But having more than two probably makes no sense.

The proposition is to have a single Lua instance, separate from the primary one. This instance is a somewhat simple Lua with the possibility to switch to protected mode.

Also, running the sandbox in the same instance as the rest of the updater just complicates things and adds nothing of value. Yes, we can share variables (by context magic) and functions, but in the end there is no other reason. Just initializing a new interpreter with specific limitations should be enough.

As part of this we should also implement: #198

Edited Mar 21, 2019 by Karel Koci
Reference: turris/updater/updater#232