# Sandbox Implementation Milestones Based on SANDBOX.md design document. Implementation order optimized for dependencies. --- ## Milestone 1: Core Sandbox Foundation ✅ **Status**: Complete **Goal**: Create isolated Lua environments with resource limits. **Estimated Files**: 3 new files ### Deliverables | Component | File | Description | |-----------|------|-------------| | LuaSandbox class | `src/main/cpp/sandbox/lua_sandbox.h` | Main sandbox container | | Custom allocator | `src/main/cpp/sandbox/lua_sandbox.cpp` | Per-app memory tracking/limits | | Instruction hook | `src/main/cpp/sandbox/lua_sandbox.cpp` | CPU limit enforcement | | Globals removal | `src/main/cpp/sandbox/lua_sandbox.cpp` | Remove os, io, debug, etc. | | Bytecode prevention | `src/main/cpp/sandbox/lua_sandbox.cpp` | Text-only loading mode | | Metatable protection | `src/main/cpp/sandbox/lua_sandbox.cpp` | Freeze _G and string metatable | ### Implementation Tasks 1. Create `LuaSandbox` class with: - `lua_State* m_L` - isolated state - `SandboxLimits m_limits` - memory/CPU/stack limits - `SandboxContext m_context` - app_id, permissions, etc. - Custom allocator that tracks `m_memory_used` 2. Implement `RemoveDangerousGlobals()`: - Remove: `os`, `io`, `debug`, `package`, `require`, `ffi`, `jit` - Remove: `dofile`, `loadfile`, `load`, `loadstring` - Remove: `rawget`, `rawset`, `rawequal`, `rawlen` - Remove: `collectgarbage`, `newproxy` - Remove: `string.dump` 3. Implement instruction hook: - `lua_sethook(L, InstructionHook, LUA_MASKCOUNT, 1000)` - Throw error when limit exceeded 4. Implement `ProtectBuiltinTables()`: - Set `__metatable` on string metatable - Freeze `_G` with `__newindex` error ### Dependencies - Lua library already linked (via RmlUi) ### Test Criteria ```cpp TEST(LuaSandbox, DangerousGlobalsRemoved); TEST(LuaSandbox, BytecodeRejected); TEST(LuaSandbox, MemoryLimitEnforced); TEST(LuaSandbox, CPULimitEnforced); TEST(LuaSandbox, MetatableProtected); ``` --- ## Milestone 2: Permission System ✅ **Status**: Complete **Goal**: Gate API access based on app permissions. **Estimated Files**: 2 new files ### Deliverables | Component | File | Description | |-----------|------|-------------| | PermissionGate | `src/main/cpp/sandbox/permission_gate.h` | Permission checking | | User gesture tracking | `src/main/cpp/sandbox/permission_gate.cpp` | Recent tap/click detection | | Permission categories | `src/main/cpp/sandbox/permission_gate.cpp` | Normal/Dangerous/Signature | ### Implementation Tasks 1. Define permission categories: ```cpp enum class PermissionCategory { Normal, Dangerous, Signature }; ``` 2. Create `PermissionGate` class: - `bool Check(lua_State* L, const std::string& permission)` - `int RequirePermission(lua_State* L, const char* perm)` - throws Lua error 3. Implement user gesture tracking: - `void RecordUserGesture()` - called on touch down - `bool HasRecentUserGesture(int ms)` - check within time window 4. Define permission manifest parsing: - Read `manifest.json` from app package - Extract `permissions` array ### Dependencies - Milestone 1 (LuaSandbox) ### Test Criteria ```cpp TEST(PermissionGate, NormalPermissionAutoGranted); TEST(PermissionGate, DangerousPermissionRequiresGrant); TEST(PermissionGate, SignaturePermissionSystemOnly); TEST(PermissionGate, UserGestureRequired); ``` --- ## Milestone 3: Audit Logging & Rate Limiting ✅ **Status**: Complete **Goal**: Track security events and prevent API abuse. **Estimated Files**: 2 new files ### Deliverables | Component | File | Description | |-----------|------|-------------| | AuditLog | `src/main/cpp/sandbox/audit_log.h/cpp` | Security event logging | | RateLimiter | `src/main/cpp/sandbox/rate_limiter.h/cpp` | Token bucket rate limiting | ### Implementation Tasks 1. Create `AuditLog` class: ```cpp enum class AuditEvent { AppStart, AppStop, PermissionCheck, PermissionDenied, NetworkRequest, FileAccess, SandboxViolation, ResourceLimitHit }; ``` 2. Implement thread-safe logging: - Ring buffer with max entries - Log critical events to Android logcat 3. Create `RateLimiter` class: - Token bucket algorithm - Per-operation limits: `network.request`, `storage.write`, etc. - `bool Check(const std::string& app_id, const std::string& operation)` ### Dependencies - Milestone 1 (LuaSandbox) ### Test Criteria ```cpp TEST(AuditLog, LogsSecurityEvents); TEST(AuditLog, ThreadSafe); TEST(RateLimiter, EnforcesLimits); TEST(RateLimiter, RefillsOverTime); ``` --- ## Milestone 4: Safe Path & Require ✅ **Status**: Complete **Goal**: Secure file access within app sandbox. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | Path validation | `src/main/cpp/sandbox/path_sandbox.h/cpp` | Canonical path checking | | Safe require | `src/main/cpp/sandbox/path_sandbox.cpp` | Module loader from app/scripts/ | ### Implementation Tasks 1. Implement `ValidatePath()`: - Reject `..` traversal - Reject absolute paths - Canonicalize and verify prefix match 2. Implement `SafeRequire()`: - Validate module name (alphanumeric + underscore) - Load from `app_path/scripts/name.lua` - Cache in registry `__loaded` - Text-only mode (`"t"`) 3. Register as global `require`: ```cpp lua_pushcfunction(L, SafeRequire); lua_setglobal(L, "require"); ``` ### Dependencies - Milestone 1 (LuaSandbox) ### Test Criteria ```cpp TEST(PathSandbox, RejectsTraversal); TEST(PathSandbox, RejectsAbsolutePaths); TEST(SafeRequire, LoadsFromScriptsDir); TEST(SafeRequire, CachesModules); ``` --- ## Milestone 5: Timer & Callback System ✅ **Status**: Complete **Goal**: Safe timer APIs managed by kernel. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | TimerManager | `src/main/cpp/sandbox/timer_manager.h/cpp` | setTimeout/setInterval | ### Implementation Tasks 1. Create `TimerManager` class: - Priority queue of pending timers - Per-app timer limits (max 100) - Minimum 10ms granularity 2. Implement Lua APIs: ```lua setTimeout(callback, ms) -> id clearTimeout(id) setInterval(callback, ms) -> id clearInterval(id) ``` 3. Integrate with kernel main loop: - Check and fire timers each frame - Reset instruction count before callback 4. Implement cleanup: - `ClearAppTimers(app_id)` on app stop ### Dependencies - Milestone 1 (LuaSandbox) - Milestone 3 (RateLimiter) ### Test Criteria ```cpp TEST(TimerManager, FiresTimeout); TEST(TimerManager, FiresInterval); TEST(TimerManager, LimitsPerApp); TEST(TimerManager, CleansUpOnStop); ``` --- ## Milestone 6: JSON & Crypto APIs ✅ **Status**: Complete **Goal**: Safe data parsing and cryptographic primitives. **Estimated Files**: 2 new files ### Deliverables | Component | File | Description | |-----------|------|-------------| | JSON API | `src/main/cpp/sandbox/json_api.cpp` | Safe encode/decode | | Crypto API | `src/main/cpp/sandbox/crypto_api.cpp` | Hash, random, HMAC | ### Implementation Tasks 1. Implement `json.decode()`: - Depth limit (32) - String length limit (1 MB) - Array/object size limits 2. Implement `json.encode()`: - Cycle detection - Output size limit 3. Implement crypto APIs: - `crypto.randomBytes(n)` - CSPRNG - `crypto.hash("sha256", data)` - `crypto.hmac("sha256", key, data)` - Remove `math.randomseed`, replace `math.random` with per-app RNG ### Dependencies - Milestone 1 (LuaSandbox) - nlohmann-json (already in vcpkg) ### Test Criteria ```cpp TEST(JsonApi, DecodesValid); TEST(JsonApi, RejectsDeepNesting); TEST(JsonApi, RejectsTooLarge); TEST(CryptoApi, RandomBytesSecure); TEST(CryptoApi, HashCorrect); ``` --- ## Milestone 7: Virtual Filesystem ✅ **Status**: Complete **Goal**: Per-app isolated storage with quotas. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | VirtualFS | `src/main/cpp/sandbox/virtual_fs.h/cpp` | App storage API | ### Implementation Tasks 1. Define virtual path mapping: ``` /data/ → /data/data/com.omixlab.mosis/apps//data/ /cache/ → /data/data/com.omixlab.mosis/apps//cache/ /temp/ → (session-only, cleared on stop) /shared/ → requires storage.shared permission ``` 2. Implement Lua file API: ```lua fs.read(path) -> string fs.write(path, data) -> bool fs.append(path, data) -> bool fs.delete(path) -> bool fs.exists(path) -> bool fs.list(dir) -> table fs.mkdir(path) -> bool fs.stat(path) -> {size, modified, isDir} ``` 3. Enforce limits: - Per-app quota (50 MB default) - Max file size (10 MB) - Max path depth (10) 4. Cleanup `/temp/` on app stop. ### Dependencies - Milestone 1 (LuaSandbox) - Milestone 2 (PermissionGate) - Milestone 4 (Path validation) ### Test Criteria ```cpp TEST(VirtualFS, ReadsWritesInAppDir); TEST(VirtualFS, BlocksTraversal); TEST(VirtualFS, EnforcesQuota); TEST(VirtualFS, CleansUpTemp); ``` --- ## Milestone 8: SQLite Database ✅ **Status**: Complete **Goal**: Per-app SQLite with injection prevention. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | DatabaseManager | `src/main/cpp/sandbox/database_manager.h/cpp` | SQLite sandbox | ### Implementation Tasks 1. Create per-app database: - Location: `/data/data/com.omixlab.mosis/apps//db/app.db` - Max database size: 50 MB 2. Implement SQLite authorizer: ```cpp sqlite3_set_authorizer(db, Authorizer, sandbox); // Block: ATTACH, DETACH, dangerous PRAGMAs, load_extension ``` 3. Implement Lua API: ```lua local db = database.open("mydata") db:execute("CREATE TABLE IF NOT EXISTS items (id INTEGER PRIMARY KEY, name TEXT)") db:execute("INSERT INTO items (name) VALUES (?)", {"Item 1"}) local rows = db:query("SELECT * FROM items WHERE id > ?", {0}) db:close() ``` 4. Enforce prepared statements only (no raw SQL interpolation). ### Dependencies - Milestone 1 (LuaSandbox) - Milestone 2 (PermissionGate) - SQLite3 (add to vcpkg) ### Test Criteria ```cpp TEST(Database, CreatesTables); TEST(Database, PreparedStatements); TEST(Database, BlocksAttach); TEST(Database, BlocksDangerousPragma); ``` --- ## Milestone 9: Network - HTTP **Goal**: Secure HTTP requests with domain filtering. **Estimated Files**: 2 new files ### Deliverables | Component | File | Description | |-----------|------|-------------| | HttpRequestValidator | `src/main/cpp/sandbox/http_validator.h/cpp` | URL/domain validation | | NetworkManager | `src/main/cpp/sandbox/network_manager.h/cpp` | HTTP client wrapper | ### Implementation Tasks 1. Implement URL parsing and validation: - Require HTTPS - Block private IPs, localhost, metadata IPs - Domain whitelist from manifest 2. Implement Lua HTTP API: ```lua local response = network.request({ url = "https://api.example.com/data", method = "POST", headers = {...}, body = "...", timeout = 30000 }) ``` 3. Integrate with Android HttpURLConnection or libcurl. 4. Enforce limits: - Request body: 10 MB - Response body: 50 MB - Timeout: 60s - Concurrent requests: 6 ### Dependencies - Milestone 1 (LuaSandbox) - Milestone 2 (PermissionGate) - Milestone 3 (RateLimiter, AuditLog) ### Test Criteria ```cpp TEST(HttpValidator, BlocksPrivateIP); TEST(HttpValidator, BlocksLocalhost); TEST(HttpValidator, RequiresHttps); TEST(HttpValidator, EnforcesDomainWhitelist); TEST(NetworkManager, MakesRequest); ``` --- ## Milestone 10: Network - WebSocket **Goal**: Secure WebSocket connections. **Estimated Files**: 1 new file (extends NetworkManager) ### Deliverables | Component | File | Description | |-----------|------|-------------| | WebSocketManager | `src/main/cpp/sandbox/websocket_manager.h/cpp` | WS connections | ### Implementation Tasks 1. Implement connection management: - Max 5 connections per app - Idle timeout: 5 minutes - Message size limit: 1 MB 2. Implement Lua WebSocket API: ```lua local ws = network.websocket("wss://api.example.com/ws") ws:on("open", function() ... end) ws:on("message", function(data) ... end) ws:on("close", function(code, reason) ... end) ws:send(data) ws:close() ``` 3. Use same URL validation as HTTP. 4. Cleanup connections on app stop. ### Dependencies - Milestone 9 (HttpRequestValidator) ### Test Criteria ```cpp TEST(WebSocketManager, Connects); TEST(WebSocketManager, LimitsPerApp); TEST(WebSocketManager, CleansUpOnStop); ``` --- ## Milestone 11: Virtual Hardware - Camera **Goal**: Camera access with mandatory indicators. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | CameraInterface | `src/main/cpp/sandbox/camera_interface.h/cpp` | Camera API | ### Implementation Tasks 1. Implement session management: - `startSession(options)` - requires permission + user gesture - `capturePhoto()` - returns frame data - `stopSession()` 2. Mandatory recording indicator: - Show in system UI (cannot be hidden by app) 3. Implement Lua API: ```lua local session = camera.start({facing = "back", resolution = "720p"}) session:on("frame", function(data) ... end) local photo = session:capture() session:stop() ``` 4. Rate limit: 1 session at a time, max 30 fps. ### Dependencies - Milestone 2 (PermissionGate + user gesture) - Milestone 3 (AuditLog) - Game engine camera bridge (future) ### Test Criteria ```cpp TEST(CameraInterface, RequiresPermission); TEST(CameraInterface, RequiresUserGesture); TEST(CameraInterface, ShowsIndicator); TEST(CameraInterface, StopsOnAppStop); ``` --- ## Milestone 12: Virtual Hardware - Microphone **Goal**: Audio recording with mandatory indicators. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | MicrophoneInterface | `src/main/cpp/sandbox/microphone_interface.h/cpp` | Mic API | ### Implementation Tasks 1. Implement recording session: - `startRecording(options)` - requires permission + user gesture - `stopRecording()` - returns audio data 2. Mandatory recording indicator (same as camera). 3. Implement Lua API: ```lua local recording = microphone.start({sampleRate = 44100, channels = 1}) recording:on("data", function(samples) ... end) local audio = recording:stop() ``` 4. Rate limit: 1 recording at a time. ### Dependencies - Milestone 2 (PermissionGate + user gesture) - Milestone 3 (AuditLog) ### Test Criteria ```cpp TEST(MicrophoneInterface, RequiresPermission); TEST(MicrophoneInterface, RequiresUserGesture); TEST(MicrophoneInterface, ShowsIndicator); ``` --- ## Milestone 13: Virtual Hardware - Audio Output **Goal**: Safe audio playback. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | AudioOutputInterface | `src/main/cpp/sandbox/audio_output.h/cpp` | Speaker API | ### Implementation Tasks 1. Implement playback: - `play(audioData, options)` - `stop()` - `setVolume(0.0-1.0)` 2. System volume limit (app cannot exceed system volume). 3. Implement Lua API: ```lua local player = audio.play(soundData, {loop = false, volume = 0.8}) player:on("ended", function() ... end) player:stop() ``` 4. Concurrent sound limit: 10 per app. ### Dependencies - Milestone 1 (LuaSandbox) ### Test Criteria ```cpp TEST(AudioOutput, PlaysSound); TEST(AudioOutput, RespectsVolumeLimit); TEST(AudioOutput, LimitsConcurrent); ``` --- ## Milestone 14: Virtual Hardware - Location **Goal**: Location with privacy controls. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | LocationInterface | `src/main/cpp/sandbox/location_interface.h/cpp` | GPS API | ### Implementation Tasks 1. Two permission levels: - `location.coarse` - city-level (1km accuracy) - `location.fine` - precise GPS 2. Implement Lua API: ```lua location.getCurrentPosition(function(pos) print(pos.latitude, pos.longitude, pos.accuracy) end) local watch = location.watchPosition(function(pos) ... end, { enableHighAccuracy = true, timeout = 30000 }) watch:stop() ``` 3. Rate limit: 1 request per second. 4. Reduce precision for coarse permission. ### Dependencies - Milestone 2 (PermissionGate) - Milestone 3 (RateLimiter) ### Test Criteria ```cpp TEST(LocationInterface, RequiresPermission); TEST(LocationInterface, CoarseReducesPrecision); TEST(LocationInterface, RateLimits); ``` --- ## Milestone 15: Virtual Hardware - Sensors **Goal**: Motion sensors with fingerprinting prevention. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | SensorInterface | `src/main/cpp/sandbox/sensor_interface.h/cpp` | Accelerometer, gyro, etc. | ### Implementation Tasks 1. Supported sensors: - Accelerometer (requires `sensors.motion`) - Gyroscope (requires `sensors.motion`) - Magnetometer (requires `sensors.motion`) - Proximity (auto-granted) - Ambient light (auto-granted) 2. Implement Lua API: ```lua local sub = sensors.subscribe("accelerometer", function(data) print(data.x, data.y, data.z, data.timestamp) end, {frequency = 60}) sub:stop() ``` 3. Reduce precision to prevent fingerprinting: - Round values to 2 decimal places - Limit update frequency to 60 Hz ### Dependencies - Milestone 2 (PermissionGate) ### Test Criteria ```cpp TEST(SensorInterface, RequiresPermission); TEST(SensorInterface, ReducesPrecision); TEST(SensorInterface, LimitsFrequency); ``` --- ## Milestone 16: Virtual Hardware - Bluetooth **Goal**: Bluetooth discovery and pairing. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | BluetoothInterface | `src/main/cpp/sandbox/bluetooth_interface.h/cpp` | BT API | ### Implementation Tasks 1. Discovery with user consent: - `startDiscovery()` requires user confirmation - Return device name/address only (no full UUID list) 2. Implement Lua API: ```lua bluetooth.startDiscovery(function(devices) for _, device in ipairs(devices) do print(device.name, device.address) end end, {timeout = 30}) bluetooth.connect(address, function(connection) connection:send(data) end) ``` 3. Limit: 5 connections per app. ### Dependencies - Milestone 2 (PermissionGate + user gesture) ### Test Criteria ```cpp TEST(BluetoothInterface, RequiresPermission); TEST(BluetoothInterface, RequiresUserConsent); ``` --- ## Milestone 17: Virtual Hardware - Contacts **Goal**: Contact access with granular permissions. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | ContactsInterface | `src/main/cpp/sandbox/contacts_interface.h/cpp` | Contacts API | ### Implementation Tasks 1. Separate read/write permissions: - `contacts.read` - query contacts - `contacts.write` - add/modify contacts 2. Implement Lua API: ```lua local contacts = contacts.query({search = "John"}) for _, c in ipairs(contacts) do print(c.name, c.phone, c.email) end contacts.add({name = "New Contact", phone = "555-1234"}) ``` 3. Limit fields returned (no raw account data). ### Dependencies - Milestone 2 (PermissionGate) ### Test Criteria ```cpp TEST(ContactsInterface, RequiresReadPermission); TEST(ContactsInterface, RequiresWritePermission); ``` --- ## Milestone 18: Inter-App Communication **Goal**: Kernel-mediated message passing. **Estimated Files**: 1 new file ### Deliverables | Component | File | Description | |-----------|------|-------------| | MessageBus | `src/main/cpp/sandbox/message_bus.h/cpp` | App-to-app messaging | ### Implementation Tasks 1. Implement intent system: - Manifest declares received intents - Sender must have required permissions 2. Implement Lua API: ```lua -- Sending intents.send({ action = "share", type = "text/plain", data = "Hello world" }) -- Receiving (in manifest + handler) intents.on("share", function(intent) print(intent.from, intent.data) end) ``` 3. Validate sender/receiver at runtime. ### Dependencies - Milestone 2 (PermissionGate) - Milestone 3 (AuditLog) ### Test Criteria ```cpp TEST(MessageBus, SendsToRegisteredReceiver); TEST(MessageBus, BlocksUnregisteredAction); ``` --- ## Milestone 19: Security Testing Suite **Goal**: Comprehensive test coverage. **Estimated Files**: 3 new files ### Deliverables | Component | File | Description | |-----------|------|-------------| | Unit tests | `tests/test_sandbox_security.cpp` | Core sandbox tests | | Integration tests | `tests/test_sandbox_integration.cpp` | Full system tests | | Fuzzer | `tests/fuzz_sandbox.cpp` | Random input testing | ### Implementation Tasks 1. Write unit tests for all milestones (see individual test criteria). 2. Write integration tests: - Full app lifecycle - Permission flow - Resource cleanup 3. Implement fuzzer: - Generate random Lua code - Verify no crashes - Verify sandbox integrity after each run 4. Security audit checklist (from SANDBOX.md). ### Dependencies - All previous milestones --- ## Milestone 20: Kernel Integration **Goal**: Wire sandbox into existing kernel. **Estimated Files**: Modify existing files ### Deliverables | Component | File | Description | |-----------|------|-------------| | App lifecycle | `src/main/cpp/kernel.cpp` | App start/stop | | Sandbox manager | `src/main/cpp/kernel.cpp` | Multi-app management | ### Implementation Tasks 1. Replace global `lua_State` with `LuaSandboxManager`: - Create sandbox per app - Route events to correct sandbox 2. Integrate with RmlUi: - Bridge RmlUi document events to sandbox - Replace `Rml::Lua::Interpreter` with sandboxed states 3. Wire up resource cleanup on app stop. ### Dependencies - Milestones 1-18 --- ## Summary | Phase | Milestones | Description | |-------|------------|-------------| | **Foundation** | 1-4 | Core sandbox, permissions, logging, paths | | **Core APIs** | 5-8 | Timers, JSON, crypto, filesystem, database | | **Network** | 9-10 | HTTP and WebSocket | | **Hardware** | 11-17 | Camera, mic, audio, location, sensors, BT, contacts | | **System** | 18-20 | IPC, testing, integration | ### Recommended Order 1. **Milestone 1** - Must be first (foundation) 2. **Milestone 2** - Permissions (needed by everything) 3. **Milestone 3** - Audit/rate limiting (needed by APIs) 4. **Milestone 4** - Path security (needed by fs/require) 5. **Milestone 5-6** - Timers, JSON (high value) 6. **Milestone 7-8** - Storage, database (app data) 7. **Milestone 9-10** - Network (app connectivity) 8. **Milestones 11-17** - Hardware (as needed) 9. **Milestone 18** - IPC (multi-app) 10. **Milestone 19-20** - Testing & integration ### Quick Start Begin with **Milestone 1** to establish the core sandbox. This is the foundation everything else builds on.