omar/MosisService
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
00b9ceb467595aa789f401e36037281409baeb3c
MosisService/SANDBOX_MILESTONES.md

23 KiB
Raw Blame History

Sandbox Implementation Milestones

Based on SANDBOX.md design document. Implementation order optimized for dependencies.

Milestone 1: Core Sandbox Foundation

Status: Complete Goal: Create isolated Lua environments with resource limits. Estimated Files: 3 new files

Deliverables

Component File Description
LuaSandbox class src/main/cpp/sandbox/lua_sandbox.h Main sandbox container
Custom allocator src/main/cpp/sandbox/lua_sandbox.cpp Per-app memory tracking/limits
Instruction hook src/main/cpp/sandbox/lua_sandbox.cpp CPU limit enforcement
Globals removal src/main/cpp/sandbox/lua_sandbox.cpp Remove os, io, debug, etc.
Bytecode prevention src/main/cpp/sandbox/lua_sandbox.cpp Text-only loading mode
Metatable protection src/main/cpp/sandbox/lua_sandbox.cpp Freeze _G and string metatable

Implementation Tasks

  1. Create LuaSandbox class with:

    • lua_State* m_L - isolated state
    • SandboxLimits m_limits - memory/CPU/stack limits
    • SandboxContext m_context - app_id, permissions, etc.
    • Custom allocator that tracks m_memory_used

  2. Implement RemoveDangerousGlobals():

    • Remove: os, io, debug, package, require, ffi, jit
    • Remove: dofile, loadfile, load, loadstring
    • Remove: rawget, rawset, rawequal, rawlen
    • Remove: collectgarbage, newproxy
    • Remove: string.dump

  3. Implement instruction hook:

    • lua_sethook(L, InstructionHook, LUA_MASKCOUNT, 1000)
    • Throw error when limit exceeded

  4. Implement ProtectBuiltinTables():

    • Set __metatable on string metatable
    • Freeze _G with __newindex error

Dependencies

  • Lua library already linked (via RmlUi)

Test Criteria

TEST(LuaSandbox, DangerousGlobalsRemoved);
TEST(LuaSandbox, BytecodeRejected);
TEST(LuaSandbox, MemoryLimitEnforced);
TEST(LuaSandbox, CPULimitEnforced);
TEST(LuaSandbox, MetatableProtected);

Milestone 2: Permission System

Status: Complete Goal: Gate API access based on app permissions. Estimated Files: 2 new files

Deliverables

Component File Description
PermissionGate src/main/cpp/sandbox/permission_gate.h Permission checking
User gesture tracking src/main/cpp/sandbox/permission_gate.cpp Recent tap/click detection
Permission categories src/main/cpp/sandbox/permission_gate.cpp Normal/Dangerous/Signature

Implementation Tasks

  1. Define permission categories:

    enum class PermissionCategory { Normal, Dangerous, Signature };

  2. Create PermissionGate class:

    • bool Check(lua_State* L, const std::string& permission)
    • int RequirePermission(lua_State* L, const char* perm) - throws Lua error

  3. Implement user gesture tracking:

    • void RecordUserGesture() - called on touch down
    • bool HasRecentUserGesture(int ms) - check within time window

  4. Define permission manifest parsing:

    • Read manifest.json from app package
    • Extract permissions array

Dependencies

  • Milestone 1 (LuaSandbox)

Test Criteria

TEST(PermissionGate, NormalPermissionAutoGranted);
TEST(PermissionGate, DangerousPermissionRequiresGrant);
TEST(PermissionGate, SignaturePermissionSystemOnly);
TEST(PermissionGate, UserGestureRequired);

Milestone 3: Audit Logging & Rate Limiting

Status: Complete Goal: Track security events and prevent API abuse. Estimated Files: 2 new files

Deliverables

Component File Description
AuditLog src/main/cpp/sandbox/audit_log.h/cpp Security event logging
RateLimiter src/main/cpp/sandbox/rate_limiter.h/cpp Token bucket rate limiting

Implementation Tasks

  1. Create AuditLog class:

    enum class AuditEvent {
    AppStart, AppStop, PermissionCheck, PermissionDenied,
    NetworkRequest, FileAccess, SandboxViolation, ResourceLimitHit
};

  2. Implement thread-safe logging:

    • Ring buffer with max entries
    • Log critical events to Android logcat

  3. Create RateLimiter class:

    • Token bucket algorithm
    • Per-operation limits: network.request, storage.write, etc.
    • bool Check(const std::string& app_id, const std::string& operation)

Dependencies

  • Milestone 1 (LuaSandbox)

Test Criteria

TEST(AuditLog, LogsSecurityEvents);
TEST(AuditLog, ThreadSafe);
TEST(RateLimiter, EnforcesLimits);
TEST(RateLimiter, RefillsOverTime);

Milestone 4: Safe Path & Require

Status: Complete Goal: Secure file access within app sandbox. Estimated Files: 1 new file

Deliverables

Component File Description
Path validation src/main/cpp/sandbox/path_sandbox.h/cpp Canonical path checking
Safe require src/main/cpp/sandbox/path_sandbox.cpp Module loader from app/scripts/

Implementation Tasks

  1. Implement ValidatePath():

    • Reject .. traversal
    • Reject absolute paths
    • Canonicalize and verify prefix match

  2. Implement SafeRequire():

    • Validate module name (alphanumeric + underscore)
    • Load from app_path/scripts/name.lua
    • Cache in registry __loaded
    • Text-only mode ("t")

  3. Register as global require:

    lua_pushcfunction(L, SafeRequire);
lua_setglobal(L, "require");

Dependencies

  • Milestone 1 (LuaSandbox)

Test Criteria

TEST(PathSandbox, RejectsTraversal);
TEST(PathSandbox, RejectsAbsolutePaths);
TEST(SafeRequire, LoadsFromScriptsDir);
TEST(SafeRequire, CachesModules);

Milestone 5: Timer & Callback System

Status: Complete Goal: Safe timer APIs managed by kernel. Estimated Files: 1 new file

Deliverables

Component File Description
TimerManager src/main/cpp/sandbox/timer_manager.h/cpp setTimeout/setInterval

Implementation Tasks

  1. Create TimerManager class:

    • Priority queue of pending timers
    • Per-app timer limits (max 100)
    • Minimum 10ms granularity

  2. Implement Lua APIs:

    setTimeout(callback, ms) -> id
clearTimeout(id)
setInterval(callback, ms) -> id
clearInterval(id)

  3. Integrate with kernel main loop:

    • Check and fire timers each frame
    • Reset instruction count before callback

  4. Implement cleanup:

    • ClearAppTimers(app_id) on app stop

Dependencies

  • Milestone 1 (LuaSandbox)
  • Milestone 3 (RateLimiter)

Test Criteria

TEST(TimerManager, FiresTimeout);
TEST(TimerManager, FiresInterval);
TEST(TimerManager, LimitsPerApp);
TEST(TimerManager, CleansUpOnStop);

Milestone 6: JSON & Crypto APIs

Status: Complete Goal: Safe data parsing and cryptographic primitives. Estimated Files: 2 new files

Deliverables

Component File Description
JSON API src/main/cpp/sandbox/json_api.cpp Safe encode/decode
Crypto API src/main/cpp/sandbox/crypto_api.cpp Hash, random, HMAC

Implementation Tasks

  1. Implement json.decode():

    • Depth limit (32)
    • String length limit (1 MB)
    • Array/object size limits

  2. Implement json.encode():

    • Cycle detection
    • Output size limit

  3. Implement crypto APIs:

    • crypto.randomBytes(n) - CSPRNG
    • crypto.hash("sha256", data)
    • crypto.hmac("sha256", key, data)
    • Remove math.randomseed, replace math.random with per-app RNG

Dependencies

  • Milestone 1 (LuaSandbox)
  • nlohmann-json (already in vcpkg)

Test Criteria

TEST(JsonApi, DecodesValid);
TEST(JsonApi, RejectsDeepNesting);
TEST(JsonApi, RejectsTooLarge);
TEST(CryptoApi, RandomBytesSecure);
TEST(CryptoApi, HashCorrect);

Milestone 7: Virtual Filesystem

Status: Complete Goal: Per-app isolated storage with quotas. Estimated Files: 1 new file

Deliverables

Component File Description
VirtualFS src/main/cpp/sandbox/virtual_fs.h/cpp App storage API

Implementation Tasks

  1. Define virtual path mapping:

    /data/   → /data/data/com.omixlab.mosis/apps/<app_id>/data/
/cache/  → /data/data/com.omixlab.mosis/apps/<app_id>/cache/
/temp/   → (session-only, cleared on stop)
/shared/ → requires storage.shared permission

  2. Implement Lua file API:

    fs.read(path) -> string
fs.write(path, data) -> bool
fs.append(path, data) -> bool
fs.delete(path) -> bool
fs.exists(path) -> bool
fs.list(dir) -> table
fs.mkdir(path) -> bool
fs.stat(path) -> {size, modified, isDir}

  3. Enforce limits:

    • Per-app quota (50 MB default)
    • Max file size (10 MB)
    • Max path depth (10)

  4. Cleanup /temp/ on app stop.

Dependencies

  • Milestone 1 (LuaSandbox)
  • Milestone 2 (PermissionGate)
  • Milestone 4 (Path validation)

Test Criteria

TEST(VirtualFS, ReadsWritesInAppDir);
TEST(VirtualFS, BlocksTraversal);
TEST(VirtualFS, EnforcesQuota);
TEST(VirtualFS, CleansUpTemp);

Milestone 8: SQLite Database

Status: Complete Goal: Per-app SQLite with injection prevention. Estimated Files: 1 new file

Deliverables

Component File Description
DatabaseManager src/main/cpp/sandbox/database_manager.h/cpp SQLite sandbox

Implementation Tasks

  1. Create per-app database:

    • Location: /data/data/com.omixlab.mosis/apps/<app_id>/db/app.db
    • Max database size: 50 MB

  2. Implement SQLite authorizer:

    sqlite3_set_authorizer(db, Authorizer, sandbox);
// Block: ATTACH, DETACH, dangerous PRAGMAs, load_extension

  3. Implement Lua API:

    local db = database.open("mydata")
db:execute("CREATE TABLE IF NOT EXISTS items (id INTEGER PRIMARY KEY, name TEXT)")
db:execute("INSERT INTO items (name) VALUES (?)", {"Item 1"})
local rows = db:query("SELECT * FROM items WHERE id > ?", {0})
db:close()

  4. Enforce prepared statements only (no raw SQL interpolation).

Dependencies

  • Milestone 1 (LuaSandbox)
  • Milestone 2 (PermissionGate)
  • SQLite3 (add to vcpkg)

Test Criteria

TEST(Database, CreatesTables);
TEST(Database, PreparedStatements);
TEST(Database, BlocksAttach);
TEST(Database, BlocksDangerousPragma);

Milestone 9: Network - HTTP

Status: Complete Goal: Secure HTTP requests with domain filtering. Estimated Files: 2 new files

Deliverables

Component File Description
HttpRequestValidator src/main/cpp/sandbox/http_validator.h/cpp URL/domain validation
NetworkManager src/main/cpp/sandbox/network_manager.h/cpp HTTP client wrapper

Implementation Tasks

  1. Implement URL parsing and validation:

    • Require HTTPS
    • Block private IPs, localhost, metadata IPs
    • Domain whitelist from manifest

  2. Implement Lua HTTP API:

    local response = network.request({
    url = "https://api.example.com/data",
    method = "POST",
    headers = {...},
    body = "...",
    timeout = 30000
})

  3. Integrate with Android HttpURLConnection or libcurl.

  4. Enforce limits:

    • Request body: 10 MB
    • Response body: 50 MB
    • Timeout: 60s
    • Concurrent requests: 6

Dependencies

  • Milestone 1 (LuaSandbox)
  • Milestone 2 (PermissionGate)
  • Milestone 3 (RateLimiter, AuditLog)

Test Criteria

TEST(HttpValidator, BlocksPrivateIP);
TEST(HttpValidator, BlocksLocalhost);
TEST(HttpValidator, RequiresHttps);
TEST(HttpValidator, EnforcesDomainWhitelist);
TEST(NetworkManager, MakesRequest);

Milestone 10: Network - WebSocket

Status: Complete Goal: Secure WebSocket connections. Estimated Files: 1 new file (extends NetworkManager)

Deliverables

Component File Description
WebSocketManager src/main/cpp/sandbox/websocket_manager.h/cpp WS connections

Implementation Tasks

  1. Implement connection management:

    • Max 5 connections per app
    • Idle timeout: 5 minutes
    • Message size limit: 1 MB

  2. Implement Lua WebSocket API:

    local ws = network.websocket("wss://api.example.com/ws")
ws:on("open", function() ... end)
ws:on("message", function(data) ... end)
ws:on("close", function(code, reason) ... end)
ws:send(data)
ws:close()

  3. Use same URL validation as HTTP.

  4. Cleanup connections on app stop.

Dependencies

  • Milestone 9 (HttpRequestValidator)

Test Criteria

TEST(WebSocketManager, Connects);
TEST(WebSocketManager, LimitsPerApp);
TEST(WebSocketManager, CleansUpOnStop);

Milestone 11: Virtual Hardware - Camera

Status: Complete Goal: Camera access with mandatory indicators. Estimated Files: 1 new file

Deliverables

Component File Description
CameraInterface src/main/cpp/sandbox/camera_interface.h/cpp Camera API

Implementation Tasks

  1. Implement session management:

    • startSession(options) - requires permission + user gesture
    • capturePhoto() - returns frame data
    • stopSession()

  2. Mandatory recording indicator:

    • Show in system UI (cannot be hidden by app)

  3. Implement Lua API:

    local session = camera.start({facing = "back", resolution = "720p"})
session:on("frame", function(data) ... end)
local photo = session:capture()
session:stop()

  4. Rate limit: 1 session at a time, max 30 fps.

Dependencies

  • Milestone 2 (PermissionGate + user gesture)
  • Milestone 3 (AuditLog)
  • Game engine camera bridge (future)

Test Criteria

TEST(CameraInterface, RequiresPermission);
TEST(CameraInterface, RequiresUserGesture);
TEST(CameraInterface, ShowsIndicator);
TEST(CameraInterface, StopsOnAppStop);

Milestone 12: Virtual Hardware - Microphone

Status: Complete Goal: Audio recording with mandatory indicators. Estimated Files: 1 new file

Deliverables

Component File Description
MicrophoneInterface src/main/cpp/sandbox/microphone_interface.h/cpp Mic API

Implementation Tasks

  1. Implement recording session:

    • startRecording(options) - requires permission + user gesture
    • stopRecording() - returns audio data

  2. Mandatory recording indicator (same as camera).

  3. Implement Lua API:

    local recording = microphone.start({sampleRate = 44100, channels = 1})
recording:on("data", function(samples) ... end)
local audio = recording:stop()

  4. Rate limit: 1 recording at a time.

Dependencies

  • Milestone 2 (PermissionGate + user gesture)
  • Milestone 3 (AuditLog)

Test Criteria

TEST(MicrophoneInterface, RequiresPermission);
TEST(MicrophoneInterface, RequiresUserGesture);
TEST(MicrophoneInterface, ShowsIndicator);

Milestone 13: Virtual Hardware - Audio Output

Status: Complete Goal: Safe audio playback. Estimated Files: 1 new file

Deliverables

Component File Description
AudioOutputInterface src/main/cpp/sandbox/audio_output.h/cpp Speaker API

Implementation Tasks

  1. Implement playback:

    • play(audioData, options)
    • stop()
    • setVolume(0.0-1.0)

  2. System volume limit (app cannot exceed system volume).

  3. Implement Lua API:

    local player = audio.play(soundData, {loop = false, volume = 0.8})
player:on("ended", function() ... end)
player:stop()

  4. Concurrent sound limit: 10 per app.

Dependencies

  • Milestone 1 (LuaSandbox)

Test Criteria

TEST(AudioOutput, PlaysSound);
TEST(AudioOutput, RespectsVolumeLimit);
TEST(AudioOutput, LimitsConcurrent);

Milestone 14: Virtual Hardware - Location

Status: Complete Goal: Location with privacy controls. Estimated Files: 1 new file

Deliverables

Component File Description
LocationInterface src/main/cpp/sandbox/location_interface.h/cpp GPS API

Implementation Tasks

  1. Two permission levels:

    • location.coarse - city-level (1km accuracy)
    • location.fine - precise GPS

  2. Implement Lua API:

    location.getCurrentPosition(function(pos)
    print(pos.latitude, pos.longitude, pos.accuracy)
end)

local watch = location.watchPosition(function(pos) ... end, {
    enableHighAccuracy = true,
    timeout = 30000
})
watch:stop()

  3. Rate limit: 1 request per second.

  4. Reduce precision for coarse permission.

Dependencies

  • Milestone 2 (PermissionGate)
  • Milestone 3 (RateLimiter)

Test Criteria

TEST(LocationInterface, RequiresPermission);
TEST(LocationInterface, CoarseReducesPrecision);
TEST(LocationInterface, RateLimits);

Milestone 15: Virtual Hardware - Sensors

Status: Complete Goal: Motion sensors with fingerprinting prevention. Estimated Files: 1 new file

Deliverables

Component File Description
SensorInterface src/main/cpp/sandbox/sensor_interface.h/cpp Accelerometer, gyro, etc.

Implementation Tasks

  1. Supported sensors:

    • Accelerometer (requires sensors.motion)
    • Gyroscope (requires sensors.motion)
    • Magnetometer (requires sensors.motion)
    • Proximity (auto-granted)
    • Ambient light (auto-granted)

  2. Implement Lua API:

    local sub = sensors.subscribe("accelerometer", function(data)
    print(data.x, data.y, data.z, data.timestamp)
end, {frequency = 60})
sub:stop()

  3. Reduce precision to prevent fingerprinting:

    • Round values to 2 decimal places
    • Limit update frequency to 60 Hz

Dependencies

  • Milestone 2 (PermissionGate)

Test Criteria

TEST(SensorInterface, RequiresPermission);
TEST(SensorInterface, ReducesPrecision);
TEST(SensorInterface, LimitsFrequency);

Milestone 16: Virtual Hardware - Bluetooth

Status: Complete

Goal: Bluetooth discovery and pairing. Estimated Files: 1 new file

Deliverables

Component File Description
BluetoothInterface src/main/cpp/sandbox/bluetooth_interface.h/cpp BT API

Implementation Tasks

  1. Discovery with user consent:

    • startDiscovery() requires user confirmation
    • Return device name/address only (no full UUID list)

  2. Implement Lua API:

    bluetooth.startDiscovery(function(devices)
    for _, device in ipairs(devices) do
        print(device.name, device.address)
    end
end, {timeout = 30})

bluetooth.connect(address, function(connection)
    connection:send(data)
end)

  3. Limit: 5 connections per app.

Dependencies

  • Milestone 2 (PermissionGate + user gesture)

Test Criteria

TEST(BluetoothInterface, RequiresPermission);
TEST(BluetoothInterface, RequiresUserConsent);

Milestone 17: Virtual Hardware - Contacts

Goal: Contact access with granular permissions. Estimated Files: 1 new file

Deliverables

Component File Description
ContactsInterface src/main/cpp/sandbox/contacts_interface.h/cpp Contacts API

Implementation Tasks

  1. Separate read/write permissions:

    • contacts.read - query contacts
    • contacts.write - add/modify contacts

  2. Implement Lua API:

    local contacts = contacts.query({search = "John"})
for _, c in ipairs(contacts) do
    print(c.name, c.phone, c.email)
end

contacts.add({name = "New Contact", phone = "555-1234"})

  3. Limit fields returned (no raw account data).

Dependencies

  • Milestone 2 (PermissionGate)

Test Criteria

TEST(ContactsInterface, RequiresReadPermission);
TEST(ContactsInterface, RequiresWritePermission);

Milestone 18: Inter-App Communication

Goal: Kernel-mediated message passing. Estimated Files: 1 new file

Deliverables

Component File Description
MessageBus src/main/cpp/sandbox/message_bus.h/cpp App-to-app messaging

Implementation Tasks

  1. Implement intent system:

    • Manifest declares received intents
    • Sender must have required permissions

  2. Implement Lua API:

    -- Sending
intents.send({
    action = "share",
    type = "text/plain",
    data = "Hello world"
})

-- Receiving (in manifest + handler)
intents.on("share", function(intent)
    print(intent.from, intent.data)
end)

  3. Validate sender/receiver at runtime.

Dependencies

  • Milestone 2 (PermissionGate)
  • Milestone 3 (AuditLog)

Test Criteria

TEST(MessageBus, SendsToRegisteredReceiver);
TEST(MessageBus, BlocksUnregisteredAction);

Milestone 19: Security Testing Suite

Goal: Comprehensive test coverage. Estimated Files: 3 new files

Deliverables

Component File Description
Unit tests tests/test_sandbox_security.cpp Core sandbox tests
Integration tests tests/test_sandbox_integration.cpp Full system tests
Fuzzer tests/fuzz_sandbox.cpp Random input testing

Implementation Tasks

  1. Write unit tests for all milestones (see individual test criteria).

  2. Write integration tests:

    • Full app lifecycle
    • Permission flow
    • Resource cleanup

  3. Implement fuzzer:

    • Generate random Lua code
    • Verify no crashes
    • Verify sandbox integrity after each run

  4. Security audit checklist (from SANDBOX.md).

Dependencies

  • All previous milestones

Milestone 20: Kernel Integration

Goal: Wire sandbox into existing kernel. Estimated Files: Modify existing files

Deliverables

Component File Description
App lifecycle src/main/cpp/kernel.cpp App start/stop
Sandbox manager src/main/cpp/kernel.cpp Multi-app management

Implementation Tasks

  1. Replace global lua_State with LuaSandboxManager:

    • Create sandbox per app
    • Route events to correct sandbox

  2. Integrate with RmlUi:

    • Bridge RmlUi document events to sandbox
    • Replace Rml::Lua::Interpreter with sandboxed states

  3. Wire up resource cleanup on app stop.

Dependencies

  • Milestones 1-18

Summary

Phase Milestones Description
Foundation 1-4 Core sandbox, permissions, logging, paths
Core APIs 5-8 Timers, JSON, crypto, filesystem, database
Network 9-10 HTTP and WebSocket
Hardware 11-17 Camera, mic, audio, location, sensors, BT, contacts
System 18-20 IPC, testing, integration

Recommended Order

  1. Milestone 1 - Must be first (foundation)
  2. Milestone 2 - Permissions (needed by everything)
  3. Milestone 3 - Audit/rate limiting (needed by APIs)
  4. Milestone 4 - Path security (needed by fs/require)
  5. Milestone 5-6 - Timers, JSON (high value)
  6. Milestone 7-8 - Storage, database (app data)
  7. Milestone 9-10 - Network (app connectivity)
  8. Milestones 11-17 - Hardware (as needed)
  9. Milestone 18 - IPC (multi-app)
  10. Milestone 19-20 - Testing & integration

Quick Start

Begin with Milestone 1 to establish the core sandbox. This is the foundation everything else builds on.

Reference in New Issue View Git Blame Copy Permalink