I was mainly wanting to share a link to a nice project that could be of interest here.
However, I was also wondering about a few things.
1) Would it be possible to tighten the sandbox a bit more in the case where a worker process needs access only to a database file and optionally a template? The parent process could open fds for the worker. Then the worker would potentially not need access to open and related functionality.
But I don’t know what SQLite needs to function properly. It probably needs open to create a new version of a database or temp files. Maybe the parent could also open a second fd that would be empty? Just a thought.
2) On Linux, can an HTTP server that does the CGI dance do clone(CLONE_VM)/exec instead of fork/exec? Would it give a meaningful performance boost? I understand that in most cases it would not matter.
SQLite is difficult to pledge: it creates files during runtime. See https://kristaps.bsd.lv/absdcon2016/ and https://kristaps.bsd.lv/absdcon2017 for some examples. I’ve long been kicking around a library (possibly extending ksql) that puts all SQLite access in a child process, but haven’t done it yet.
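As an added example (not code from kcgi, ksql or anyone in the thread) of the "all SQLite access in a child process" design mentioned above, which also realises the first post's idea of a worker that is handed descriptors instead of open rights: the parent forks a database child over a socketpair, and the worker keeps one socket plus a fixed table of statement names. The worker never sends SQL text, only a name and bound parameters, so the set of queries it can ever run is the set the child was started with. Python's sqlite3 module is used because it is the standard-library binding to the same C API; the schema, rows, statement names and the length-prefixed JSON framing are all constructed for this example.

```python
import json
import os
import socket
import sqlite3
import struct

# Constructed schema and sample rows for this example (not from the thread).
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)"
ROWS = [(1, "alice", "hash-a"), (2, "bob", "hash-b")]

# The complete set of statements the database child will ever run. The worker
# addresses them by name and supplies bound parameters only, so no request it
# can form reads the pw_hash column.
STATEMENTS = {
    "user_by_id": "SELECT id, name FROM users WHERE id = ?",
    "count_users": "SELECT count(*) FROM users",
}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None            # peer closed the socket
        buf += chunk
    return buf


def _send(sock, obj):
    """One frame: 4-byte big-endian length, then a JSON body."""
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(body)) + body)


def _recv(sock):
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None
    (n,) = struct.unpack("!I", hdr)
    body = _recv_exact(sock, n)
    if body is None:
        return None
    try:
        return json.loads(body)
    except ValueError:
        return {}                  # malformed frame: treated as an unknown request


def _serve_db(sock, path):
    """Runs in the child: the only process that ever holds a SQLite handle."""
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    db.commit()
    # On OpenBSD this is the point where the child would pledge() whatever
    # filesystem promises SQLite needs for journal/temp files, while the
    # worker on the other end of the socket needs none of them.
    while True:
        req = _recv(sock)
        if req is None:            # worker closed its end: shut down
            break
        name = req.get("stmt")
        params = req.get("params", [])
        if name not in STATEMENTS or not isinstance(params, list):
            _send(sock, {"error": "unknown statement"})
            continue
        try:
            rows = db.execute(STATEMENTS[name], params).fetchall()
            _send(sock, {"rows": rows})
        except sqlite3.Error as exc:
            _send(sock, {"error": str(exc)})
    db.close()


class DbProxy:
    """Worker-side handle: one socket fd is the worker's entire database access."""

    def __init__(self, path=":memory:"):
        parent_end, child_end = socket.socketpair()
        pid = os.fork()
        if pid == 0:                          # child
            parent_end.close()
            try:
                _serve_db(child_end, path)
            finally:
                os._exit(0)
        child_end.close()                     # parent keeps only its own end
        self.sock, self.pid = parent_end, pid

    def query(self, stmt, *params):
        _send(self.sock, {"stmt": stmt, "params": list(params)})
        return _recv(self.sock)

    def close(self):
        self.sock.close()                     # EOF tells the child to exit
        os.waitpid(self.pid, 0)


if __name__ == "__main__":
    proxy = DbProxy()
    print(proxy.query("user_by_id", 1))       # {'rows': [[1, 'alice']]}
    print(proxy.query("count_users"))         # {'rows': [[2]]}
    print(proxy.query("drop_users"))          # {'error': 'unknown statement'}
    proxy.close()
```

The worker's only capability is the socket; a compromised worker can pick a statement name and parameters, but cannot read columns no statement exposes, cannot run DDL, and has no path to the database file or its journal. Parameters are bound, never interpolated, so a value like `"1 OR 1=1"` is compared as a string and matches nothing.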
After reading through the 2017 presentation I had an idea. I’m not experienced with SQL, but is there something like SQL-pledge? It may make no sense.
The parent process makes a connection to a SQL server and fork/execs; maybe it could also prepare a few statements. The child process first checks what the request is about. Then it could make an SQL-pledge that it will now only access a certain table and will use only the specified statements. Is there something like it? I understand that to some extent it can be emulated by users, but I think it would be better if it worked per connection.
Aside from comments on its language, are there any interesting features or issues anybody wants to raise here? (I wrote kcgi.)