| About |
| ===== |
| |
| This is a prototype for plumbing Mojo into the NaCl sandbox. It is |
| currently insecure (see below), does not provide a stable ABI (IRT |
| support must be added), and does not support Mojo functions that |
| return pointers (for example, `MojoMapBuffer`). |
| |
| |
| Using |
| ===== |
| |
| To use this prototype run `mojo/tools/mojob.py gn --nacl` and then build |
| and test as usual. |
| |
| Run `mojo/tools/mojob.py nacltest` for additional nacl-specific tests. |
| |
| |
| Notes |
| ===== |
| |
| `generator/interface.py` contains a programmatic description of the |
| stable Mojo interface. This will need to be updated as the interface |
| changes. Run `generator/generate_nacl_bindings.py` to generate the |
| bindings that plumb this interface into the NaCl sandbox. |
| |
| |
| Security TODO |
| ============= |
| |
| * Separate trusted and untrusted Mojo handles. |
| * Validate and copy option structures. |
| * Protect untrusted buffers passed into Mojo: |
| * `NaClVmIoWillStart/HasEnded`. |
| * volatile accesses to untrusted memory (untrusted code could race). |
| * Overflow checking in array bounds validation. |
| |
