Spidermonkey under pure kvm

Hi Gentlemen,
I am writing a web server in C and I have to include the possibility of
server-side C and JavaScript programming. For security reasons they must run
under absolute control, so I would like to apply SpiderMonkey under KVM
directly. Every login runs in a separate KVM, and the C and JavaScript are
separated from each other, too. I have an interface system for KVM C
processes.
Is there any implementation or sample for SpiderMonkey?
Or does it have to be developed as a new project?
In this case, can I get the list of SpiderMonkey's required interfaces to the
system?
Or any advice?
Thanks, Miki.
xmiki
3/23/2020 11:09:14 AM
mozilla.dev.tech.js-engine

On Mon, Mar 23, 2020 at 6:10 AM <xmiki.4@gmail.com> wrote:

> Hi Gentlemen,
> I am writing a web server in C and I have to include the possibility of
> server-side C and JavaScript programming. For security reasons they must
> run under absolute control, so I would like to apply SpiderMonkey under KVM
> directly. Every login runs in a separate KVM, and the C and JavaScript are
> separated from each other, too. I have an interface system for KVM C
> processes.
> Is there any implementation or sample for SpiderMonkey?
> Or does it have to be developed as a new project?
> In this case, can I get the list of SpiderMonkey's required interfaces to
> the system?
> Or any advice?
> Thanks, Miki.
>

Hi, Miki. This sounds like a new project to me.

To see the system interfaces SM uses, a dumb trick you can do is search the
codebase for XP_WIN, which is usually present in places where we have
system-specific #ifdefs:
  https://searchfox.org/mozilla-central/search?q=XP_WIN&path=js%2Fsrc
  https://searchfox.org/mozilla-central/search?q=XP_WIN&path=mfbt

It's not that bad. Still, naively, I would consider designing this
differently, to avoid having to implement an operating system. Suppose you
use a stripped-down Linux as your OS, or use containers instead of KVM.
Then all of the above #ifdefs and mmap calls will Just Work.

And, you'll still have plenty of work to do, assuming your sandboxed JS VMs
need to communicate with the more-privileged host process. We have that
need inside Firefox, where untrusted, sandboxed web site processes need to
send messages, sometimes containing arbitrary JS data, to a parent process
that has access to all the user data. We use StructuredClone.h
<https://searchfox.org/mozilla-central/source/js/public/StructuredClone.h>
for serialization, and the code in dom/ipc for comm
<https://searchfox.org/mozilla-central/source/dom/ipc>; you can implement
something simpler, but it is nontrivial.

-j
Jason
3/23/2020 3:02:22 PM
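
The reply above notes that a privileged host has to accept messages carrying arbitrary data from untrusted, sandboxed JS VMs. As an added example (not part of the thread and not SpiderMonkey code), here is a host-side check in C that validates such a message before privileged code reads it. The wire format, tag values, limits and function names are all assumptions made up for this example; it is not the structured-clone encoding.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical wire format (assumed for this example only):
 *   0x01 INT   4 bytes, big-endian
 *   0x02 STR   2-byte big-endian length, then that many bytes
 *   0x03 LIST  1-byte element count, then that many nested values */
enum { TAG_INT = 1, TAG_STR = 2, TAG_LIST = 3 };
enum { MAX_DEPTH = 8, MAX_MSG = 4096 };

/* Walks one value at buf[*pos]. Every read is bounds-checked first, and
 * nesting is capped so a hostile sender cannot exhaust the host's stack. */
static int walk_value(const uint8_t *buf, size_t len, size_t *pos, int depth)
{
    if (depth > MAX_DEPTH || *pos >= len) return -1;
    switch (buf[(*pos)++]) {
    case TAG_INT:
        if (len - *pos < 4) return -1;
        *pos += 4;
        return 0;
    case TAG_STR: {
        if (len - *pos < 2) return -1;
        size_t n = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
        *pos += 2;
        if (len - *pos < n) return -1;   /* declared length exceeds data */
        *pos += n;
        return 0;
    }
    case TAG_LIST: {
        if (len - *pos < 1) return -1;
        unsigned count = buf[(*pos)++];
        for (unsigned i = 0; i < count; i++)
            if (walk_value(buf, len, pos, depth + 1) != 0) return -1;
        return 0;
    }
    default:
        return -1;                       /* unknown tag: reject, never guess */
    }
}

/* Host-side gate: returns 0 only if the buffer is exactly one well-formed
 * value with no trailing bytes; -1 otherwise. */
int validate_sandbox_msg(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    if (buf == NULL || len == 0 || len > MAX_MSG) return -1;
    if (walk_value(buf, len, &pos, 0) != 0) return -1;
    return pos == len ? 0 : -1;
}
```

Call `validate_sandbox_msg` on the raw bytes read from the sandbox channel and drop the message on any nonzero return, before any decoding into host data structures.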