-
Notifications
You must be signed in to change notification settings - Fork 184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document how the fallback to File I/O works regarding file handle usage and sandboxing #227
Comments
Also, I believe ring and getrandom make the same trade-off: To get the benefits described, we run the risk of very bad results if the file descriptor is closed. Arguably it may be better to have slower performance for ancient Linux systems and run the risk of more often failing due to open file descriptor limits to get rid of the problem described by the last bullet point. I believe the python implementation of this functionality does that, or at least fstats the file descriptor to make sure it is still open and still a special device file handle, which isn't perfect, but which is safer than what we do. |
Maybe this should be a separate issue, but I find it strange that |
Regarding sandboxing, BoringSSL has similar documentation to what I'm requesting: https://github.com/google/boringssl/blob/master/SANDBOXING.md |
Besides File I/O, see #65 (comment) regarding Windows:
Thus we need to provide documentation on how to deal with this. |
Even this document does not go to the level of detail you requested in the OP. It does not contains much information relevant in our case. Almost everything is in the "entropy" section. We more or less cover this information in the "supported targets" table. Could you open a PR with docs to resolve this issue? Adding a "sandbox support" section could be worthwhile, but I don't think it should be bigger than 2-3 paragraphs. |
Closing this issue since it's not clear how to proceed with it. We are open to documentation improvements, so it may be better to just open a PR for it. We can discuss finer details in its discussion. |
The ring documentation says:
The intent of that documentation is to:
All of this could be clearer in the ring documentation, so I wouldn't suggest copying it. However, I do think it would be useful for guarantees to be made in the
getrandom
documentation or for the documentation to call out that no such guarantees are made. In particular, how should one usegetrandom
in conjunction with sandboxing and what can we expect w.r.t. file descriptor usage?The text was updated successfully, but these errors were encountered: