Commit Graph

9 Commits

Author SHA1 Message Date
Kartik K. Agaram 08c49b5a0a protect framework files from apps
There's a separate open question here of where Teliva should store files
like teliva_editor_state and teliva_editor_buffer. One school of thought
is that apps should never be dropping crud into people's directories. On
the other hand, I'm kinda encouraging people so far to just run apps
from Teliva's directory. Perhaps that makes it ok?
2022-03-08 19:20:53 -08:00
Kartik K. Agaram b1ad679f3b hide test app a bit 2022-03-07 15:53:12 -08:00
Kartik K. Agaram 57d4710f98 question raised during FOSDEM '22
2022-02-07 21:52:04 -08:00
Kartik K. Agaram be7da76696 more thoughts on sandboxing 2022-02-05 13:10:39 -08:00
Kartik K. Agaram 7968134246 new potential threat vector 2022-02-01 21:06:17 -08:00
Kartik K. Agaram 577d47a6a7 arrow keys in big picture view 2021-12-21 19:53:32 -08:00
Kartik K. Agaram 609730071e keep Teliva apps from pretending to be Teliva
Kind of a subtle idea. Teliva the framework is intended to be
trustworthy software that people install on their computers. The apps
people run using Teliva may be less trustworthy. The whole point of
Teliva is to provide a sandbox for running code before you trust it.

One way (of many) apps can be malicious is by subtly getting between
what people see and reality. Imagine, for example, an app that draws a
fake menu bar and offers a different hotkey to edit source code. When
someone presses that hotkey they think they're using the standard Teliva
editor but they're really using an editor within the app, which the app
uses to hide its most malicious bits from view.

Down the road Teliva will have more bits of UI, such as for asking for
permission to read sensitive data. It's important that people understand
what they're granting permission to, that apps can't tamper with the
communications channel between them and Teliva.

This is likely just one of many ways for an app to break out of its
sandbox. Teliva isn't sandboxed yet. I'm just taking my first steps on
this journey. In particular, there are other mechanisms for asking for
user input besides `getch()`. I don't yet have a big-picture view of the
Teliva sandbox.

It seems clear that I need to educate people on the difference between
different parts of screen. Depending on the app you install, most of the
screen may be a dark forest. It'll be important to know where the safe
path is, where you can speak to trusted advisors while in the forest.
2021-12-21 15:27:34 -08:00
Kartik K. Agaram 65b38f96ba stop leaking on the Lua stack, redux
An empty stack is too rigorous a line to hold. Instead we'll just ensure
we leave the stack the way we found it.
2021-12-16 20:07:59 -08:00
Kartik K. Agaram cc757ffc4c why not keep manual tests in the repo? 2021-11-29 08:18:28 -08:00