decoder: Sandbox image processing
Progress

- Library to write decoders
- Library to get images from decoders
- Add error handling support in libraries
- Add missing Types to zvariant
- Test basic bwrap sandboxing
- Test basic flatpak-spawn sandboxing
- Handle internal errors
- Detect image format
- Port existing decoding code
- Support aborts
- Normalize stride if not pixel aligned
- Use in Loupe !224 (merged)
- Apply ICC transformations
- Make everything a cargo workspace
- Upstream luma memory formats gtk#5840 (closed) gtk!6019 (closed)
- "Mime-type" to "decoder binary" translation table
- Build and install with meson
- Catch process spawn errors
- Extract exif in image-rs loader
- Choose a sandbox mechanism during runtime
- Add option to disable sandbox
Future

- More sandbox hardening sophie-h/glycin#2 (closed)
- Support collecting warnings sophie-h/glycin#3
- Support SVGs sophie-h/glycin#1 (closed)
Original Thoughts
Not clear if this will really happen, but it's a possibility.
We have at least the following steps that touch image data:

- EXIF
- Decoding (C involved for some formats for now)
- Color profiles (C involved): was GTK's problem, now our problem again, but we are not planning to sandbox that part since it will land in GTK later
The only real way to sandbox is to have separate processes. We could use bwrap (on the host) or flatpak-spawn --sandbox (inside a Flatpak) and pass the child an FD over which we send the image data. The ipc_channel crate provides channels and shared memory, using memfd on Linux.
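How the runtime choice between bwrap and flatpak-spawn --sandbox could be made, and what argv each produces, as an added example in Rust that is not glycin's own code. The `Sandbox` enum, the `detect_sandbox`, `sandbox_argv` and `spawn_decoder` functions, the decoder path used in the comments, the choice of fd number, and the minimal bwrap profile are all assumptions for illustration; the project's real sandbox profile is not shown on this page. The practical difference to note is fd handover: bwrap passes inherited (non-CLOEXEC) descriptors through, while flatpak-spawn has to be told about each one with `--forward-fd`.

```rust
use std::path::Path;
use std::process::{Child, Command};

/// Sandbox mechanism, chosen at runtime rather than at build time.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Sandbox {
    /// Running directly on the host: bubblewrap, needs user namespaces.
    Bwrap,
    /// Running inside a Flatpak: nested namespaces are unavailable, so the
    /// portal is asked to sandbox the child via `flatpak-spawn --sandbox`.
    FlatpakSpawn,
}

/// Flatpak mounts /.flatpak-info into every app sandbox; its presence is the
/// usual runtime check. The path is a parameter so the check is testable.
pub fn detect_sandbox(flatpak_info: &Path) -> Sandbox {
    if flatpak_info.exists() {
        Sandbox::FlatpakSpawn
    } else {
        Sandbox::Bwrap
    }
}

/// Build argv that runs `decoder` with the IPC socket on `socket_fd`.
/// The decoder sees a read-only /usr, an empty /tmp, no network and nothing
/// else of the file system; the image bytes must arrive over the socket.
/// This minimal profile is an illustration, not the project's real one.
pub fn sandbox_argv(kind: Sandbox, decoder: &str, socket_fd: i32) -> Vec<String> {
    let s = |x: &str| x.to_string();
    match kind {
        Sandbox::Bwrap => vec![
            s("bwrap"),
            s("--ro-bind"), s("/usr"), s("/usr"),
            s("--symlink"), s("usr/lib"), s("/lib"),
            s("--symlink"), s("usr/lib64"), s("/lib64"),
            s("--symlink"), s("usr/bin"), s("/bin"),
            s("--proc"), s("/proc"),
            s("--dev"), s("/dev"),
            s("--tmpfs"), s("/tmp"),
            s("--unshare-all"),     // fresh pid, net, ipc, uts, user and cgroup namespaces
            s("--die-with-parent"), // a decoder must never outlive the loader
            s("--new-session"),     // no TIOCSTI injection into the caller's terminal
            s("--clearenv"),
            s("--"),
            s(decoder), // inherited fds such as `socket_fd` pass through unchanged
        ],
        Sandbox::FlatpakSpawn => vec![
            s("flatpak-spawn"),
            s("--sandbox"),
            s("--no-network"),
            s("--watch-bus"), // kill the child when we disappear from the session bus
            format!("--forward-fd={socket_fd}"), // unlike bwrap, fds are not inherited implicitly
            s("--"),
            s(decoder),
        ],
    }
}

/// Spawn the decoder. With bwrap the socket must not be close-on-exec so the
/// child inherits it; with flatpak-spawn the portal forwards it for us.
pub fn spawn_decoder(kind: Sandbox, decoder: &str, socket_fd: i32) -> std::io::Result<Child> {
    let argv = sandbox_argv(kind, decoder, socket_fd);
    Command::new(&argv[0]).args(&argv[1..]).spawn()
}
```

Neither profile grants the decoder access to the image file itself; that is deliberate, since the point of the design is that the only thing the child can reach is the socket it is handed.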
Structure
This structure does not work for SVG tiled rendering. We might just use a private specialized API for that.
Messages
To Decoder
Load Image
Could also be a command line argument if we don't want to recycle decoding processes.
- fd (UNIX socket we write GFile content into)
Next Frame
No further info is transmitted. Needed for animations and maybe multiple "items" in formats like HEIF in the future.
- No information
From Decoder
Early Info
We need these early for window size and potentially other space allocation things.
- Dimensions
- EXIF etc., containing rotation info
Texture
- ICCP
- CICP/NCLX
- Memory format
- Memory location or fd (memfd)
- (Frame duration)