Native library calls
====================

Goals
-----

Behavioural goals:

* Route system function calls via the arena
* Allocate memory via the arena, so that it gets freed with it.
* Catch signals and turn them into "SLUL exceptions"

Safety goals:

* Disallow memory operations outside of the arena and sub-arenas? I.e. sandbox the arena.
* (Perhaps even outside of the parameters?)

Implementation
--------------

It could be implemented as a "throw away" process running with seccomp.

Perhaps add a new arena type, "secure arenas", that work like "threaded arenas", except that there is also isolation via seccomp, a separate address space, etc.

Creating a secure arena could perhaps work as follows (pseudo-code):

For Linux:

    pipe()
    clone(...) /* create an "empty" process, perhaps with exec("/usr/lib/.../slul_empty") */
    ...map any wanted native libraries into memory...
    ...set up fake/wrapper libc, that forwards calls to the pipe...
    capset({ _LINUX_CAPABILITY_VERSION_3, 0 }, { 0, 0, 0 })
    /* prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) - should not be needed */
    prctl(PR_SET_NO_NEW_PRIVS, 1)
    setrlimit(RLIMIT_NOFILE, { 0, 0 })
    setrlimit(RLIMIT_NPROC, { 0, 0 })
    prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)
    ...call initialization functions of native libraries...

For BSD:

    pipe()
    clone(...) /* create an "empty" process */
    ...map any wanted native libraries into memory...
    ...set up fake/wrapper libc, that forwards calls to the pipe...
    setrlimit(RLIMIT_NOFILE, { 0, 0 })
    setrlimit(RLIMIT_NPROC, { 0, 0 })
    unveil(NULL, NULL)
    pledge("")
    ...call initialization functions of native libraries...

Tricky parts:

- ELF mapping needs to be implemented (at least to load the system's dynamic loader)
- There can be a lot of libc calls
- libc calls can be system specific
- Things like exec, clone, threading, etc. are tricky
- Some libc calls could be really hard to emulate
- Supporting non-POSIX systems could be tricky.
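The Linux lockdown sequence from the sketch above, carried out in a forked child, as an added example that is not SLUL's own code: the library mapping and the libc-to-pipe forwarding are left out, the parent reads the child's status over the pipe, and the child then calls getpid() to show that anything outside the strict-mode syscall set gets it SIGKILLed. The function names, the two-byte status message and the return codes are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: the lockdown steps from the sketch. Returns 0 or -errno; *strict = 1 if SECCOMP_MODE_STRICT is on. */
static int lockdown(int *strict) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct caps[2] = { {0}, {0} };
    struct rlimit zero = { 0, 0 };
    *strict = 0;
    if (syscall(SYS_capset, &hdr, caps) < 0) return -errno;        /* drop all capabilities */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -errno; /* no setuid/fscaps gains */
    if (setrlimit(RLIMIT_NOFILE, &zero) < 0) return -errno;        /* no new file descriptors */
    if (setrlimit(RLIMIT_NPROC, &zero) < 0) return -errno;         /* no new processes */
    /* Strict mode keeps only read/write/exit/sigreturn; EINVAL = a seccomp filter is already installed (container runtime) */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0) *strict = 1;
    else if (errno != EINVAL) return -errno;
    return 0;
}

/* Parent side. Returns 2 if the child locked down and was then SIGKILLed by seccomp for calling getpid(),
 * 1 if it locked down but strict mode was unavailable, and 0 or less on any failure. */
int run_sandboxed_child(void) {
    int fds[2], status, strict; char msg[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();                        /* the sketch says clone(); fork() is enough here */
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fds[0]);
        int rc = lockdown(&strict);
        msg[0] = rc == 0 ? 'K' : 'F';           /* K = locked down, F = a step failed */
        msg[1] = (char)('0' + strict);
        if (write(fds[1], msg, 2) != 2) rc = -EIO; /* write() is still allowed under strict mode */
        if (rc == 0 && strict) getpid();        /* not in the strict set: the kernel SIGKILLs us */
        /* glibc's _exit() uses exit_group, which strict mode also kills, so use plain exit */
        syscall(SYS_exit, rc == 0 ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], msg, 2); close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || n != 2 || msg[0] != 'K') return 0;
    if (msg[1] == '1') return (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) ? 2 : 0;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}
```

Note that RLIMIT_NOFILE 0 only blocks new descriptors, so the pipe ends opened before the lockdown keep working, which is exactly what the wrapper libc in the sketch relies on.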