1*ec63e07aSXin Li# Guetzli Sandbox 2*ec63e07aSXin LiThis is an example implementation of a sandbox for the [Guetzli](https://github.com/google/guetzli) library using [Sandboxed API](https://github.com/google/sandboxed-api). 3*ec63e07aSXin LiPlease read Guetzli's [documentation](https://github.com/google/guetzli#introduction) to learn more about it. 4*ec63e07aSXin Li 5*ec63e07aSXin Li## Implementation details 6*ec63e07aSXin LiBecause Guetzli provides a C++ API and SAPI requires functions to be `extern "C"`, a wrapper library has been written for the compatibility. SAPI provides a Transaction class, which is a convenient way to create a wrapper for your sandboxed API that handles internal errors. The original Guetzli has a command-line utility to encode images, so a fully compatible utility that uses sandboxed Guetzli is provided. 7*ec63e07aSXin Li 8*ec63e07aSXin LiThe wrapper around Guetzli uses file descriptors to pass data to the sandbox. This approach restricts the sandbox from using the `open()` syscall and also helps to prevent making copies of data, because you need to synchronize it between processes. 9*ec63e07aSXin Li 10*ec63e07aSXin Li## Build Guetzli Sandboxed 11*ec63e07aSXin LiRight now Sandboxed API support only Linux systems, so you need one to build it. Guetzli sandboxed uses [Bazel](https://bazel.build/) as a build system so you need to [install it](https://docs.bazel.build/versions/3.4.0/install.html) before building. 12*ec63e07aSXin Li 13*ec63e07aSXin LiTo build Guetzli sandboxed encoding utility you can use this command: 14*ec63e07aSXin Li`bazel build //:guetzli_sandboxed` 15*ec63e07aSXin Li 16*ec63e07aSXin LiThen you can use it in this way: 17*ec63e07aSXin Li``` 18*ec63e07aSXin Liguetzli_sandboxed [--quality Q] [--verbose] original.png output.jpg 19*ec63e07aSXin Liguetzli_sandboxed [--quality Q] [--verbose] original.jpg output.jpg 20*ec63e07aSXin Li``` 21*ec63e07aSXin LiRefer to Guetzli's [documentation](https://github.com/google/guetzli#using) to read more about usage. 22*ec63e07aSXin Li 23*ec63e07aSXin Li## Examples 24*ec63e07aSXin LiThere are two different sets of unit tests which demonstrate how to use different parts of Guetzli sandboxed: 25*ec63e07aSXin Li* `tests/guetzli_sapi_test.cc` - example usage of Guetzli sandboxed API. 26*ec63e07aSXin Li* `tests/guetzli_transaction_test.cc` - example usage of Guetzli transaction. 27*ec63e07aSXin Li 28*ec63e07aSXin LiTo run tests use the following command: 29*ec63e07aSXin Li`bazel test ...` 30*ec63e07aSXin Li 31*ec63e07aSXin LiAlso, there is an example of custom security policy for your sandbox in 32*ec63e07aSXin Li`guetzli_sandbox.h` 33
