Description
Describe the project you are working on
Godot
Describe the problem or limitation you are having in your project
It seems many users want to use Godot in a way where more complex content (such as scenes, Godot resources or even scripts) is downloaded from the internet. Unlike just sending simple Variants, this is very insecure, because the attack surface is huge.
Just restricting the Godot API (or scripts) from accessing files and similar things is far from ideal: the more code an attacker can run, the more ways there are to work around the restrictions and exploit the engine. Godot is not designed for security (except in some areas, such as networking and protocols); it is designed for performance.
Describe the feature / enhancement and how it helps to overcome the problem or limitation
A real sandbox mode for running projects should be provided to users, so that security is as high as possible and the attack surface is as small as possible.
Describe how your proposal will work, with code, pseudo-code, mock-ups, and/or diagrams
This takes advantage of the Godot architecture. Basically, it would split Godot into two processes, similar to how Chrome works: one that talks to the low-level OS, and another that runs the game in a sandbox and sends commands to the first.
As such, some of the core engine classes would effectively work as "proxies", such as:
- OS
- DisplayServer
- AudioDriver
- RenderingDevice
- FileAccess
- DirAccess
This means we would have a "sandbox" platform with sandbox versions of the above classes, such as DisplayServerSandbox, which call the actual ones running outside of the sandbox (a regular Godot instance that starts as sandbox host and receives the sandbox API commands).
Not much more than that is needed, so only those few classes have to be "fortified" against exploits; the rest of the engine can run entirely sandboxed.
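To make the proxy/host split concrete, here is an added example (not Godot code and not part of this proposal) that models the two sides of a FileAccess proxy in a single process. The request/reply structs stand in for the IPC channel, the in-memory map of files stands in for the real filesystem, and the policy checks (res:// only, no "..", bounded read size) are assumptions chosen for illustration. The point it shows is that the host side is the only code that must treat its input as hostile: the sandboxed proxy has the same call shape as the real class but never touches the OS.

```cpp
// Added example: sandbox/host split for FileAccess, modelled in one process.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <utility>

// Message the sandboxed process sends across the channel (assumption: a pipe
// or shared memory would carry it; here it is a plain struct).
struct SandboxRequest {
    enum Op : uint8_t { FILE_OPEN = 1, FILE_READ = 2, FILE_CLOSE = 3 };
    Op op = FILE_OPEN;
    std::string path;   // FILE_OPEN
    int handle = -1;    // FILE_READ, FILE_CLOSE
    uint32_t len = 0;   // FILE_READ
};

struct SandboxReply {
    bool ok = false;
    int handle = -1;
    std::string data;
    std::string error;
};

// Host side ("sandbox host"). This is the code that has to be fortified:
// it trusts nothing in the request and exposes only a constrained view.
class FileAccessHost {
    std::map<std::string, std::string> fs_;               // constructed fake project files
    std::map<int, std::pair<std::string, size_t>> open_;  // handle -> (path, read cursor)
    int next_handle_ = 1;
    static constexpr uint32_t MAX_READ = 4096;            // bound host memory per request

    // Policy (assumed): project paths only, no traversal, no embedded NULs.
    static bool path_allowed(const std::string &p) {
        if (p.rfind("res://", 0) != 0) return false;
        if (p.find("..") != std::string::npos) return false;
        if (p.find('\0') != std::string::npos) return false;
        return true;
    }

public:
    FileAccessHost() { fs_["res://level1.tscn"] = "[gd_scene format=3]"; }

    SandboxReply handle(const SandboxRequest &r) {
        SandboxReply rep;
        switch (r.op) {
        case SandboxRequest::FILE_OPEN: {
            if (!path_allowed(r.path)) { rep.error = "path denied by policy"; return rep; }
            if (fs_.find(r.path) == fs_.end()) { rep.error = "not found"; return rep; }
            rep.handle = next_handle_++;
            open_[rep.handle] = {r.path, 0};
            rep.ok = true;
            return rep;
        }
        case SandboxRequest::FILE_READ: {
            auto it = open_.find(r.handle);
            if (it == open_.end()) { rep.error = "bad handle"; return rep; }
            const std::string &content = fs_.find(it->second.first)->second;
            size_t &cur = it->second.second;              // never exceeds content.size()
            uint32_t len = r.len > MAX_READ ? MAX_READ : r.len;
            rep.data = content.substr(cur, len);          // substr clamps at end of file
            cur += rep.data.size();
            rep.ok = true;
            return rep;
        }
        case SandboxRequest::FILE_CLOSE:
            rep.ok = open_.erase(r.handle) == 1;
            if (!rep.ok) rep.error = "bad handle";
            return rep;
        }
        rep.error = "unknown op";
        return rep;
    }
};

// Sandboxed side: the FileAccessSandbox proxy. Same call shape as the real
// class, but it only marshals requests; it never touches the OS itself.
class FileAccessSandbox {
    FileAccessHost &host_;  // stands in for the IPC channel to the host process
public:
    explicit FileAccessSandbox(FileAccessHost &h) : host_(h) {}
    int open(const std::string &path) {
        SandboxRequest r; r.op = SandboxRequest::FILE_OPEN; r.path = path;
        SandboxReply rep = host_.handle(r);
        return rep.ok ? rep.handle : -1;
    }
    std::string read(int handle, uint32_t len) {
        SandboxRequest r; r.op = SandboxRequest::FILE_READ; r.handle = handle; r.len = len;
        return host_.handle(r).data;
    }
    bool close(int handle) {
        SandboxRequest r; r.op = SandboxRequest::FILE_CLOSE; r.handle = handle;
        return host_.handle(r).ok;
    }
};

// What a downloaded scene might try: one legitimate read plus escape attempts.
// Returns true only if the host policy held on every step.
bool run_scenario() {
    FileAccessHost host;
    FileAccessSandbox fa(host);
    int h = fa.open("res://level1.tscn");
    if (h < 0 || fa.read(h, 1u << 30) != "[gd_scene format=3]") return false; // huge len capped
    if (!fa.close(h)) return false;
    if (fa.open("/etc/passwd") != -1) return false;            // absolute path rejected
    if (fa.open("res://../../secret.key") != -1) return false; // traversal rejected
    if (fa.open("user://save.dat") != -1) return false;        // outside res:// rejected
    if (!fa.read(h, 16).empty()) return false;                 // closed handle yields nothing
    return true;
}

int main() {
    bool held = run_scenario();
    std::printf("sandbox policy held: %s\n", held ? "yes" : "no");
    return held ? 0 : 1;
}
```

The same host class would sit unchanged behind a WebAssembly runtime's host-function imports: the sandboxed side changes transport, the validation stays in one place.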
For the sandbox itself, there are several FOSS libraries that provide sandboxing; alternatively, WebAssembly can be used to run the sandboxed side.
The main advantage of this approach is that it should not be very difficult to implement, and it provides an easy and trustworthy way of running user content downloaded from the internet without danger.
A relatively straightforward way to implement this sandboxing could be via Wasmer, which is multi-platform and portable.
If this enhancement will not be used often, can it be worked around with a few lines of script?
N/A
Is there a reason why this should be core and not an add-on in the asset library?
N/A