33 Security
(require denxi/security) | package: denxi |
A Denxi process implicitly trusts its system-level dependencies and operates under the permissions granted to it by the operating system. Denxi offers no extensions or modifications to the security model of the operating system.
The attack surface includes the permissions set on any Racket process that can use Denxi’s bindings, and the runtime configuration, which ultimately controls arguments to restrict in production use.
procedure
(restrict #:memory-limit memory-limit
          #:time-limit time-limit
          #:trusted-executables trusted-executables
          #:allowed-envvars allowed-envvars
          #:implicitly-trusted-host-executables implicitly-trusted-host-executables
          #:trust-any-executable? trust-any-executable?
          #:trust-unverified-host? trust-unverified-host?
          #:workspace workspace
          #:gc-period gc-period
          [#:name name]
          halt
          proc) → subprogram?
  memory-limit : (>=/c 0)
  time-limit : (>=/c 0)
  trusted-executables : (listof well-formed-integrity?)
  allowed-envvars : (listof (or/c bytes-environment-variable-name? string?))
  implicitly-trusted-host-executables : (listof string?)
  trust-any-executable? : any/c
  trust-unverified-host? : any/c
  workspace : path-string?
  gc-period : (>=/c 0)
  name : (or/c string? symbol?) = (or (object-name proc) "")
  halt : (-> exit-code/c subprogram-log/c any)
  proc : bound-program/c
The parameterization includes:
a new security guard that prohibits listening for connections, and any filesystem activity irrelevant to updating a workspace. Only the executables whose digests match the integrity information in trusted-executables may be used to create subprocesses, unless trust-any-executable? is true, or the executable’s path matches (find-executable-path E) for some E in implicitly-trusted-host-executables.
Any violation caught by the security guard will halt evaluation of proc and create a $restrict:operation message on the program log.
a new custodian that, if per-custodian memory accounting is available, will shut down if it consumes more than memory-limit mebibytes.
a limited subset of environment variables containing only allowed-envvars.
a value for current-https-protocol that depends on trust-unverified-host?.
proc runs in a new thread. If that thread does not terminate on its own within time-limit seconds, then it is forcibly killed and the program log will include a $restrict:budget message. While the thread is active, garbage is collected every gc-period seconds.
If proc returns a value without incident, then the subprogram procedure will use that value. Otherwise, the subprogram will use FAILURE and include the relevant $restrict message with the given name.
struct
(struct $restrict:budget $restrict (kind amount) #:prefab)
  kind : (or/c 'space 'time)
  amount : (>=/c 0)
If kind is 'space, then amount is bound to a value passed as memory-limit to restrict.
If kind is 'time, then amount is bound to a value passed as time-limit to restrict.
struct
(struct $restrict:operation $restrict (reporting-guard summary args) #:prefab)
  reporting-guard : (or/c 'file 'network 'link)
  summary : symbol?
  args : list?
reporting-guard corresponds to a callback used with the security guard that blocked an operation. args is equal to the arguments for that callback at the time the operation was blocked.
summary is a symbol that describes the security decision. It can be one of the following:
'blocked-execute: A request to execute a file was blocked.
'blocked-write: A request to write to disk was blocked.
'blocked-delete: A request to delete a file was blocked.
'blocked-listen: A request to listen for network connections was blocked.
'blocked-link: A request to create a symbolic link was blocked.
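The following is an added example and not Denxi’s own code. It sketches, in plain Racket, the three mechanisms that the description of restrict combines: a security guard that vetoes listen, write, delete, link and execute requests and records a summary in the style of $restrict:operation; a custodian with a memory limit; and a time budget whose outcomes mirror the 'space and 'time kinds of $restrict:budget. It also applies the (find-executable-path E) comparison described under DENXI_TRUST_HOST_EXECUTABLES before allowing an execute request. The names run-restricted, within?, trusted-host-exec? and the shape of the log entries are hypothetical, and reads are allowed everywhere so that modules can still load, which is more permissive than the guard Denxi installs.

```racket
#lang racket/base
;; Added example, not Denxi's own code: a plain-Racket sketch of the mechanisms
;; restrict combines (security guard, memory-limited custodian, time budget).
;; run-restricted, within?, trusted-host-exec? and the log entry shapes are
;; hypothetical names chosen for this illustration.
(require racket/list racket/file racket/tcp)

;; Is p located inside base? Compared on simplified complete paths without
;; touching the filesystem, so the check is safe to evaluate inside a guard.
(define (within? base p)
  (define (parts x) (explode-path (simplify-path (path->complete-path x) #f)))
  (define b (parts base))
  (define q (parts p))
  (and (>= (length q) (length b)) (equal? (take q (length b)) b)))

;; The find-executable-path rule: p may be executed only if it is the path the
;; host resolves a trusted name to, so a package cannot build its own binary
;; under a trusted name inside the workspace and then run it.
(define (trusted-host-exec? p names)
  (for/or ([n (in-list names)])
    (define found (find-executable-path n))
    (and found (equal? (path->complete-path found) (path->complete-path p)))))

;; Runs (proc) under a guard confined to workspace, a custodian limited to
;; memory-limit MiB, and a time-limit in seconds. Returns two values: the
;; outcome, and a list of (summary args) entries for every blocked operation.
(define (run-restricted proc
                        #:workspace workspace
                        #:memory-limit memory-limit
                        #:time-limit time-limit
                        #:implicitly-trusted-host-executables [host-execs '()])
  (define entries '())
  (define (block! summary args)
    (set! entries (cons (list summary args) entries))
    (error 'restrict "~a" summary)) ; raising inside a guard vetoes the operation
  (define guard
    (make-security-guard
     (current-security-guard)
     ;; file guard: reads pass so modules can load; writes and deletes must stay
     ;; in the workspace; execution is gated by the host-executable rule.
     (lambda (who path modes)
       (when path
         (when (and (memq 'execute modes) (not (trusted-host-exec? path host-execs)))
           (block! 'blocked-execute (list who path modes)))
         (when (and (memq 'write modes) (not (within? workspace path)))
           (block! 'blocked-write (list who path modes)))
         (when (and (memq 'delete modes) (not (within? workspace path)))
           (block! 'blocked-delete (list who path modes)))))
     ;; network guard: outbound connections pass, listening does not
     (lambda (who host port mode)
       (when (eq? mode 'server)
         (block! 'blocked-listen (list who host port mode))))
     ;; link guard: no symbolic links at all
     (lambda (who path target)
       (block! 'blocked-link (list who path target)))))
  (define cust (make-custodian))
  (when (custodian-memory-accounting-available?)
    (custodian-limit-memory cust (* memory-limit 1024 1024)))
  (define shutdown-evt (make-custodian-box cust #t)) ; ready once cust shuts down
  (define result-ch (make-channel))
  (parameterize ([current-custodian cust]
                 [current-security-guard guard])
    (thread
     (lambda ()
       (channel-put result-ch
                    (with-handlers ([exn:fail? (lambda (e) (list 'failure (exn-message e)))])
                      (list 'ok (proc)))))))
  (define outcome (sync/timeout time-limit result-ch shutdown-evt))
  (custodian-shutdown-all cust)
  (values (cond [(not outcome) (list 'failure 'time time-limit)]           ; cf. $restrict:budget 'time
                [(custodian-box? outcome) (list 'failure 'space memory-limit)] ; cf. $restrict:budget 'space
                [else outcome])
          (reverse entries)))

(module+ main
  (define ws (make-temporary-file "restrict-demo-~a" 'directory))
  ;; A write inside the workspace is fine; the listen attempt is vetoed.
  (define-values (r1 log1)
    (run-restricted (lambda ()
                      (with-output-to-file (build-path ws "ok.txt")
                        (lambda () (display "written")))
                      (tcp-listen 0))
                    #:workspace ws #:memory-limit 200 #:time-limit 5))
  (printf "~s ~s\n" r1 log1)
  ;; A write outside the workspace is vetoed.
  (define-values (r2 log2)
    (run-restricted (lambda ()
                      (with-output-to-file (build-path (find-system-path 'temp-dir) "escape.txt")
                        (lambda () (display "nope"))))
                    #:workspace ws #:memory-limit 200 #:time-limit 5))
  (printf "~s ~s\n" r2 log2)
  ;; A runaway loop is cut off by the time budget.
  (define-values (r3 log3)
    (run-restricted (lambda () (let loop () (loop)))
                    #:workspace ws #:memory-limit 200 #:time-limit 1))
  (printf "~s ~s\n" r3 log3)
  (delete-directory/files ws))
```

Run with racket on the file to see the three outcomes. The guard only takes effect for code running in the thread created under the parameterize, which is why the workspace directory is created and removed outside it; an operation vetoed by the guard surfaces as an exception in proc, which is how a violation halts evaluation rather than being silently skipped.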
setting
DENXI_MEMORY_LIMIT_MB : (>=/c 0) = 200
Does not count memory charged when parsing the command line and setting up a runtime configuration.
Has no effect if the running Racket installation does not support per-custodian memory accounting.
setting
DENXI_TIME_LIMIT_S : (>=/c 0) = 300
setting
DENXI_TRUST_CERTIFICATES : (listof path-string?) = ()
setting
DENXI_TRUST_EXECUTABLES : (listof well-formed-integrity?) = ()
Beware: Any executable listed here inherits the OS-level permissions of the process, and is not subject to the restrictions of a Denxi runtime configuration. If you include a Denxi launcher or a sufficiently flexible Racket launcher, a package can start a new Denxi process with a full-trust configuration.
setting
DENXI_TRUST_HOST_EXECUTABLES : (listof string?) = ()
This can be helpful in the event a package depends on access to an executable on the host system and there is no way to control the content of that executable.
The find-executable-path restriction is meant to prevent packages from creating and then immediately running their own executables just because they have a name in this list. Even so, this can be a dangerous setting, and should only be used if you trust both the package definition and the executables on your system. It’s also why PATH should not include a build directory.
Regardless of the setting’s actual value, Denxi implicitly considers "openssl" an element of its list. The user is therefore responsible for the integrity of their OpenSSL instance.
setting
: (listof (or/c bytes-environment-variable-name? string?)) = ()
"PATH" is included regardless of the value of this setting.