29 Security

(require xiden/security)  package: xiden

A Xiden process implicitly trusts its system-level dependencies and operates under the permissions granted to it by the operating system. Xiden offers no extensions or modifications to the security model of the operating system.

The attack surface includes the permissions set on any Racket process that can use Xiden’s bindings, and the runtime configuration, which ultimately controls arguments to restrict in production use.

procedure

(restrict 
  #:memory-limit memory-limit 
  #:time-limit time-limit 
  #:trusted-executables trusted-executables 
  #:allowed-envvars allowed-envvars 
  #:implicitly-trusted-host-executables implicitly-trusted-host-executables 
  #:trust-any-executable? trust-any-executable? 
  #:trust-unverified-host? trust-unverified-host? 
  #:workspace workspace 
  #:gc-period gc-period 
  [#:name name] 
  halt 
  proc) 
  → logged?
  memory-limit : (>=/c 0)
  time-limit : (>=/c 0)
  trusted-executables : (listof well-formed-integrity-info/c)
  allowed-envvars : (listof (or/c bytes-environment-variable-name? string?))
  implicitly-trusted-host-executables : (listof string?)
  trust-any-executable? : any/c
  trust-unverified-host? : any/c
  workspace : path-string?
  gc-period : (>=/c 0)
  name : (or/c string? symbol?) = (or (object-name proc) "")
  halt : (-> exit-code/c messy-log/c any)
  proc : (-> (-> exit-code/c messy-log/c any) any/c)
Reduces runtime privileges.

Applies proc under a new parameterization, then sends control to halt depending on runtime behavior.

The parameterization includes

proc runs in a new thread. If that thread does not terminate on its own within time-limit seconds, then it is forcibly killed and the program log will include a $restrict:budget message. While the thread is active, garbage is collected every gc-period seconds.

If proc returns a value without incident, then the logged procedure will use that value. Otherwise, the logged procedure will use FAILURE and include the relevant $restrict message with the given name.
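The budget behaviour described above rests on ordinary Racket custodians and threads. The following is an added illustrative example, not Xiden's implementation of restrict: a hypothetical run-with-budget helper runs a thunk in its own thread under a memory-limited custodian, enforces a deadline with sync/timeout, and reports whichever limit was hit in a constructed budget-violation record that mirrors the shape of $restrict:budget. The helper name, the struct, and the three sample thunks are assumptions.

```racket
#lang racket/base
;; Added illustrative example; this is not Xiden's implementation of restrict.
;; It shows the Racket primitives a time/space budget rests on: a custodian
;; with a memory limit, a worker thread, and sync/timeout for the deadline.
;; The helper name run-with-budget and the budget-violation struct are
;; assumptions; the struct only mirrors the shape of $restrict:budget.

(struct budget-violation (name kind amount) #:prefab)  ; kind is 'space or 'time

;; Run thunk in a fresh thread under a custodian that is shut down once the
;; thread's allocations exceed memory-limit bytes, and give up after
;; time-limit seconds. Returns (list 'ok value), (list 'error message) when
;; thunk raises, or a budget-violation naming the limit that was hit.
;; custodian-limit-memory raises exn:fail:unsupported on Racket builds
;; without memory accounting.
(define (run-with-budget name memory-limit time-limit thunk)
  (define cust (make-custodian))
  (custodian-limit-memory cust memory-limit cust)
  (define result-ch (make-channel))
  (define worker
    (parameterize ([current-custodian cust])
      (thread
       (lambda ()
         (channel-put
          result-ch
          (with-handlers ([exn:fail? (lambda (e) (list 'error (exn-message e)))])
            (list 'ok (thunk))))))))
  ;; If the custodian kills the worker for exceeding memory, the thread dies
  ;; without ever posting to result-ch; thread-dead-evt catches that case.
  ;; sync/timeout returns #f when the deadline passes first.
  (define outcome
    (sync/timeout time-limit
                  result-ch
                  (handle-evt (thread-dead-evt worker)
                              (lambda (_) (budget-violation name 'space memory-limit)))))
  (custodian-shutdown-all cust)  ; also kills a worker that overran its time
  (or outcome (budget-violation name 'time time-limit)))

(module+ main
  (define mb (* 1024 1024))
  ;; Finishes well within both limits, so the thunk's value comes back.
  (displayln (run-with-budget "quick" (* 64 mb) 2 (lambda () (+ 1 2))))
  ;; Sleeps past the deadline, so the 'time budget is reported.
  (displayln (run-with-budget "slow" (* 64 mb) 0.2 (lambda () (sleep 5))))
  ;; Allocates without bound until the custodian's memory limit stops the
  ;; thread, so the 'space budget is reported.
  (displayln (run-with-budget "hungry" (* 8 mb) 10
                              (lambda ()
                                (let loop ([acc '()])
                                  (loop (cons (make-bytes mb) acc)))))))
```

The shutdown of the custodian after sync/timeout is what makes the time limit effective: killing the worker's custodian releases every thread, port and subprocess it created, which is the same reason a sandboxed proc should allocate its resources only under the custodian it was started in.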

struct

(struct $restrict $message (name)
    #:prefab)
  name : (or/c string? symbol?)
A message used to report violations of safety limits, where name is equal to the value passed as name to restrict.

struct

(struct $restrict:budget $restrict (kind amount)
    #:prefab)
  kind : (or/c 'space 'time)
  amount : (>=/c 0)
Reports a resource limit violation.

If kind is 'space, then amount is bound to a value passed as memory-limit to restrict.

If kind is 'time, then amount is bound to a value passed as time-limit to restrict.

struct

(struct $restrict:operation $restrict (reporting-guard
    summary
    args)
    #:prefab)
  reporting-guard : (or/c 'file 'network 'link)
  summary : symbol?
  args : list?
Reports a security violation.

reporting-guard corresponds to a callback used with the security guard that blocked an operation. args is equal to the arguments for that callback at the time the operation was blocked.
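The three values of reporting-guard correspond to the three callbacks a Racket security guard is built from. The following is an added illustrative example, not Xiden's code: it installs a guard whose file, network and link callbacks each block an operation and record it in a constructed operation-violation struct shaped like $restrict:operation, with args holding the callback's arguments at the time of the block. The policy (reads anywhere, writes only under a workspace directory, no network, no links), the helper names and the summary symbols are assumptions.

```racket
#lang racket/base
;; Added illustrative example; this is not Xiden's code. It installs a
;; Racket security guard whose three callbacks correspond to the 'file,
;; 'network and 'link values of reporting-guard, and records a blocked
;; operation in the same shape as $restrict:operation. The policy (reads
;; anywhere, writes only under a workspace directory, no network, no
;; links), the helper names and the summary symbols are assumptions.
(require racket/tcp)

(struct operation-violation (reporting-guard summary args) #:prefab)
(struct exn:fail:denied exn:fail (violation))

;; Abort the guarded primitive, carrying the callback's arguments along.
(define (deny reporting-guard summary args)
  (raise (exn:fail:denied
          (format "~a guard blocked ~a" reporting-guard summary)
          (current-continuation-marks)
          (operation-violation reporting-guard summary args))))

(define (make-workspace-guard workspace)
  ;; Normalise without touching the filesystem: a guard callback must not
  ;; itself perform guarded filesystem operations.
  (define ws (path->directory-path
              (simplify-path (path->complete-path workspace) #f)))
  (define (inside-workspace? p)
    (let loop ([p (simplify-path (path->complete-path p) #f)])
      (or (equal? p ws)
          (let-values ([(base name must-be-dir?) (split-path p)])
            (and (path? base) (loop base))))))
  (make-security-guard
   (current-security-guard)
   ;; file guard: who, path (may be #f), list of 'read 'write 'execute 'delete 'exists
   (lambda (who path modes)
     (when (and path
                (or (memq 'write modes) (memq 'delete modes))
                (not (inside-workspace? path)))
       (deny 'file 'write-outside-workspace (list who path modes))))
   ;; network guard: who, host, port, 'client or 'server
   (lambda (who host port client/server)
     (deny 'network 'network-disabled (list who host port client/server)))
   ;; link guard: who, link path, target path
   (lambda (who link-path target)
     (deny 'link 'links-disabled (list who link-path target)))))

;; Run thunk under the guard. Returns (list 'ok value) or the
;; operation-violation describing the first blocked operation.
(define (call-with-workspace-guard workspace thunk)
  (with-handlers ([exn:fail:denied? exn:fail:denied-violation])
    (list 'ok
          (parameterize ([current-security-guard (make-workspace-guard workspace)])
            (thunk)))))

(module+ main
  (define ws (find-system-path 'temp-dir))
  ;; A write inside the workspace passes the 'file callback.
  (displayln
   (call-with-workspace-guard
    ws
    (lambda ()
      (call-with-output-file (build-path ws "guard-demo.txt")
        (lambda (out) (write-string "ok" out))
        #:exists 'truncate))))
  ;; A write outside the workspace is reported through the 'file callback;
  ;; no file is created because the primitive is stopped before it runs.
  (displayln
   (call-with-workspace-guard
    ws
    (lambda ()
      (open-output-file (build-path (find-system-path 'home-dir) "guard-demo.txt")))))
  ;; Any connection attempt is reported through the 'network callback.
  (displayln
   (call-with-workspace-guard ws (lambda () (tcp-connect "localhost" 8080)))))
```

A guard installed this way only narrows what the process may do; it cannot grant anything the operating system denies, which is the point made at the top of this section. Note also that the guard is consulted before the primitive acts, so a denied open-output-file leaves no file behind for a later step to trust.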

summary is a symbol that describes the security decision. It can be one of the following: