29 Security
(require xiden/security)    package: xiden
A Xiden process implicitly trusts its system-level dependencies and operates under the permissions granted to it by the operating system. Xiden offers no extensions or modifications to the security model of the operating system.
The attack surface therefore consists of the permissions granted to any Racket process that can use Xiden's bindings, plus the runtime configuration, which ultimately determines the arguments passed to restrict in production use.
procedure
(restrict #:memory-limit memory-limit
          #:time-limit time-limit
          #:trusted-executables trusted-executables
          #:allowed-envvars allowed-envvars
          #:implicitly-trusted-host-executables implicitly-trusted-host-executables
          #:trust-any-executable? trust-any-executable?
          #:trust-unverified-host? trust-unverified-host?
          #:workspace workspace
          #:gc-period gc-period
          [#:name name]
          halt
          proc) → logged?
  memory-limit : (>=/c 0)
  time-limit : (>=/c 0)
  trusted-executables : (listof well-formed-integrity-info/c)
  allowed-envvars : (listof (or/c bytes-environment-variable-name? string?))
  implicitly-trusted-host-executables : (listof string?)
  trust-any-executable? : any/c
  trust-unverified-host? : any/c
  workspace : path-string?
  gc-period : (>=/c 0)
  name : (or/c string? symbol?) = (or (object-name proc) "")
  halt : (-> exit-code/c messy-log/c any)
  proc : (-> (-> exit-code/c messy-log/c any) any/c)
Applies proc under a new parameterization, then sends control to halt depending on runtime behavior.
The parameterization includes
a new security guard that prohibits listening for connections and any filesystem activity not needed to update a workspace. Only executables whose digests match the integrity information in trusted-executables may be used to create subprocesses, unless trust-any-executable? is true, or the executable's path is equal to (find-executable-path E) for some E in implicitly-trusted-host-executables. Note that the implicit trust is by path lookup only, not by digest.
Any violation caught by the security guard halts evaluation of proc and adds a $restrict:operation message to the program log.
a new custodian that, if per-custodian memory accounting is available, shuts down when it consumes more than memory-limit mebibytes. On a Racket build without memory accounting the limit is not enforced.
a limited set of environment variables containing only those named in allowed-envvars; all others are withheld from proc and its subprocesses.
a value for current-https-protocol that depends on trust-unverified-host?.
proc runs in a new thread. If that thread does not terminate on its own within time-limit seconds, then it is forcibly killed and the program log will include a $restrict:budget message. While the thread is active, garbage is collected every gc-period seconds.
If proc returns a value without incident, then the logged procedure uses that value. Otherwise, the logged procedure uses FAILURE and includes the relevant $restrict message, tagged with the given name.
struct
(struct $restrict:budget $restrict (kind amount) #:prefab)
  kind : (or/c 'space 'time)
  amount : (>=/c 0)
If kind is 'space, then amount is bound to a value passed as memory-limit to restrict.
If kind is 'time, then amount is bound to a value passed as time-limit to restrict.
struct
(struct $restrict:operation $restrict (reporting-guard summary args) #:prefab)
  reporting-guard : (or/c 'file 'network 'link)
  summary : symbol?
  args : list?
reporting-guard names which of the security guard's three callbacks (the file, network, or link guard passed to make-security-guard) blocked the operation. args holds the arguments that callback received at the time the operation was blocked, so it identifies the path, host, port, or link target involved.
summary is a symbol that describes the security decision. It can be one of the following:
'blocked-execute: A request to execute a file was blocked.
'blocked-write: A request to write to disk was blocked.
'blocked-delete: A request to delete a file was blocked.
'blocked-listen: A request to listen for network connections was blocked.
'blocked-link: A request to create a symbolic link was blocked.
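The following is an added example, not Xiden's own code, showing how the pieces above fit together: restrict is called with a conservative policy, and the $restrict:operation and $restrict:budget messages it leaves in the log are inspected. It assumes that xiden/logged exports run-log, which runs a logged? value and returns its result and messages; that the struct predicates and accessors implied by the prefab struct forms are exported from xiden/security; and that a scratch directory under the temporary directory is an acceptable workspace. None of those assumptions are stated on this page.

```racket
#lang racket/base
;; Added example; not part of Xiden.
;; Assumptions (not documented on this page):
;;   - xiden/logged exports run-log : logged? -> (values result messy-log)
;;   - $restrict:operation?, $restrict:budget? and their accessors are
;;     exported from xiden/security
;;   - a scratch directory is an acceptable workspace for restrict
(require racket/list
         racket/tcp
         xiden/security
         xiden/logged)

;; halt receives the exit code and the (possibly nested) message log.
(define (report exit-code messages)
  (printf "halt: exit code ~a, ~a message(s)~n"
          exit-code (length (flatten messages))))

;; Wrap restrict with a deliberately tight policy: no digest-pinned
;; executables, only `ls` by host path lookup, only PATH visible to
;; subprocesses, 64 MiB of memory, a short time budget, and no trust in
;; unverified HTTPS hosts.
(define (run-sandboxed name proc #:time-limit [time-limit 2])
  (restrict #:memory-limit 64
            #:time-limit time-limit
            #:trusted-executables '()
            #:allowed-envvars '("PATH")
            #:implicitly-trusted-host-executables '("ls")
            #:trust-any-executable? #f
            #:trust-unverified-host? #f
            #:workspace (build-path (find-system-path 'temp-dir)
                                    "xiden-example-ws") ; assumed workspace
            #:gc-period 1
            #:name name
            report
            proc))

;; Reduce a messy log to a flat list of the restriction events it carries.
(define (restriction-events messages)
  (for/list ([m (in-list (flatten messages))]
             #:when (or ($restrict:operation? m) ($restrict:budget? m)))
    (if ($restrict:operation? m)
        (list 'operation
              ($restrict:operation-reporting-guard m) ; 'file, 'network or 'link
              ($restrict:operation-summary m))        ; e.g. 'blocked-listen
        (list 'budget
              ($restrict:budget-kind m)                ; 'space or 'time
              ($restrict:budget-amount m)))))          ; the limit that was hit

;; Case 1: proc tries to listen for connections. The network guard blocks
;; it, so the log should carry an 'operation event with 'network and
;; 'blocked-listen.
(define listener
  (run-sandboxed 'listener
                 (λ (halt-early) (tcp-listen 0))))

;; Case 2: proc never returns. After the time budget its thread is killed,
;; so the log should carry a 'budget event with 'time and the limit (2).
(define spinner
  (run-sandboxed 'spinner
                 (λ (halt-early) (let loop () (loop)))))

(module+ main
  (for ([l (list listener spinner)])
    (define-values (result messages) (run-log l))
    (printf "result: ~a~n" result)
    (for-each displayln (restriction-events messages))))
```

Because implicitly-trusted-host-executables trusts by path lookup rather than by digest, anything that can alter PATH or the file at the resolved path can substitute a different binary; pin executables in trusted-executables instead where the digest is known in advance.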