(require xiden/security)    package: xiden
A Xiden process implicitly trusts its system-level dependencies and operates under the permissions granted to it by the operating system. Xiden offers no extensions or modifications to the security model of the operating system.
(restrict #:memory-limit memory-limit
          #:time-limit time-limit
          #:trusted-executables trusted-executables
          #:allowed-envvars allowed-envvars
          #:implicitly-trusted-host-executables implicitly-trusted-host-executables
          #:trust-any-executable? trust-any-executable?
          #:trust-unverified-host? trust-unverified-host?
          #:workspace workspace
          #:gc-period gc-period
          [#:name name]
          halt
          proc) → logged?
  memory-limit : (>=/c 0)
  time-limit : (>=/c 0)
  trusted-executables : (listof well-formed-integrity-info/c)
  allowed-envvars : (listof (or/c bytes-environment-variable-name? string?))
  implicitly-trusted-host-executables : (listof string?)
  trust-any-executable? : any/c
  trust-unverified-host? : any/c
  workspace : path-string?
  gc-period : (>=/c 0)
  name : (or/c string? symbol?) = (or (object-name proc) "")
  halt : (-> exit-code/c messy-log/c any)
  proc : (-> (-> exit-code/c messy-log/c any) any/c)
Applies proc under a new parameterization, then sends control to halt depending on runtime behavior.
The parameterization includes
a new security guard that prohibits listening for connections and any filesystem activity irrelevant to updating a workspace. Only executables whose digests match the integrity information in trusted-executables may be used to create subprocesses, unless trust-any-executable? is true or the executable’s path matches (find-executable-path E) for some E in implicitly-trusted-host-executables.
a new custodian that, if per-custodian memory accounting is available, will shut down if it consumes more than memory-limit mebibytes.
a limited subset of environment variables containing only allowed-envvars.
a value for current-https-protocol that depends on trust-unverified-host?.
proc runs in a new thread. If that thread does not terminate on its own within time-limit seconds, then it is forcibly killed and the program log will include a $restrict:budget message. While the thread is active, garbage is collected every gc-period seconds.
If proc returns a value without incident, then the logged procedure will use that value. Otherwise, the logged procedure will use FAILURE and include the relevant $restrict message with the given name.
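The following is an added example of calling restrict with a least-privilege configuration and a halt procedure that reports $restrict:budget messages; it is not code from the Xiden project. It assumes a run-log procedure in xiden/logged that drives the returned logged? value, and uses a placeholder workspace path.

```racket
#lang racket/base
;; Added example; not Xiden project code. Assumptions are marked ASSUMED.
(require racket/list          ; flatten
         xiden/security
         xiden/logged)        ; ASSUMED: provides run-log for logged? values

;; Placeholder workspace path; replace with the real workspace.
(define workspace-dir (build-path (current-directory) "xiden-workspace"))

;; halt receives the exit code and the (possibly nested) message log.
;; It reports any $restrict:budget message, which restrict records when
;; the memory or time budget is exceeded, then exits with that code.
(define (halt exit-code messages)
  (for ([m (in-list (flatten messages))]
        #:when ($restrict:budget? m))
    (eprintf "restrict: ~a budget of ~a exceeded~n"
             ($restrict:budget-kind m)      ; 'space or 'time
             ($restrict:budget-amount m)))  ; the limit that was passed
  (exit exit-code))

;; proc runs under the restricted parameterization. It receives a halt
;; procedure and may either return a value or hand control to it.
(define (build-step halt)
  (define out (build-path workspace-dir "build.log"))
  ;; Writing under the workspace is permitted by the security guard;
  ;; a write elsewhere would be blocked and logged as 'blocked-write.
  (with-output-to-file out #:exists 'replace
    (lambda () (displayln "build started")))
  'ok)

;; Least-privilege configuration: no subprocesses, empty environment,
;; no unverified HTTPS hosts, tight memory and time budgets.
(define restricted
  (restrict #:memory-limit 256          ; mebibytes
            #:time-limit 30             ; seconds
            #:trusted-executables '()   ; no executable digests trusted
            #:allowed-envvars '()       ; empty environment
            #:implicitly-trusted-host-executables '()
            #:trust-any-executable? #f
            #:trust-unverified-host? #f
            #:workspace workspace-dir
            #:gc-period 5               ; collect garbage every 5 s
            #:name "build-step"
            halt
            build-step))

;; ASSUMED: run-log returns the result and the accumulated messages.
(define-values (result messages) (run-log restricted))
```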
(struct $restrict:budget $restrict (kind amount) #:prefab)
  kind : (or/c 'space 'time)
  amount : (>=/c 0)
If kind is 'space, then amount is bound to a value passed as memory-limit to restrict.
If kind is 'time, then amount is bound to a value passed as time-limit to restrict.
reporting-guard corresponds to a callback used with the security guard that blocked an operation. args is equal to the arguments for that callback at the time the operation was blocked.
summary is a symbol that describes the security decision. It can be one of the following:
'blocked-execute: A request to execute a file was blocked.
'blocked-write: A request to write to disk was blocked.
'blocked-delete: A request to delete a file was blocked.
'blocked-listen: A request to listen for network connections was blocked.
'blocked-link: A request to create a symbolic link was blocked.