33 Security

8.12

33 Security🔗ℹ

package: denxi

A Denxi process implicitly trusts its system-level dependencies and operates under the permissions granted to it by the operating system. Denxi offers no extensions or modifications to the security model of the operating system.

The attack surface includes the permissions set on any Racket process that can use Denxi’s bindings, and the runtime configuration, which ultimately controls arguments to restrict in production use.

procedure
(restrict
#:memory-limit memory-limit
#:time-limit time-limit
#:trusted-executables trusted-executables
#:allowed-envvars allowed-envvars
#:implicitly-trusted-host-executables implicitly-trusted-host-executables
#:trust-any-executable? trust-any-executable?
#:trust-unverified-host? trust-unverified-host?
#:workspace workspace
#:gc-period gc-period
[ #:name name]
halt
proc)
→ subprogram?
  memory-limit : (>=/c 0)
  time-limit : (>=/c 0)
  trusted-executables : (listof well-formed-integrity?)
  allowed-envvars : (listof (or/c bytes-environment-variable-name? string?))
  implicitly-trusted-host-executables : (listof string?)
  trust-any-executable? : any/c
  trust-unverified-host? : any/c
  workspace : path-string?
  gc-period : (>=/c 0)
  name : (or/c string? symbol?) = (or (object-name proc) "")
  halt : (-> exit-code/c subprogram-log/c any)
  proc : bound-program/c

Applies proc under a new parameterization, with restricted runtime privileges. Eventually sends control to halt depending on runtime behavior.

The parameterization includes

a new security guard that prohibits listening for connections, and any filesystem activity irrelevant to updating a workspace. Only the executables whose digests match the integrity information in trusted-executables may be used to create subprocesses, unless trust-any-executable? is true, or if the executable’s path matches (find-executable-path E) for some E in implicitly-trusted-host-executables.
Any violation caught by the security guard will halt evaluation of proc and create a $restrict:operation message on the program log.
a new custodian that, if per-custodian memory accounting is available, will shut down if it consumes more than memory-limit mebibytes.
a limited subset of environment variables containing only allowed-envvars.
A value for current-https-protocol that depends on trust-unverified-host?.

proc runs in a new thread. If that thread does not terminate on its own within time-limit seconds, then it is forcibly killed and the program log will include a $restrict:budget message. While the thread is active, garbage is collected every gc-period seconds.

If proc returns a value without incident, then the subprogram procedure will use that value. Otherwise, the subprogram will use FAILURE and include the relevant $restrict message with the given name.

struct
(struct $restrict $message (name)
#:prefab)
name : (or/c string? symbol?)

A message used to reports violations of safety limits, where name is equal to the value passed as name to restrict.

struct
(struct $restrict:budget $restrict (kind amount)
    #:prefab)
  kind : (or/c 'space 'time)
  amount : (>=/c 0)

Reports a resource limit violation.

If kind is 'space, then amount is bound to a value passed as memory-limit to restrict.

If kind is 'time, then amount is bound to a value passed as time-limit to restrict.

struct
(struct $restrict:operation $restrict ( reporting-guard
summary
args)
    #:prefab)
  reporting-guard : (or/c 'file 'network 'link)
  summary : symbol?
  args : list?

Reports a security violation.

reporting-guard corresponds to a callback used with the security guard that blocked an operation. args is equal to the arguments for that callback at the time the operation was blocked.

summary is a symbol that describes the security decision. It can be one of the following:

'blocked-execute: A request to execute a file was blocked.
'blocked-write: A request to write to disk was blocked.
'blocked-delete: A request to delete a file was blocked.
'blocked-listen: A request to listen for network connections was blocked.
'blocked-link: A request to create a symbolic link was blocked.

setting
DENXI_MEMORY_LIMIT_MB : (>=/c 0) = 200

CLI Flags: -M/--memory-limit/--DENXI_MEMORY_LIMIT_MB

Defines a memory limit for a custodian managing process resources, in mebibytes. If this is too low, then it is possible for Denxi to halt due to a forced custodian shutdown.

Does not count memory charged when parsing the command line and setting up a runtime configuration.

Has no effect if the running Racket installation does not support per-custodian memory accounting.

setting
DENXI_TIME_LIMIT_S : (>=/c 0) = 300

CLI Flags: -S/--time-limit/--DENXI_TIME_LIMIT_S

Sets a time limit for a Denxi process, in seconds. Does not count time spent parsing the command line and setting up a runtime configuration.

setting
DENXI_TRUST_CERTIFICATES : (listof path-string?) = ()

CLI Flags: ++trust-cert/--DENXI_TRUST_CERTIFICATES

A list of paths to server certificates that Denxi will trust in addition to those available in the operating system. This option is safer than DENXI_TRUST_UNVERIFIED_HOST so long as the certificates are verified by a trusted party.

setting
DENXI_TRUST_UNVERIFIED_HOST : boolean? = #f

CLI Flags: -H/--trust-any-host/--DENXI_TRUST_UNVERIFIED_HOST

Dangerous. When true, trust any server that was not authenticated using available certificates.

setting
DENXI_TRUST_ANY_EXECUTABLE : boolean? = #f

CLI Flags: --trust-any-exe/--DENXI_TRUST_ANY_EXECUTABLE

Dangerous. When true, allow the Racket runtime to start a subprocess with any executable.

setting
DENXI_TRUST_EXECUTABLES : (listof well-formed-integrity?) = ()

CLI Flags: +x/++trust-exe/++trust-executable/--DENXI_TRUST_EXECUTABLES

Like DENXI_TRUST_PUBLIC_KEYS, but used to verify executables a package tries to use when creating a subprocess.

Beware: Any executable listed here inherits the OS-level permissions of the process, and is not subject to the restrictions of a Denxi runtime configuration. If you include a Denxi launcher or a sufficiently flexible Racket launcher, a package can start a new Denxi process with a full-trust configuration.

setting
DENXI_TRUST_HOST_EXECUTABLES : (listof string?) = ()

CLI Flags: +t/++trust-host-executable/--DENXI_TRUST_HOST_EXECUTABLES

Like DENXI_TRUST_EXECUTABLES, except this setting is a list of names. Denxi will allow execution of a file if its normalized path equals the value of find-executable-path for an element of that list. You may need to add multiple entries to account for extension differences across platforms.

This can be helpful in the event a package depends on access to an executable on the host system and there is no way to control the content of that executable.

The find-executable-path restriction is meant to prevent packages from creating and then immediately running their own executables just because they have a name in this list. Even so, this can be a dangerous setting, and should only be used if you trust both the package definition and the executables on your system. It’s also why PATH should not include a build directory.

Regardless of the setting’s actual value, Denxi implicitly considers "openssl" an element of its list. The user is therefore responsible for the integrity of their OpenSSL instance.

setting
DENXI_ALLOW_ENV
: (listof (or/c bytes-environment-variable-name? string?))
= ()

CLI Flags: +e/++env/++envvar/--DENXI_ALLOW_ENV

Names of environment variables visible to packages, and Denxi subprocesses.

"PATH" is included regardless of the value of this setting.

1	Prerequisite Knowledge
2	Command Line Argument Parsers
3	Command Line Utilities
4	Command Line Flags
5	Packages
6	Package Definitions
7	Package Queries
8	Launchers
9	Subprograms
10	Artifacts
11	Messages
12	Package Inputs
13	Package Outputs
14	Integrity Checking
15	Signature Checking
16	Digs
17	Reader Extension
18	Sources
19	Versions
20	State
21	Settings
22	Formatting
23	URLs
24	Strings
25	Localization
26	Printer
27	Archives
28	System
29	Monads
30	Files
31	Cryptography
32	Ports
33	Security
34	Racket Module Operations
35	Codec
36	Notaries