
@heapwolf
Last active April 12, 2019 15:41
Possible start of a strawman for node security policies

A node security policy is similar in concept to a CSP.

~/policy.json

```
{
  "sha384-...": { // <- this is the hash of a source (which self-describes its hashing algorithm)
    fs: [ // <- this is an "entitlement", it's a whitelist (an array of objects)
      {
        path: "/home/alice/**/*", // <- this is a "resource" (a filesystem path)
        permissions: 0666 // <- a permission that represents bits for read, write, execute, etc.
      },
      {
        path: "/usr/local/lib",
        permissions: 0444
      }
    ],
    eval: true, // <- eval entitlement (like unsafe-inline for CSPs, implies new Function(...))
    net: [
      {
        path: "https://api.google.com/**/*" // <- anything from the root of 'https://api.google.com/'
      },
      {
        path: "https:" // <- liberal allowance (anything over https).
      }
    ]
  }
}
```

Algorithm

  • If a policy can be found by the runtime (recursing upward in the file system tree, i.e. like RC files)...
    • Node starts with zero access to syscalls.
    • When a process is launched, its source tree + deps (including addons) are hashed before it is executed...
      • If an entry with a matching hash is not found in the (local, user or system level) policy.json file...
        • Node must use the closest policy to propose entitlements to the user; if there is no policy at all, it starts as node does today.
        • Before the code will continue to execute, the user must acknowledge (by OS prompt) the proposed entitlements.
    • Node only permits syscalls that are requested by the policy.json file (checks could be cached)...
      • A process that violates the policy would be instantly terminated with an appropriate exit code.

Prompt

A prompt should be presented to the user in a way that is easy to read (similar to Little Snitch). Perhaps OS-level APIs could be used, but macOS Mojave is still in beta.

This process wants to
  - READ and WRITE at "/home/alice/**/*"
  - READ at "/usr/local/lib"
  - CONNECT to "https://api.google.com/**/*".

Allow this [(Default: No)/Once/Always]?

References

https://twitter.com/hxoht/status/1035087276408233984

https://twitter.com/bradleymeck/status/1034866869663133696
