A Node security policy is similar in concept to a browser Content Security Policy (CSP).
```js
{
  "sha384-...": { // <- this is the hash of a source (which self-describes its hashing algorithm)
    fs: [ // <- this is an "entitlement"; it's a whitelist (an array of objects)
      {
        path: "/home/alice/**/*", // <- this is a "resource" (a filesystem path)
        permissions: 0666 // <- a permission that represents bits for read, write, execute, etc.
      },
      {
        path: '/usr/local/lib',
        permissions: 0444
      }
    ],
    eval: true, // <- eval entitlement (like unsafe-inline for CSPs, implies new Function(...))
    net: [
      {
        path: 'https://api.google.com/**/*' // <- anything from the root of 'https://api.google.com/'
      },
      {
        path: 'https:' // <- liberal allowance (anything over https).
      }
    ]
  }
}
```
- If a policy can be found by the runtime (recursing upward in the file system tree, i.e. RC files)...
- Node starts with zero access to syscalls.
- When a process is launched, its source tree + deps (including addons) are hashed before it is executed...
- If an entry with a matching hash is not found in the (local, user or system level) `policy.json` file...
  - Node must use the closest policy to propose entitlements to the user, or it will start as node does today.
  - Before the code will continue to execute, the user must acknowledge (by OS prompt) the proposed entitlements.
- If an entry with a matching hash is found in the (local, user or system level) `policy.json` file...
  - Node only permits syscalls that are requested by the `policy.json` file (checks could be cached)...
  - A process that violates the policy would be instantly terminated with an appropriate exit code.
- A prompt should be presented to the user in a way that is easy to read (similar to Little Snitch). Perhaps OS-level APIs could be used, but macOS Mojave is still in beta.

```
This process wants to
- READ and WRITE at "/home/alice/**/*"
- READ at "/usr/local/lib"
- CONNECT to "https://api.google.com/**/*".
Allow this [(Default: No)/Once/Always]?
```