Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upAdd "fork" method to DenoPermissions #4779
Comments
|
Prerequisite for #3998 |
|
@bartlomieju I'll work on this. |
|
@bartlomieju is this task still necessary? #3998 is closed. trying to figure out the value of this given that closed dep |
|
@jefern14 yes it's needed. Currently in worker permissions are inherited from process and we want to make them configurable. See #4867 |
|
great thanks for the update. I'll be looking into this as well after work hours. |
|
@bartlomieju do you mind explaining a bit more of what you mean when you say "permissions escalation"? The way I'm looking at this having almost no knowledge of how this works is that a forked worker would inherit all the same permissions of it's parent. Your description makes me doubt my assumption so I'd like to understand prior implementing anything. |
That's the case right now, when you create worker with |
|
@bartlomieju I'm trying to work on this. |
|
@Axighi I already have an open PR. Although I do have to update it since |
|
The fork process just can work on Workers or have other scenarios? |
To have
Denonamespace in the worker, we'll want to provide a map of permissions worker should have. Worker's set of permissions mustn't escalate permissions of parent worker/Deno process.To achieve that a method called
forkshould be added toDenoPermissionsstruct.forkwould take as many parameters as there are fields onDenoPermissionsand return newDenoPermissionsinstance after asserting that none of the permissions passed as arguments escalate parent permissions. If one tried to fork permissions with escalation thenOpError::permission_deniedshould be returned with appropriate message indicating which permissions are being escalated.Pseudo code:
This is an easy issue, only
*_whitelistprocessing might be a bit complicated.