[WIP] src,lib: policy permissions

lib/.eslintrc.yaml

@@ -93,3 +93,4 @@ globals:
   module: false
   internalBinding: false
   primordials: false
+  runInPrivilegedScope: false

lib/internal/bootstrap/loaders.js

@@ -41,7 +41,8 @@
 
 // This file is compiled as if it's wrapped in a function with arguments
 // passed by node::RunBootstrapping()
-/* global process, getLinkedBinding, getInternalBinding, primordials */
+/* global process, getLinkedBinding, getInternalBinding, primordials,
+ runInPrivilegedScope */
 
 const {
   ArrayPrototypeMap,
@@ -280,7 +281,13 @@ class NativeModule {
         requireWithFallbackInDeps : nativeModuleRequire;
 
       const fn = compileFunction(id);
-      fn(this.exports, requireFn, this, process, internalBinding, primordials);
+      fn(this.exports,
+         requireFn,
+         this,
+         process,
+         internalBinding,
+         primordials,
+         runInPrivilegedScope);
 
       this.loaded = true;
     } finally {

lib/internal/bootstrap/node.js

@@ -33,8 +33,9 @@
 'use strict';
 
 // This file is compiled as if it's wrapped in a function with arguments
-// passed by node::RunBootstrapping()
-/* global process, require, internalBinding, primordials */
+// passed by node::RunBootstrapping():
+// global process, require, internalBinding, primordials,
+// runInPriviledgedScope
 
 setupPrepareStackTrace();
 

lib/internal/bootstrap/pre_execution.js

@@ -356,6 +356,7 @@ function initializeClusterIPC() {
 
 function initializePolicy() {
   const experimentalPolicy = getOptionValue('--experimental-policy');
+  const { setup, check, deny } = require('internal/process/policy');
   if (experimentalPolicy) {
     process.emitWarning('Policies are experimental.',
                         'ExperimentalWarning');
@@ -398,9 +399,16 @@ function initializePolicy() {
         throw new ERR_MANIFEST_ASSERT_INTEGRITY(manifestURL, realIntegrities);
       }
     }
-    require('internal/process/policy')
-      .setup(src, manifestURL.href);
+    setup(src, manifestURL.href);
   }
+  ObjectDefineProperty(process, 'policy', {
+    enumerable: true,
+    configurable: false,
+    value: {
+      deny,
+      check,
+    }
+  });
 }
 
 function initializeWASI() {

lib/internal/process/policy.js

@@ -8,7 +8,12 @@ const {
 
 const {
   ERR_MANIFEST_TDZ,
+  ERR_INVALID_ARG_TYPE,
+  ERR_INVALID_ARG_VALUE,
 } = require('internal/errors').codes;
+
+const policy = internalBinding('policy');
+
 const { Manifest } = require('internal/policy/manifest');
 let manifest;
 let manifestSrc;
@@ -57,5 +62,29 @@ module.exports = ObjectFreeze({
 
   assertIntegrity(moduleURL, content) {
     this.manifest.assertIntegrity(moduleURL, content);
+  },
+
+  deny(permissions) {
+    if (typeof permissions !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('permissions', 'string', permissions);
+    const ret = policy.deny(permissions);
+    if (ret === undefined)
+      throw new ERR_INVALID_ARG_VALUE('permissions', permissions);
+  },
+
+  fastCheck(permission) {
+    // This should only be used by internal code. Skips explicit
+    // type checking to improve performance. The permission
+    // argument must be a Int32
+    return policy.fastCheck(permission);
+  },
+
+  check(permissions) {
+    if (typeof permissions !== 'string')
+      throw new ERR_INVALID_ARG_TYPE('permission', 'string', permissions);
+    const ret = policy.check(permissions);
+    if (ret === undefined)
+      throw new ERR_INVALID_ARG_VALUE('permissions', permissions);
+    return ret;
   }
 });

lib/internal/test/policy.js

@@ -0,0 +1,7 @@
+'use strict';
+
+process.emitWarning(
+  'These APIs are for internal testing only. Do not use them.',
+  'internal/test/policy');
+
+module.exports = { runInPrivilegedScope };

node.gyp

@@ -220,6 +220,7 @@
       'lib/internal/source_map/source_map.js',
       'lib/internal/source_map/source_map_cache.js',
       'lib/internal/test/binding.js',
+      'lib/internal/test/policy.js',
       'lib/internal/timers.js',
       'lib/internal/tls.js',
       'lib/internal/trace_events_async_hooks.js',
@@ -660,6 +661,7 @@
         'src/stream_wrap.cc',
         'src/string_bytes.cc',
         'src/string_decoder.cc',
+        'src/policy/policy.cc',
         'src/tcp_wrap.cc',
         'src/timers.cc',
         'src/timer_wrap.cc',
@@ -735,6 +737,7 @@
         'src/node_perf.h',
         'src/node_perf_common.h',
         'src/node_platform.h',
+        'src/policy/policy.h',
         'src/node_process.h',
         'src/node_report.h',
         'src/node_revert.h',

src/env-inl.h

@@ -246,6 +246,19 @@ inline size_t Environment::async_callback_scope_depth() const {
   return async_callback_scope_depth_;
 }
 
+inline void Environment::set_in_privileged_scope(bool on) {
+  if (on)
+    in_privileged_scope_++;
+  else {
+    CHECK_GT(in_privileged_scope_, 0);
+    in_privileged_scope_--;
+  }
+}
+
+inline bool Environment::in_privileged_scope() const {
+  return in_privileged_scope_ > 0;
+}
+
 inline void Environment::PushAsyncCallbackScope() {
   async_callback_scope_depth_++;
 }

src/env.h

@@ -375,6 +375,7 @@ constexpr size_t kFsStatsBufferLength =
   V(replacement_string, "replacement")                                         \
   V(require_string, "require")                                                 \
   V(retry_string, "retry")                                                     \
+  V(run_in_privileged_scope_string, "runInPrivilegedScope")                    \
   V(scheme_string, "scheme")                                                   \
   V(scopeid_string, "scopeid")                                                 \
   V(serial_number_string, "serialNumber")                                      \
@@ -547,6 +548,7 @@ constexpr size_t kFsStatsBufferLength =
   V(primordials, v8::Object)                                                   \
   V(promise_hook_handler, v8::Function)                                        \
   V(promise_reject_callback, v8::Function)                                     \
+  V(run_in_privileged_scope, v8::Function)                                     \
   V(script_data_constructor_function, v8::Function)                            \
   V(source_map_cache_getter, v8::Function)                                     \
   V(tick_callback_function, v8::Function)                                      \
@@ -977,6 +979,7 @@ class Environment : public MemoryRetainer {
   v8::MaybeLocal<v8::Value> BootstrapInternalLoaders();
   v8::MaybeLocal<v8::Value> BootstrapNode();
   v8::MaybeLocal<v8::Value> RunBootstrapping();
+  bool BootstrapPrivilegedAccessContext();
 
   inline size_t async_callback_scope_depth() const;
   inline void PushAsyncCallbackScope();
@@ -1183,6 +1186,9 @@ class Environment : public MemoryRetainer {
   inline node_module* extra_linked_bindings_head();
   inline const Mutex& extra_linked_bindings_mutex() const;
 
+  inline void set_in_privileged_scope(bool on = true);
+  inline bool in_privileged_scope() const;
+
   inline bool filehandle_close_warning() const;
   inline void set_filehandle_close_warning(bool on);
 
@@ -1418,6 +1424,8 @@ class Environment : public MemoryRetainer {
   size_t async_callback_scope_depth_ = 0;
   std::vector<double> destroy_async_id_list_;
 
+  size_t in_privileged_scope_ = 0;
+
 #if HAVE_INSPECTOR
   std::unique_ptr<profiler::V8CoverageConnection> coverage_connection_;
   std::unique_ptr<profiler::V8CpuProfilerConnection> cpu_profiler_connection_;

src/node.cc

@@ -39,6 +39,7 @@
 #include "node_revert.h"
 #include "node_v8_platform-inl.h"
 #include "node_version.h"
+#include "policy/policy.h"
 
 #if HAVE_OPENSSL
 #include "allocated_buffer-inl.h"  // Inlined functions needed by node_crypto.h
@@ -294,6 +295,16 @@ void Environment::InitializeDiagnostics() {
 #endif
 }
 
+bool Environment::BootstrapPrivilegedAccessContext() {
+  Local<Function> run_in_privileged_scope;
+  MaybeLocal<Function> maybe_run_in_privileged_scope =
+    Function::New(context(), policy::RunInPrivilegedScope);
+  if (!maybe_run_in_privileged_scope.ToLocal(&run_in_privileged_scope))
+    return false;
+  set_run_in_privileged_scope(run_in_privileged_scope);
+  return true;
+}
+
 MaybeLocal<Value> Environment::BootstrapInternalLoaders() {
   EscapableHandleScope scope(isolate_);
 
@@ -302,7 +313,8 @@ MaybeLocal<Value> Environment::BootstrapInternalLoaders() {
       process_string(),
       FIXED_ONE_BYTE_STRING(isolate_, "getLinkedBinding"),
       FIXED_ONE_BYTE_STRING(isolate_, "getInternalBinding"),
-      primordials_string()};
+      primordials_string(),
+      run_in_privileged_scope_string()};
   std::vector<Local<Value>> loaders_args = {
       process_object(),
       NewFunctionTemplate(binding::GetLinkedBinding)
@@ -311,7 +323,8 @@ MaybeLocal<Value> Environment::BootstrapInternalLoaders() {
       NewFunctionTemplate(binding::GetInternalBinding)
           ->GetFunction(context())
           .ToLocalChecked(),
-      primordials()};
+      primordials(),
+      run_in_privileged_scope()};
 
   // Bootstrap internal loaders
   Local<Value> loader_exports;
@@ -348,12 +361,14 @@ MaybeLocal<Value> Environment::BootstrapNode() {
       process_string(),
       require_string(),
       internal_binding_string(),
-      primordials_string()};
+      primordials_string(),
+      run_in_privileged_scope_string()};
   std::vector<Local<Value>> node_args = {
       process_object(),
       native_module_require(),
       internal_binding_loader(),
-      primordials()};
+      primordials(),
+      run_in_privileged_scope()};
 
   MaybeLocal<Value> result = ExecuteBootstrapper(
       this, "internal/bootstrap/node", &node_params, &node_args);
@@ -399,6 +414,10 @@ MaybeLocal<Value> Environment::RunBootstrapping() {
 
   CHECK(!has_run_bootstrapping_code());
 
+  if (!BootstrapPrivilegedAccessContext()) {
+    return MaybeLocal<Value>();
+  }
+
   if (BootstrapInternalLoaders().IsEmpty()) {
     return MaybeLocal<Value>();
   }
@@ -436,7 +455,8 @@ MaybeLocal<Value> StartExecution(Environment* env, const char* main_script_id) {
       env->require_string(),
       env->internal_binding_string(),
       env->primordials_string(),
-      FIXED_ONE_BYTE_STRING(env->isolate(), "markBootstrapComplete")};
+      FIXED_ONE_BYTE_STRING(env->isolate(), "markBootstrapComplete"),
+      env->run_in_privileged_scope_string()};
 
   std::vector<Local<Value>> arguments = {
       env->process_object(),
@@ -445,7 +465,8 @@ MaybeLocal<Value> StartExecution(Environment* env, const char* main_script_id) {
       env->primordials(),
       env->NewFunctionTemplate(MarkBootstrapComplete)
           ->GetFunction(env->context())
-          .ToLocalChecked()};
+          .ToLocalChecked(),
+      env->run_in_privileged_scope()};
 
   return scope.EscapeMaybe(
       ExecuteBootstrapper(env, main_script_id, &parameters, &arguments));
@@ -795,6 +816,14 @@ int ProcessGlobalArgs(std::vector<std::string>* args,
     }
   }
 
+  if (per_process::root_policy.Apply(
+        per_process::cli_options->policy_deny,
+        per_process::cli_options->policy_grant).IsNothing()) {
+    errors->emplace_back(
+        "invalid permissions passed to --policy-deny or --policy-grant");
+    return 12;
+  }
+
   if (per_process::cli_options->disable_proto != "delete" &&
       per_process::cli_options->disable_proto != "throw" &&
       per_process::cli_options->disable_proto != "") {

src/node_binding.cc

@@ -69,6 +69,7 @@
   V(os)                                                                        \
   V(performance)                                                               \
   V(pipe_wrap)                                                                 \
+  V(policy)                                                                    \
   V(process_wrap)                                                              \
   V(process_methods)                                                           \
   V(report)                                                                    \

src/node_errors.h

@@ -28,6 +28,7 @@ void OnFatalError(const char* location, const char* message);
 // a `Local<Value>` containing the TypeError with proper code and message
 
 #define ERRORS_WITH_CODE(V)                                                    \
+  V(ERR_ACCESS_DENIED, Error)                                                  \
   V(ERR_BUFFER_CONTEXT_NOT_AVAILABLE, Error)                                   \
   V(ERR_BUFFER_OUT_OF_BOUNDS, RangeError)                                      \
   V(ERR_BUFFER_TOO_LARGE, Error)                                               \
@@ -105,6 +106,7 @@ void OnFatalError(const char* location, const char* message);
 // Errors with predefined static messages
 
 #define PREDEFINED_ERROR_MESSAGES(V)                                           \
+  V(ERR_ACCESS_DENIED, "Access is denied")                                     \
   V(ERR_BUFFER_CONTEXT_NOT_AVAILABLE,                                          \
     "Buffer is not available for the current Context")                         \
   V(ERR_CONSTRUCT_CALL_INVALID, "Constructor cannot be called")                \

src/node_external_reference.h

@@ -56,6 +56,7 @@ class ExternalReferenceRegistry {
   V(handle_wrap)                                                               \
   V(messaging)                                                                 \
   V(native_module)                                                             \
+  V(policy)                                                                    \
   V(process_methods)                                                           \
   V(process_object)                                                            \
   V(task_queue)                                                                \

src/node_native_module.cc

@@ -183,7 +183,8 @@ MaybeLocal<Function> NativeModuleLoader::CompileAsModule(
       FIXED_ONE_BYTE_STRING(isolate, "module"),
       FIXED_ONE_BYTE_STRING(isolate, "process"),
       FIXED_ONE_BYTE_STRING(isolate, "internalBinding"),
-      FIXED_ONE_BYTE_STRING(isolate, "primordials")};
+      FIXED_ONE_BYTE_STRING(isolate, "primordials"),
+      FIXED_ONE_BYTE_STRING(isolate, "runInPrivilegedScope")};
   return LookupAndCompile(context, id, &parameters, result);
 }
 

src/node_options.cc

@@ -704,6 +704,14 @@ PerProcessOptionsParser::PerProcessOptionsParser(
               "generate diagnostic report on fatal (internal) errors",
               &PerProcessOptions::report_on_fatalerror,
               kAllowedInEnvironment);
+  AddOption("--policy-deny",
+            "denied permissions",
+            &PerProcessOptions::policy_deny,
+            kAllowedInEnvironment);
+  AddOption("--policy-grant",
+            "granted permissions",
+            &PerProcessOptions::policy_grant,
+            kAllowedInEnvironment);
 
 #ifdef NODE_HAVE_I18N_SUPPORT
   AddOption("--icu-data-dir",

src/node_options.h

@@ -260,6 +260,9 @@ class PerProcessOptions : public Options {
   bool trace_sigint = false;
   std::vector<std::string> cmdline;
 
+  std::string policy_grant;
+  std::string policy_deny;
+
   inline PerIsolateOptions* get_per_isolate_options();
   void CheckOptions(std::vector<std::string>* errors) override;
 };