Comment by PhilippGille

Comment by PhilippGille a day ago

5 replies

Another comment already mentioned Chromium. In a similar ballpark I'd mention Deno for running TypeScript/JavaScript in a sandbox that you have to give explicit permission for filesystem and network access [1].

And WebAssembly should probably be mentioned as well [2].

[1] https://docs.deno.com/runtime/fundamentals/security/

[2] There are different runtimes, this is one of them: https://docs.wasmtime.dev/security.html

ameliaquining 17 hours ago

Deno has "sandboxing" in the sense that it will refuse to open files and such if you don't pass the relevant permission flags, but AFAICT it doesn't do the thing that this article is talking about, of telling the kernel not to let it do those things. (I'm inferring this from the note in the documentation that native code called via FFI isn't sandboxed.) So an attacker could still do those things if they found an exploitable bug in the Deno runtime.

I'm having a hard time figuring out the details of how Wasmtime works but I don't think it does this kind of sandboxing either.

dgellow a day ago

I've been playing around with deno over the past weeks. It's definitely an interesting project. However I do find the permission system to lack the granularity I would want. You quickly end up in a "all or nothing" state, where I would really like to instead differentiate between code I consider trusted and code I consider risky.

Still, pretty neat and I do see where I will use it in the future.

  • vlovich123 a day ago

    > instead differentiate between code I consider trusted and code I consider risky.

    You’re talking about trying to enforce privilege separation within a single process? For that you’d need capabilities at the language level, and even then I’m skeptical you can really lock things down successfully within a shared memory environment (yes, JS in theory is a VM, but there are so many VM escapes possible that running untrusted code in process seems futile).

    • dgellow 11 hours ago

      I think so, yes. I would like to be able to say "import that module in no-network mode", if that makes sense (or the opposite: default imports to no fs, no network permissions, then grant explicitly).

      • vlovich123 5 hours ago

        Yeah this is particularly a problem for JS where importing code also immediately executes it. But yeah, managing capabilities within a process boundary is inherently trickier than doing it at the process boundary where you can actually guarantee permissions cannot be obtained through subterfuge.
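As an added illustration of the permission-flag behaviour discussed in this thread (example code, not from the thread or from the Deno project), the shell script below assumes `deno` is on PATH and shows the deny-by-default file read check and how `--allow-read` can be scoped to a single directory. The flags are ordinary Deno runtime flags; as noted above, this is a check inside the runtime, not a kernel-enforced sandbox, and the `read.ts` helper and sample files are constructed here.

```shell
#!/bin/sh
# Exercise Deno's deny-by-default permission model from the shell.
# Assumes `deno` is on PATH. Working files are created in a temp dir.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/data" "$WORK/secret"
echo "public" > "$WORK/data/a.txt"     # constructed sample file
echo "hidden" > "$WORK/secret/b.txt"   # constructed sample file

# Constructed helper script: try to read the path given on the command
# line and report whether the runtime allowed or denied the access.
cat > "$WORK/read.ts" <<'EOF'
const path = Deno.args[0];
// Deno 2 throws NotCapable; Deno 1.x throws PermissionDenied.
const Denied = Deno.errors.NotCapable ?? Deno.errors.PermissionDenied;
try {
  await Deno.readTextFile(path);
  console.log("ALLOWED");
} catch (e) {
  console.log(e instanceof Denied ? "DENIED" : "ERROR " + e.message);
}
EOF

# run_read FLAGS PATH -> prints ALLOWED or DENIED.
# --no-prompt disables the interactive permission prompt so the result
# reflects the flags alone; FLAGS is deliberately unquoted so "" adds none.
run_read() {
  deno run --no-prompt $1 "$WORK/read.ts" "$2" 2>/dev/null
}

# Usage when run directly: no flags, a scoped grant, and a read outside it.
if [ "${0##*/}" != "sh" ] && [ "${DENO_DEMO_QUIET:-}" = "" ]; then
  echo "no flags, data/a.txt:            $(run_read '' "$WORK/data/a.txt")"
  echo "--allow-read=data, data/a.txt:   $(run_read "--allow-read=$WORK/data" "$WORK/data/a.txt")"
  echo "--allow-read=data, secret/b.txt: $(run_read "--allow-read=$WORK/data" "$WORK/secret/b.txt")"
fi
```

Note that `--allow-ffi` is the flag that opens the escape hatch the thread mentions: native code loaded through FFI runs outside these runtime checks.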