Security hardening: chokepoint lint + default-deny/safe-default guards#85
Merged
Conversation
Add tests/architecture_guards.rs that scans the secure-exec source tree and fails if a banned host API (std::fs/tokio::fs/File::open/openat, std::net/tokio::net/reqwest/hyper/raw sockets, std::process::Command/ tokio::process/fork, std::env::var/var_os/vars) appears outside an explicit allowlist of sanctioned chokepoint modules. The allowlist is built from the current legitimate uses so the lint is green today and catches only NEW uses. Build scripts, benches, bins, and #[cfg(test)] modules are excluded. Also asserts no secure-exec crate depends on an agent/acp/session crate.
Add crates/kernel/tests/default_deny_guards.rs: - Default-deny: with no policy (Permissions::default(), all checks None), filesystem, network, child-process spawn, and environment reads all fail closed (EACCES / empty env). - Fail-closed on new variants: exhaustive (wildcard-free) matches over FsOperation/NetworkOperation/EnvironmentOperation force a compile error if a new capability variant is added, and a runtime check denies every enumerated variant under the empty policy. - Safe defaults: every safety-critical NON-TIME resource limit (processes, open fds, sockets, connections, pipes, ptys, filesystem bytes, inodes, socket buffer/queue caps) is Some(_) and non-zero by default; time budgets (CPU/ wall-clock) are intentionally left opt-in and are not asserted.
|
🚅 Environment secure-exec-pr-85 in rivet-frontend has no services deployed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two CI hardening guards that lock in the secure-exec trust boundary so a refactor cannot silently weaken it. Both are pure tests (no production code changes) and are green today.
#2 — Chokepoint / boundary lint
crates/sidecar/tests/architecture_guards.rsscans the secure-exec Rust source tree and FAILS if a banned host API appears OUTSIDE an explicit allowlist of sanctioned chokepoint modules. The allowlist is built from the current legitimate uses, so it is green today and catches only NEW uses.Banned classes:
std::fs/tokio::fs/File::open/File::create/OpenOptions/openatstd::net::/tokio::net::/reqwest/hyper/ raw socket constructors (TcpStream::,TcpListener::bind,UdpSocket::bind,UnixStream::connect/pair,UnixListener::bind) /to_socket_addrs/std::os::unix::netstd::process::Command/process::Command/tokio::process/Command::new/libc::fork/nix::unistd::forkstd::env::var/var_os/vars/vars_osExclusions: build scripts (
build.rs,*build_support.rs,v8_bridge_build.rs),tests/andbenches/trees,src/bin/andbenchmark.rsdev tooling, and inline#[cfg(test)]modules (brace-tracked).Sanctioned allowlist (each entry documented in-file with why the access is safe):
filesystem,plugins/host_dir,plugins/module_access,stdio,state,vm,service,execution) and language-runtime asset/module loaders (execution::{python, wasm, javascript, node_import_cache, runtime_support}).dns,socket_table,kernel), sidecar host-net chokepoint (execution,state,vm), host-backed storage/agent plugins (s3,google_drive,sandbox_agent), embedded V8 runtime IPC socketpair (embedded_runtime,v8_runtime), and the client transport that spawns/connects to the sidecar.secure-exec-client/src/transport.rs(spawns the sidecar helper). Guest process spawns go through the kernelCommandDriverregistry and never touchCommand::new.transport,host_node,v8-runtime/bridge,sidecar/execution,plugins/s3).Also asserts no secure-exec crate
Cargo.tomldepends on any agent/acp/session crate, and a sanity test that the lint actually scans real sources (guards against a vacuous pass).#5 — Default-deny + safe-default guards
crates/kernel/tests/default_deny_guards.rs:Permissions::default(), all four checksNone), filesystem, network, child-process spawn, and environment reads are all denied (EACCES / empty env).matchoverFsOperation/NetworkOperation/EnvironmentOperationforces a compile error if a new capability variant is added (verified: removing a variant produces E0004), and a runtime check denies every enumerated variant under the empty policy.Some(_)and non-zero by default; never silently unbounded.Test results