doc/api/permissions.md (15 additions & 5 deletions)
@@ -246,17 +246,27 @@ There are constraints you need to know before using this system:
246
246
247
247
#### process._debugProcess() and cross-process Inspector activation
248
248
249
-
The kInspector permission scope restricts the current process from opening its own V8 Inspector. However, process._debugProcess(pid) β which sends an OS-level signal (SIGUSR1 on POSIX, a remote thread on Windows) to an external process β is not gated by the kInspector scope or any other Permission Model scope.
249
+
The kInspector permission scope restricts the current process from opening its own V8 Inspector. However,
250
+
process._debugProcess(pid) β which sends an OS-level signal (SIGUSR1 on POSIX, a remote thread on Windows)
251
+
to an external process β is not gated by the kInspector scope or any other Permission Model scope.
250
252
251
-
A sandboxed process running under --permission with no additional grants can call process._debugProcess(pid) to force another Node.js process to open its V8 Inspector. The target process does not need to be running under --permission for this to work β any Node.js process running on the same host under the same OS user can be signaled.
253
+
A sandboxed process running under --permission with no additional grants can call process._debugProcess(pid)
254
+
to force another Node.js process to open its V8 Inspector. The target process does not need to be running
255
+
under --permission for this to work β any Node.js process running on the same host under the same OS user
256
+
can be signaled.
252
257
253
-
This is consistent with the Node.js threat model: Node.js trusts the OS environment in which it runs. Cross-process signaling is an operating-system-level capability; restricting it is the responsibility of the operator (for example, using OS-level process isolation, separate OS users per process, or seccomp/AppArmor profiles on Linux).
258
+
This is consistent with the Node.js threat model: Node.js trusts the OS environment in which it runs.
259
+
Cross-process signaling is an operating-system-level capability; restricting it is the responsibility of
260
+
the operator (for example, using OS-level process isolation, separate OS users per process, or
261
+
seccomp/AppArmor profiles on Linux).
254
262
255
263
Developers relying on --permission to sandbox untrusted code should be aware that:
256
264
257
265
* process._debugProcess() is callable from any sandboxed process with no grants.
258
-
* If a target Node.js process is running on the same host under the same OS user, it can be forced to open its Inspector via this API.
259
-
* To prevent this, run sandboxed and target processes under different OS users, or use OS-level isolation mechanisms outside of Node.js.
266
+
* If a target Node.js process is running on the same host under the same OS user, it can be forced to
267
+
open its Inspector via this API.
268
+
* To prevent this, run sandboxed and target processes under different OS users, or use OS-level isolation
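Review bot: The rendered hunk stops at new line 268 in the middle of the last bullet ("or use OS-level isolation"), while the old line 259 it replaces ends with "mechanisms outside of Node.js."; since the header declares 27 new lines, please confirm new line 269 carries that remainder so the bullet is not truncated by the reflow. Also, for the two bullets that were split across lines (new lines 266-267 and 268-269), make sure the continuation lines are indented two spaces so markdown keeps them inside the list item; indentation is not visible in this rendering. The reflow otherwise changes no wording: the kInspector/process._debugProcess() description, the threat-model paragraph and the operator mitigations (separate OS users, seccomp/AppArmor) read identically before and after.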