Security
MzScheme offers several mechanisms for managing security:
-
Custodians (section 9.2) manage resource allocation.
-
Security guards (section 9.1) control access to the filesystem and network.
-
Inspectors (section 4.6) control access to the content of otherwise opaque structures.
-
Namespaces (section 8) control access to Scheme bindings.
All security mechanisms rely on thread-specific parameters (see section 7.4).
9.1 Security Guards
A security guard provides a set of access-checking
procedures to be called when a thread initiates access of a file,
directory, or network connection through a primitive procedure. For
example, when a thread calls open-input-file
A thread's current security guard is determined by the
current-security-guard parameter (see
section 7.4.1.8). Every security guard has a
parent, and a parent's access procedures are called whenever a
child's access procedures are called. Thus, a thread cannot increase
its own access arbitrarily by installing a new guard. The initial
security guard enforces no access restrictions other than those
enforced by the host platform.
(make-security-guard parent-security-guard file-proc network-proc)
creates a new security guard whose parent is
parent-security-guard.
The file-proc procedure must accept three arguments:
-
a symbol for the primitive procedure that triggered the access check, which is useful for raising an exception to deny access.
-
an immutable string representing a pathname, or
#fto check access for pathless queries, such as(,current-directory)(, andfilesystem-root-list)(. A path string provided tofind-system-path...)file-procis not processed at all before checking access; it may be a relative path, and it may be ill-formed. -
an immutable list containing one or more of the following symbols:
-
'read-- read a file or directory -
'write-- modify or create a file or directory -
-
'delete-- delete a file or directory -
'exists-- determine whether a file or directory exists, or that a path string is well-formed
The
'existssymbol is never combined with other symbols in the last argument tofile-proc, but any other combination is possible. When the second argument tofile-procis#f, the last argument always contains only''exists. -
The network-proc procedure must accept four arguments:
-
a symbol for the primitive operation that triggered the access check, which is useful for raising an exception to deny access.
-
an immutable string representing the target hostname for a client connection, the accepting hostname for a listening server, or
#ffor a listening server that accepts connections at all of the host's address. -
an exact integer between
1and65535(inclusive) representing the port number. In the case of a client connection, the port number is the target port on the server. For a listening server, the port number is the local port number. -
a symbol, either
'clientor'server, indicating whether the check is for the creation of a client connection or a listening server.
The return value of file-proc or network-proc is
ignored. To deny access, the procedure must raise an exception or
otherwise escape from the context of the primitive call. If the
procedure returns, the parent's corresponding procedure is called on
the same inputs, and so on up the chain of security guards.
The file-proc and network-proc procedures are invoked in
the thread that called the access-checked primitive. Breaks may or
may not be enabled (see section 6.6). Full continuation
jumps are blocked going into or out of the file-proc or
network-proc call (see section 6.3).
(security-guard? v) returns #t if v is a
security guard value, #f otherwise.
9.2 Custodians
A custodian manages a collection of threads, file-stream
ports, subprocess ports, TCP ports, and TCP listeners.14 Whenever a thread,
file-stream port, process port, TCP port, or TCP listener is created,
it is placed under the management of the current custodian (as
determined by the current-custodian parameter; see
section 7.4.1.8).
The only operation on a custodian is to shut down all of its managed
values via custodian-shutdown-allcustodian-shutdown-allkill-thread
The values managed by a custodian are only weakly held by the custodian. As a result, a will (see section 13.2) can be executed for a value that is managed by a custodian.
(make-custodian [custodian]) creates a new custodian that is
subordinate to the custodian custodian. When custodian is
directed (via custodian-shutdown-allcustodian is the current custodian.
(custodian-shutdown-all custodian) kills all running threads,
closes all open ports, and closes all active TCP listeners that are
managed by the custodian custodian. If custodian manages
the current thread, the custodian shuts down all other objects before
killing the current thread.
(custodian? v) returns #t if v is a custodian value,
#f otherwise.
(custodian-require-memory need-k thunk) registers a require check
if MzScheme is compiled with support for memory accounting, otherwise
the exn:misc:unsupported exception is raised. If a check is registered, and if
MzScheme later reaches a state after garbage collection (see
section 13.3) where need-k bytes are not
available to the current custodian, thunk is invoked.
(custodian-limit-memory custodian limit-k thunk) registers a
limit check if MzScheme is compiled with support for memory
accounting, otherwise the exn:misc:unsupported exception is raised. If a check
is registered, and if MzScheme later reaches a state after garbage
collection (see section 13.3) where custodian
owns more than limit-k bytes, then thunk is invoked.
14 In MrEd, custodians also manage eventspaces.