[ANN] restricted 1.1 - Restrict possible system operations and filesystem view of your program

Hello,

I would like to announce a new package restricted.

This library lets you limit which system operations and which parts of the filesystem your program can access. Call it as early as possible in your program so that the rest of the code runs with reduced privileges. Currently, actual enforced restrictions are implemented for these operating systems:

  • OpenBSD

Even on other operating systems, you can still use restricted to document which privileges your program needs. Users can then test that your program respects these promises with tools such as pledge on Linux. Enjoy :wink:

This is my first OCaml library so feel free to give feedback.

6 Likes
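An added example (not code from the restricted library or its author) of the lock-down-early pattern the announcement describes, written in C directly against OpenBSD's pledge(2) and unveil(2) since the library's own API is not shown in the thread. The directory path, the promise string and the "enforced vs. documented" return codes are my own choices for illustration.

```c
/* Constructed example: restrict the process as early as possible, then let
 * the rest of the program run with a reduced filesystem view and syscall
 * set. On OpenBSD the restriction is enforced; on any other OS the calls do
 * not exist, so, like the restricted library, this only documents intent. */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>

#define ENFORCED        1
#define DOCUMENTED_ONLY 0

/* Privileges the rest of the program needs: stdio plus read-only file
 * access (pledge promise names as documented in pledge(2)). */
static const char *PROMISES = "stdio rpath";

/* Apply the restriction. Returns ENFORCED on OpenBSD, DOCUMENTED_ONLY on
 * systems without pledge/unveil, and -1 if the kernel refused a call. */
int apply_restrictions(const char *readonly_dir) {
#ifdef __OpenBSD__
    if (unveil(readonly_dir, "r") == -1) return -1; /* only this subtree, read-only */
    if (unveil(NULL, NULL) == -1) return -1;        /* lock the unveil list */
    if (pledge(PROMISES, NULL) == -1) return -1;    /* drop all other syscall groups */
    return ENFORCED;
#else
    fprintf(stderr, "needs: '%s', read-only view of %s (not enforced on this OS)\n",
            PROMISES, readonly_dir);
    return DOCUMENTED_ONLY;
#endif
}

/* Probe helper: 1 if path can be opened for reading, 0 otherwise. */
int can_open(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd == -1) return 0;
    close(fd);
    return 1;
}

int main(void) {
    int mode = apply_restrictions("/usr/share");
    if (mode == -1) { perror("restriction failed"); return 1; }
    /* After the call, /etc is outside the unveiled subtree: on OpenBSD the
     * open fails with ENOENT; elsewhere it still succeeds. */
    printf("mode=%s, /etc/hostname readable: %d\n",
           mode == ENFORCED ? "enforced" : "documented", can_open("/etc/hostname"));
    return 0;
}
```

Anything the program later needs beyond `stdio rpath` (writing, networking, exec) must be listed in `PROMISES` up front, because pledge violations terminate the process rather than returning an error.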

Very interesting.

Note that inspired by EIO, I’ve implemented a static (and recently dynamic) capability system for OCaml that works on all operating systems: xix/lib_core/commons/Cap.mli at master · aryx/xix · GitHub

It’s not yet well documented, and not extracted as a separate OPAM library, but I used it in a few programs (this xix project, but also semgrep), and IMHO it is a great way to restrict statically what your code can do.

1 Like

Looks interesting. If you want to implement the actual restriction, even only restricting the filesystem view, that would be really helpful; feel free to add something: Lettering, the same note for thirty.

This is a cool new direction for OCaml. Calling restricted early to lock down the filesystem and syscalls fits in well with pledge/unveil thinking, especially on OpenBSD. It’s useful even to use it as executable documentation of the privileges that are needed. It would be interesting to see how restricted could work with capability-style APIs (like what Aryx said) in the long run. This would give you static intent and runtime enforcement. This is already a pretty good first library.

Cool! I intend to use this. I’m doing a lot of filesystem access in my OCaml app, and targeting OpenBSD.