
bootstrap: add --sandbox bootstrap argument #153

Open
@yorkie

Description

@yorkie

What's the sandbox?

ShadowNode should be able to run a script in sandbox mode, which means the modules the script can access should be restricted. Within this feature, every defined application could run in a safe environment for the host.

Permissions

A sandbox should own the following permissions:

  • --allow-fs the script can use file system.
  • --allow-net the script can use networking API.
  • --allow-tls the script can use TLS API.
  • --allow-fork the script can use Child Process API to fork/exec sub-processes.
  • --allow-global-module the script can load global modules.
  • native modules (.node) are always disabled.

By default, if it starts with iotjs --sandbox, the above permissions are not enabled. To enable one or more of them, you should append the params before the script, as below:

$ iotjs --sandbox --allow-fs ./fs-script.js

/cc @legendecas @algebrait @lolBig
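The flag model proposed above, as an added example that is not ShadowNode's own code: a hypothetical parser for the `--sandbox` and `--allow-*` arguments and a deny-by-default check a loader could apply to `require()`. The mapping of core modules to permissions and the list of permission-free builtins are assumptions, not part of the proposal.

```javascript
// Hypothetical illustration of the proposed permission model (not ShadowNode's code).
// Assumed mapping of sensitive core modules to the --allow-* flag that unlocks them.
const MODULE_PERMISSIONS = {
  fs: 'fs',
  net: 'net', http: 'net', dgram: 'net',
  tls: 'tls', https: 'tls',
  child_process: 'fork',
};
// Assumed: builtins with no I/O capability need no flag inside the sandbox.
const SAFE_BUILTINS = new Set(['path', 'util', 'events', 'buffer', 'assert']);
const KNOWN_FLAGS = new Set(['fs', 'net', 'tls', 'fork', 'global-module']);

// Parse argv such as ['--sandbox', '--allow-fs', './fs-script.js'].
// Flags before the script path configure the sandbox; everything after it
// belongs to the script (so the script cannot grant itself permissions).
function parseSandboxArgs(argv) {
  const policy = { sandbox: false, allow: new Set(), script: null, scriptArgs: [] };
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === '--sandbox') { policy.sandbox = true; continue; }
    if (arg.startsWith('--allow-')) {
      const perm = arg.slice('--allow-'.length);
      if (!KNOWN_FLAGS.has(perm)) throw new Error(`unknown permission flag: ${arg}`);
      policy.allow.add(perm);
      continue;
    }
    policy.script = arg;
    policy.scriptArgs = argv.slice(i + 1);
    break;
  }
  if (!policy.sandbox && policy.allow.size > 0) {
    throw new Error('--allow-* flags only make sense together with --sandbox');
  }
  return policy;
}

// Decide whether require(name) is permitted under the policy. Deny by default:
// anything not explicitly unlocked is refused.
function canRequire(policy, name) {
  if (!policy.sandbox) return true;                        // no sandbox: unrestricted
  if (name.endsWith('.node')) return false;                // native addons always disabled
  if (name.startsWith('./') || name.startsWith('../')) return true; // the app's own files
  if (SAFE_BUILTINS.has(name)) return true;
  if (name in MODULE_PERMISSIONS) return policy.allow.has(MODULE_PERMISSIONS[name]);
  return policy.allow.has('global-module');                // everything else is a global module
}
```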
