Functionality for securing workers.

This is needed because workers are used to compile and execute untrusted code (PVFs).

We currently employ the following security measures:

  • Restrict filesystem
    • Use Landlock to remove all unnecessary FS access rights.
    • Unshare the user and mount namespaces.
    • Change the root directory to a worker-specific temporary directory.
  • Restrict networking by blocking socket creation and io_uring.
  • Remove env vars

Modules

  • Functionality for securing workers by unsharing some namespaces from other processes and changing the root.
  • Functionality for securing the job processes spawned by the workers using clone. If unsupported, falls back to fork.
  • The landlock docs say it best:
  • Functionality for sandboxing workers by restricting their capabilities by blocking certain syscalls with seccomp.

Functions

  • Require env vars to have been removed when spawning the process, to prevent malicious code from accessing them.
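The two sides of the env-var measure described above, as an added example that is not the project's own code: the host spawns the worker with a cleared environment, and the worker refuses to start if anything unexpected is still visible. The names `leaked_env_vars` and `worker_command`, the `/bin/true` program path and the `RUST_LOG` allowlist entry are assumptions made for illustration.

```rust
use std::ffi::OsString;
use std::process::{Command, Stdio};

/// Hypothetical worker-side check: returns the sorted names of env vars that
/// are present but not in `allowed`. An empty Vec means the env was cleared.
/// Only names are returned, so values never end up in logs.
fn leaked_env_vars<I>(vars: I, allowed: &[&str]) -> Vec<String>
where
    I: IntoIterator<Item = (OsString, OsString)>,
{
    let mut leaked: Vec<String> = vars
        .into_iter()
        .map(|(k, _)| k.to_string_lossy().into_owned())
        .filter(|k| !allowed.contains(&k.as_str()))
        .collect();
    leaked.sort();
    leaked
}

/// Hypothetical host-side spawn: build the worker command with an empty
/// environment instead of the inherited one, re-adding only what is
/// passed explicitly in `keep`.
fn worker_command(program: &str, keep: &[(&str, &str)]) -> Command {
    let mut cmd = Command::new(program);
    cmd.env_clear().stdin(Stdio::null());
    for (k, v) in keep {
        cmd.env(k, v);
    }
    cmd
}

fn main() {
    // Worker startup: refuse to run if anything unexpected was inherited.
    let allowed = ["RUST_LOG"]; // assumption: the only variable the worker may see
    let leaked = leaked_env_vars(std::env::vars_os(), &allowed);
    if !leaked.is_empty() {
        eprintln!("refusing to start, env vars not cleared: {leaked:?}");
        std::process::exit(1);
    }
    // Host side: the command a supervisor would spawn (constructed path).
    let _cmd = worker_command("/bin/true", &[("RUST_LOG", "info")]);
}
```

Performing the check inside the worker, rather than trusting the spawner, means a worker started by any other path with an inherited environment fails closed before it handles untrusted code.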