diff --git a/benchmark/permission/permission-fs-deny.js b/benchmark/permission/permission-fs-deny.js deleted file mode 100644 index 29bbeb27dc7c97..00000000000000 --- a/benchmark/permission/permission-fs-deny.js +++ /dev/null @@ -1,19 +0,0 @@ -'use strict'; -const common = require('../common.js'); - -const configs = { - n: [1e5], - concurrent: [1, 10], -}; - -const options = { flags: ['--experimental-permission'] }; - -const bench = common.createBenchmark(main, configs, options); - -async function main(conf) { - bench.start(); - for (let i = 0; i < conf.n; i++) { - process.permission.deny('fs.read', ['/home/example-file-' + i]); - } - bench.end(conf.n); -} diff --git a/benchmark/permission/permission-fs-is-granted.js b/benchmark/permission/permission-fs-read.js similarity index 62% rename from benchmark/permission/permission-fs-is-granted.js rename to benchmark/permission/permission-fs-read.js index 062ba1944578f4..bd81814e55861a 100644 --- a/benchmark/permission/permission-fs-is-granted.js +++ b/benchmark/permission/permission-fs-read.js @@ -1,6 +1,5 @@ 'use strict'; const common = require('../common.js'); -const fs = require('fs/promises'); const path = require('path'); const configs = { @@ -19,22 +18,11 @@ const options = { const bench = common.createBenchmark(main, configs, options); -const recursivelyDenyFiles = async (dir) => { - const files = await fs.readdir(dir, { withFileTypes: true }); - for (const file of files) { - if (file.isDirectory()) { - await recursivelyDenyFiles(path.join(dir, file.name)); - } else if (file.isFile()) { - process.permission.deny('fs.read', [path.join(dir, file.name)]); - } - } -}; - +// This is a naive benchmark and might not demonstrate real-world use cases. +// New benchmarks will be created once the permission model config is available +// through a config file. async function main(conf) { const benchmarkDir = path.join(__dirname, '../..'); - // Get all the benchmark files and deny access to it - await recursivelyDenyFiles(benchmarkDir); - bench.start(); for (let i = 0; i < conf.n; i++) { diff --git a/doc/api/permissions.md b/doc/api/permissions.md index b31d2934b3aad2..90051f18810e73 100644 --- a/doc/api/permissions.md +++ b/doc/api/permissions.md @@ -492,24 +492,7 @@ using the [`--allow-child-process`][] and [`--allow-worker`][] respectively. When enabling the Permission Model through the [`--experimental-permission`][] flag a new property `permission` is added to the `process` object. -This property contains two functions: - -##### `permission.deny(scope [,parameters])` - -API call to deny permissions at runtime ([`permission.deny()`][]) - -```js -process.permission.deny('fs'); // Deny permissions to ALL fs operations - -// Deny permissions to ALL FileSystemWrite operations -process.permission.deny('fs.write'); -// deny FileSystemWrite permissions to the protected-folder -process.permission.deny('fs.write', ['/home/rafaelgss/protected-folder']); -// Deny permissions to ALL FileSystemRead operations -process.permission.deny('fs.read'); -// deny FileSystemRead permissions to the protected-folder -process.permission.deny('fs.read', ['/home/rafaelgss/protected-folder']); -``` +This property contains one function: ##### `permission.has(scope ,parameters)` @@ -519,10 +502,8 @@ API call to check permissions at runtime ([`permission.has()`][]) process.permission.has('fs.write'); // true process.permission.has('fs.write', '/home/rafaelgss/protected-folder'); // true -process.permission.deny('fs.write', '/home/rafaelgss/protected-folder'); - -process.permission.has('fs.write'); // true -process.permission.has('fs.write', '/home/rafaelgss/protected-folder'); // false +process.permission.has('fs.read'); // true +process.permission.has('fs.read', '/home/rafaelgss/protected-folder'); // false ``` #### File System Permissions @@ -560,31 +541,11 @@ There are constraints you need to know before using this system: * Native modules are restricted by default when using the Permission Model. * Relative paths are not supported through the CLI (`--allow-fs-*`). - The runtime API supports relative paths. * The model does not inherit to a child node process. * The model does not inherit to a worker thread. * When creating symlinks the target (first argument) should have read and write access. * Permission changes are not retroactively applied to existing resources. - Consider the following snippet: - ```js - const fs = require('node:fs'); - - // Open a fd - const fd = fs.openSync('./README.md', 'r'); - // Then, deny access to all fs.read operations - process.permission.deny('fs.read'); - // This call will NOT fail and the file will be read - const data = fs.readFileSync(fd); - ``` - -Therefore, when possible, apply the permissions rules before any statement: - -```js -process.permission.deny('fs.read'); -const fd = fs.openSync('./README.md', 'r'); -// Error: Access to this API has been restricted -``` [Security Policy]: https://github.com/nodejs/node/blob/main/SECURITY.md [`--allow-child-process`]: cli.md#--allow-child-process @@ -592,7 +553,6 @@ const fd = fs.openSync('./README.md', 'r'); [`--allow-fs-write`]: cli.md#--allow-fs-write [`--allow-worker`]: cli.md#--allow-worker [`--experimental-permission`]: cli.md#--experimental-permission -[`permission.deny()`]: process.md#processpermissiondenyscope-reference [`permission.has()`]: process.md#processpermissionhasscope-reference [import maps]: https://url.spec.whatwg.org/#relative-url-with-fragment-string [relative-url string]: https://url.spec.whatwg.org/#relative-url-with-fragment-string diff --git a/doc/api/process.md b/doc/api/process.md index e9ef0a972de01c..c429840ad9e9e8 100644 --- a/doc/api/process.md +++ b/doc/api/process.md @@ -2634,34 +2634,6 @@ This API is available through the [`--experimental-permission`][] flag. for the current process. Additional documentation is available in the [Permission Model][]. -### `process.permission.deny(scope[, reference])` - - - -* `scopes` {string} -* `reference` {Array} -* Returns: {boolean} - -Deny permissions at runtime. - -The available scopes are: - -* `fs` - All File System -* `fs.read` - File System read operations -* `fs.write` - File System write operations - -The reference has a meaning based on the provided scope. For example, -the reference when the scope is File System means files and folders. - -```js -// Deny READ operations to the ./README.md file -process.permission.deny('fs.read', ['./README.md']); -// Deny ALL WRITE operations -process.permission.deny('fs.write'); -``` - ### `process.permission.has(scope[, reference])`