You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/ros2_security_contexts.md
+14-7Lines changed: 14 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -231,21 +231,28 @@ For circumstances where users may compose multiple nodes of dissimilar namespace
231
231
For circumstances where the context path is orthogonal to node namespace, the use of fully qualifying all relevant nodes is could be tedious, but could perhaps could still be parametrized via the use of `<var/>`, and `<arg/>` substitution and expansion.
232
232
233
233
234
-
### Multiple contexts per process
234
+
### Modeling permissions of nodes in a process v.s. permission of the middleware ``Participant``
235
235
236
-
Before the use of contexts, multiple nodes composed into a single process where each mapped to a separate participant.
237
-
Each participant subsequently load an security identity and access control credential prevalent to its' respective node.
238
-
The composition of multiple nodes per context however, inevitably means that code compiled to node `foo` could access credentials/permissions only trusted to node `bar`.
236
+
Before the use of contexts, multiple nodes composed into a single process where each mapped to a separate ``Participant``.
237
+
Each ``Participant`` subsequently load a security identity and access control credential prevalent to its' respective node.
238
+
However, all nodes in that process share the same memory space and can thus access data from other nodes.
239
+
There is a mismatch between the middleware credentials/permissions loaded and the resources accessible within the process.
240
+
241
+
By using contexts, all nodes in a context share the same security identity and access control credentials.
242
+
This inevitably means that code compiled to node ``foo`` can access credentials/permissions only trusted to node ``bar``.
239
243
This consequence of composition could unintendedly subvert the minimal spanning policy as architected by the policy designer or measured/generated via ROS 2 tooling/IDL.
240
244
241
245
With the introduction of contexts, it becomes possible to describe the union of access control permission by defining a collection of SROS 2 policy profiles as element within a specific context.
242
246
This would allow for formal analysis tooling [2] to check for potential violations in information flow control given the composing of nodes at runtime.
243
-
However, should multiple contexts be used per process, then such security guaranties are again lost.
247
+
If a process contains a single context, this reconciles the permissions of a ``Participant`` and the ones of the process.
248
+
249
+
However, should multiple contexts be used per process, then such security guaranties are again lost because both contexts will share the same memory space.
244
250
Thus it should be asked whether if multiple contexts per process should even be supported.
245
251
246
-
In summery, the distinction here is that before, the composition of multiple permissions could not be conveyed to the tooling.
252
+
253
+
In summary, the distinction here is that before, the composition of multiple permissions could not be conveyed to the tooling.
247
254
Whether nodes could gain the permission of others in the same process space is not the hinge point of note; it's the fact that such side effects could not be formally modeled or accounted for by the designer.
248
-
Allowing for multiple contexts per process again exacerbates the same modeling inaccuracies
255
+
It will now be possible with contexts, however allowing for multiple contexts per process will reintroduce and exacerbates the same modeling inaccuracies.
0 commit comments