Child Process Policies

These methods exist on the policy.childProcess object as seen in the following example:

(policy) => {
  policy.childProcess.allowSpawningPath('/usr/bin/motd');
}

These policies affect the spawning of child processes, such as when using the child_process module (spawn(), exec(), etc.). Any third-party modules relying on this module will also be subject to these policies.

Note: Processes spawned as a child of your Node.js process will not have policies applied to them, regardless of whether the spawned process is another Node.js process or an external binary. As an example, if your application policies are configured to not allow writing to the filesystem, but are configured to allow running the /bin/rm command, then the /bin/rm command can be used to remove files from the filesystem.

policy.childProcess.allowSpawningPath(path)

Allows the executable located at path to be spawned by the built-in child_process module. Note that path is required to be specified as an absolute path, in order to avoid the policy relying on the $PATH environment variable. Also note that the glob syntax is not supported with the path argument.

This policy is required if you see the following violation in your logs:

ChildProcessPolicyViolation: POLICY_VIOLATION sb: "fallback"
  | command: "/usr/bin/cal" not found in ChildProcessPolicy whitelist
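
The following added example (not part of the original documentation or the product's own code) vets a list of executables against the rules described above before passing them to allowSpawningPath(): absolute paths only, no glob syntax, and a warning for binaries that would let an unsandboxed child act outside the parent's policies. The helper names vetSpawnPaths and makePolicy, the RISKY_BASENAMES list and the sample paths are assumptions made for illustration.

```javascript
// Added example, not the product's code. Only allowSpawningPath() is from the page.
// Children run outside the policies, so these basenames deserve a second look.
// Illustrative list, not exhaustive (assumption).
const RISKY_BASENAMES = new Set([
  'sh', 'bash', 'dash', 'zsh', 'env', 'node', 'python3', 'perl',
  'rm', 'mv', 'cp', 'dd', 'chmod',
]);

// Hypothetical helper: sorts candidate paths into allowed / rejected / warnings.
function vetSpawnPaths(paths) {
  const result = { allowed: [], rejected: [], warnings: [] };
  for (const p of paths) {
    // Relative names would make the policy depend on $PATH.
    if (typeof p !== 'string' || !p.startsWith('/')) {
      result.rejected.push({ path: p, reason: 'not an absolute path' });
      continue;
    }
    // Glob syntax is not supported by the path argument.
    if (/[*?[\]{}]/.test(p)) {
      result.rejected.push({ path: p, reason: 'glob syntax not supported' });
      continue;
    }
    const base = p.slice(p.lastIndexOf('/') + 1);
    if (RISKY_BASENAMES.has(base)) {
      result.warnings.push({ path: p, reason: 'child can act outside the policies' });
    }
    result.allowed.push(p);
  }
  return result;
}

// Hypothetical wrapper: builds a policy function in the shape shown on this page.
function makePolicy(paths) {
  const vetted = vetSpawnPaths(paths);
  if (vetted.rejected.length > 0) {
    throw new Error('invalid spawn paths: ' + JSON.stringify(vetted.rejected));
  }
  return (policy) => {
    for (const p of vetted.allowed) policy.childProcess.allowSpawningPath(p);
  };
}

// Constructed sample input.
const SAMPLE_PATHS = ['/usr/bin/motd', 'cal', '/usr/bin/*', '/bin/rm'];
console.log(vetSpawnPaths(SAMPLE_PATHS));
```

Paths listed under warnings are still allowed; they are surfaced so that each one can be reviewed before the policy ships.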