Filesystem Policies

These methods exist on the policy.fs object as seen in the following example:

(policy) => {
  policy.fs.disableDefaults();
  policy.fs.allowRead('/tmp/*.txt');
}

These policies affect operations performed on the filesystem, such as when using the fs module. Any third-party modules which interact with the filesystem are subject to these policies as well.

policy.fs.disableDefaults()

Disables the default policies described below.

Intrinsic for Lambda

By default, the only file which can be read is ~/.aws/config. This file is often needed in Lambda situations, such as when you're making use of the aws-sdk module. Use the disableDefaults() method if you would like to disallow this operation.

It's worth mentioning that Lambda only allows an application to write to /tmp/; trying to write anywhere else in the filesystem will result in an error regardless of how you configure Intrinsic. By default Intrinsic does not allow writing to this directory.

policy.fs.allowRead(path)

Allows the application to perform read-related operations on paths which match the specified path glob pattern. Reading includes operations such as reading a file's content, reading the contents of a directory, getting stat information about a file, or even using the file as the source of a symlink.

The following violations occur when a particular path isn't whitelisted for reading:

[INTRINSIC] fs: Can't read from file at /tmp/hello.txt
[INTRINSIC] fs: Can't read contents of directory /tmp/hello
[INTRINSIC] fs: Can't stat file at /tmp/hello.txt

If the operation should be allowed, use allowRead(path) to add it to the whitelist.

This policy will often need to be used when working with filesystem methods such as fs.readFile, fs.stat, fs.rename, fs.symlink, and fs.readdir.

policy.fs.allowWrite(path)

Allows the application to perform write-related operations on paths that match the specified path glob pattern. Writing includes operations such as creating a file, writing content to a file, creating a directory, deleting a file, deleting a directory, changing permissions/ownership, etc.

The following violations occur when a particular path isn't whitelisted for writing:

[INTRINSIC] fs: Can't create file /tmp/test.txt
[INTRINSIC] fs: Can't write to file at /tmp/hello.txt
[INTRINSIC] fs: Can't create directory at /tmp/hello
[INTRINSIC] fs: Can't make temporary directory /tmp/helloXXXXXX
[INTRINSIC] fs: Can't administer file at /tmp/hello.txt
[INTRINSIC] fs: Can't delete file at /tmp/hello.txt

If the operation should be allowed, use allowWrite(path) to add it to the whitelist.

This policy will often need to be used when working with filesystem methods such as fs.writeFile, fs.write, fs.unlink, fs.truncate, fs.rmdir, fs.chmod, fs.chown, fs.mkdir, and fs.symlink.


Advanced Filesystem Policies

These policies are optional and offer fine-grained control over filesystem operations. The above, simpler methods are essentially convenience wrappers for the following methods. These methods exist on the policy.advanced.fs object as seen in the following example:

(policy) => {
  policy.advanced.fs.allowStat('/tmp/uploads/**');
}

policy.advanced.fs.allowStat(path)

This policy is loosely associated with the fs.stat method, though it applies to any situation where the existence of a file is determined. Such situations include fs.access, fs.rename, fs.realpath, etc. Because this policy is used in so many situations, and not necessarily situations where the content of a file needs to actually be read, it is the most likely candidate from the advanced.fs.* collection for being combined with the simpler policy methods. The path argument uses the glob syntax.

This policy is automatically applied when the policy.advanced.fs.allowRead policy is applied, as the ability to read a file always requires that the file can also be stat-ed.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't stat file at /tmp/hello.txt

policy.advanced.fs.allowCreate(path)

This policy allows a file to be created and is loosely associated with the fs.writeFile method, particularly when the file doesn't already exist and will be created. However, it applies in any situation where an attempt to create a file happens, such as using fs.link to create a symlink, or fs.rename to rename a file. The path argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't create file /tmp/test.txt

policy.advanced.fs.allowRead(path)

This policy is loosely associated with the fs.readFile method, though it applies in any situation where an attempt to read the contents of a file happens. The path argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't read from file at /tmp/hello.txt

policy.advanced.fs.allowWrite(path)

This policy is loosely associated with the fs.writeFile method, though it applies in any situation where an attempt to write to a file happens. The path argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't write to file at /tmp/hello.txt

This policy is loosely associated with the fs.unlink method, though it applies to any situation where an attempt to remove a file or directory is made, for example when renaming a file. The path argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't delete file at /tmp/hello.txt

policy.advanced.fs.allowAdmin(path)

This policy is loosely associated with the fs.chmod, fs.chown, and fs.utimes family of methods. It is also applicable in other situations where administrative properties of files need to be adjusted, such as when performing an fs.rename call. The path argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't administer file at /tmp/hello.txt

policy.advanced.fs.allowMkdir(path)

This policy is loosely associated with the fs.mkdir method. It applies in situations where an attempt at creating a directory has been made. The path argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't create directory at /tmp/hello

policy.advanced.fs.allowMkdtmp(template)

This policy is loosely associated with the fs.mkdtemp method. It applies in situations where an attempt at creating a temporary directory has been made. The template argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't make temporary directory /tmp/helloXXXXXX

policy.advanced.fs.allowReaddir(dir)

This policy is loosely associated with the fs.readdir method. It applies in situations where an attempt at reading the contents of a directory has been made. The dir argument uses the glob syntax.

A violation of this policy will look like the following:

[INTRINSIC] fs: Can't read contents of directory /tmp/hello
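
The violation messages above map one-to-one onto policy methods, so a captured log can be turned into a candidate whitelist for review. The following is an added example, not part of Intrinsic or its documentation: suggestPolicies and the sample log are constructed here, and only the message texts and method names come from this page. Because the page does not name the advanced method for delete violations, those fall back to policy.fs.allowWrite, which the page says covers deletion.

```javascript
// Added example: map Intrinsic fs violation lines to the policy call that would allow them.
// Message texts and method names are from this page; everything else is constructed.
const RULES = [
  [/^Can't read from file at (.+)$/, 'policy.advanced.fs.allowRead'],
  [/^Can't read contents of directory (.+)$/, 'policy.advanced.fs.allowReaddir'],
  [/^Can't stat file at (.+)$/, 'policy.advanced.fs.allowStat'],
  [/^Can't create file (.+)$/, 'policy.advanced.fs.allowCreate'],
  [/^Can't write to file at (.+)$/, 'policy.advanced.fs.allowWrite'],
  [/^Can't create directory at (.+)$/, 'policy.advanced.fs.allowMkdir'],
  [/^Can't make temporary directory (.+)$/, 'policy.advanced.fs.allowMkdtmp'],
  [/^Can't administer file at (.+)$/, 'policy.advanced.fs.allowAdmin'],
  // The advanced delete method is not named on the page, so use the simple
  // write policy, which the page says includes deleting files.
  [/^Can't delete file at (.+)$/, 'policy.fs.allowWrite'],
];

function suggestPolicies(logText) {
  const seen = new Set();   // de-duplicated policy calls, in first-seen order
  const unknown = [];       // fs violations with no matching rule
  for (const line of logText.split(/\r?\n/)) {
    const m = /\[INTRINSIC\] fs: (.+?)\s*$/.exec(line);
    if (!m) continue;       // not an fs violation line
    const rule = RULES.find(([re]) => re.test(m[1]));
    if (!rule) { unknown.push(m[1]); continue; }
    const path = rule[0].exec(m[1])[1];
    seen.add(`${rule[1]}(${JSON.stringify(path)});`);
  }
  // advanced.fs.allowRead applies allowStat automatically, so an allowStat
  // suggestion for the same path is redundant.
  const calls = [...seen].filter((c) =>
    !c.startsWith('policy.advanced.fs.allowStat(') ||
    !seen.has(c.replace('allowStat', 'allowRead')));
  return { calls, unknown };
}

// Constructed sample log (timestamps and the non-Intrinsic line are made up).
const SAMPLE_LOG = [
  "2019-01-01T00:00:00Z [INTRINSIC] fs: Can't stat file at /tmp/hello.txt",
  "2019-01-01T00:00:01Z [INTRINSIC] fs: Can't read from file at /tmp/hello.txt",
  "2019-01-01T00:00:02Z [INTRINSIC] fs: Can't read from file at /tmp/hello.txt",
  "2019-01-01T00:00:03Z [INTRINSIC] fs: Can't stat file at /tmp/uploads/a.png",
  "2019-01-01T00:00:04Z [INTRINSIC] fs: Can't delete file at /tmp/hello.txt",
  "2019-01-01T00:00:05Z GET /health 200",
].join('\n');

console.log(suggestPolicies(SAMPLE_LOG).calls.join('\n'));
```

The output lists exact paths rather than globs, so each entry can be reviewed and widened to a pattern deliberately instead of whitelisting a whole directory by default.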