Process Policies

These methods exist on the policy.process object as seen in the following example:

(policy) => {
  policy.process.allowCpuUsage();
  policy.process.allowKill();
}

These policies control which process methods the application is allowed to call. These methods have widespread security implications: some can be used as an inter-sandbox communication side-channel, and others have administrative-like capabilities. Most applications will not require the use of these methods.

policy.process.allowCpuUsage()

This allows the application to call process.cpuUsage(). This method is disabled by default due to its ability to be used as a side-channel.

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.cpuUsage not in process whitelist

policy.process.allowMemoryUsage()

This allows the application to call process.memoryUsage(). This method is disabled by default due to its ability to be used as a side-channel.

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.memoryUsage not in process whitelist

policy.process.allowChdir()

This allows the application to call process.chdir().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.chdir not in process whitelist

policy.process.allowKill()

This allows the application to call process.kill(). This method is disabled by default due to its ability to be used as a side-channel.

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.kill not in process whitelist

policy.process.allowGetegid()

This allows the application to call process.getegid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.getegid not in process whitelist

policy.process.allowSetegid()

This allows the application to call process.setegid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.setegid not in process whitelist

policy.process.allowGeteuid()

This allows the application to call process.geteuid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.geteuid not in process whitelist

policy.process.allowSeteuid()

This allows the application to call process.seteuid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.seteuid not in process whitelist

policy.process.allowGetgid()

This allows the application to call process.getgid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.getgid not in process whitelist

policy.process.allowSetgid()

This allows the application to call process.setgid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.setgid not in process whitelist

policy.process.allowGetgroups()

This allows the application to call process.getgroups().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.getgroups not in process whitelist

policy.process.allowSetgroups()

This allows the application to call process.setgroups().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.setgroups not in process whitelist

policy.process.allowGetuid()

This allows the application to call process.getuid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.getuid not in process whitelist

policy.process.allowSetuid()

This allows the application to call process.setuid().

This policy is required if you see the following violation in your logs:

[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"
  | process.setuid not in process whitelist
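
The following is an added example, not part of Intrinsic or of the original page: a small Node.js script that reads monitor-mode logs in the two-line format shown above, works out which policy.process methods the violations call for, and marks the ones this page describes as side-channels so they are reviewed rather than enabled blindly. The function names, the sample log, and the treatment of sb as a per-sandbox identifier are assumptions.

```javascript
// Added example, not Intrinsic code; helper names are hypothetical.
// Process methods whose allow* policies are documented on this page.
const DOCUMENTED = ['cpuUsage', 'memoryUsage', 'chdir', 'kill', 'getegid', 'setegid',
  'geteuid', 'seteuid', 'getgid', 'setgid', 'getgroups', 'setgroups', 'getuid', 'setuid'];
// Methods the page says are disabled by default as possible side-channels.
const SIDE_CHANNEL = new Set(['cpuUsage', 'memoryUsage', 'kill']);
const HEADER = /ProcessPolicyViolation: POLICY_VIOLATION sb: "([^"]*)"/;
const DETAIL = /^\s*\|\s*process\.(\w+) not in process whitelist\s*$/;
// process.cpuUsage -> allowCpuUsage, following the naming used on this page.
const policyName = (m) => 'allow' + m[0].toUpperCase() + m.slice(1);

// Returns { needed: Map(method -> Set of sb values), unknown: [methods not documented here] }.
function triageViolations(logText) {
  const needed = new Map();
  const unknown = new Set();
  let sb = null; // sb value of the header line just seen, if any
  for (const line of logText.split(/\r?\n/)) {
    const h = HEADER.exec(line);
    if (h) { sb = h[1]; continue; }
    const d = DETAIL.exec(line);
    if (d && sb !== null) {
      if (!DOCUMENTED.includes(d[1])) unknown.add(d[1]);
      else {
        if (!needed.has(d[1])) needed.set(d[1], new Set());
        needed.get(d[1]).add(sb);
      }
    }
    sb = null; // a detail line only counts directly after its header
  }
  return { needed, unknown: [...unknown] };
}

// Emits a policy function in the shape shown at the top of this page.
function renderPolicy(needed) {
  const calls = [...needed.keys()].sort().map((m) =>
    `  policy.process.${policyName(m)}();` +
    (SIDE_CHANNEL.has(m) ? ' // side-channel per docs: review before allowing' : ''));
  return ['(policy) => {', ...calls, '}'].join('\n');
}

// Constructed sample log (not real output); the middle line is unrelated filler.
const SAMPLE_LOG = [
  '[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "0"',
  '  | process.cpuUsage not in process whitelist',
  'GET /health 200',
  '[INTRINSIC (MONITOR)] ProcessPolicyViolation: POLICY_VIOLATION sb: "1"',
  '  | process.chdir not in process whitelist',
].join('\n');
console.log(renderPolicy(triageViolations(SAMPLE_LOG).needed));
```

Methods returned in unknown are not covered by this page and are deliberately left out of the generated policy.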