GraalVM allows a host application written in a JVM-based language to execute guest code written in Javascript via the [Polyglot Embedding API](../reference-manual/embedding/embed-languages.md).
13
+
GraalVM allows a host application written in a JVM-based language to execute guest code written in Javascript via the [Polyglot API](../reference-manual/embedding/embed-languages.md).
12
14
Configured with a [sandbox policy](#sandbox-policies), a security boundary between a host application and guest code can be established.
13
15
For example, host code can execute untrusted guest code using the [UNTRUSTED](https://www.graalvm.org/sdk/javadoc/org/graalvm/polyglot/SandboxPolicy.html#UNTRUSTED) policy.
14
16
Host code can also execute multiple mutually distrusting instances of guest code that will be protected from one another.
15
-
Used this way, polyglot sandboxing supports a multi-tenant scenario:
17
+
Used this way, sandboxing supports a multi-tenant scenario:
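Review bot: the rewritten line at +13 keeps the spelling "Javascript"; the form used elsewhere in these docs and in the linked JavaScriptCompatibility page is "JavaScript", so fix the capitalisation while this line is being touched. Dropping "polyglot" from "polyglot sandboxing" at +17 is consistent with the link target remaining polyglot-sandbox.md, so nothing else is needed there.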
Since Polyglot version 23.1, the isolated and untrusted policy also requires isolated images of the languages to be specified on the class or module path.
105
+
Since Polyglot API version 23.1, the isolated and untrusted policy also requires isolated images of the languages to be specified on the class or module path.
104
106
Isolated versions of the languages can be downloaded from Maven using the following dependency:
105
107
106
108
```xml
@@ -112,8 +114,7 @@ Isolated versions of the languages can be downloaded from Maven using the follow
112
114
</dependency>
113
115
```
114
116
115
-
The [embedding guide](../reference-manual/embed-languages/#polyglot-isolates) contains more details on using polyglot isolate dependencies.
116
-
117
+
The [Embedding Languages guide](../reference-manual/embed-languages/#polyglot-isolates) contains more details on using polyglot isolate dependencies.
117
118
118
119
### Untrusted Policy
119
120
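Review bot: the link at +117 points to `../reference-manual/embed-languages/#polyglot-isolates`, while the same guide is linked at +13 as `../reference-manual/embedding/embed-languages.md`; both paths cannot resolve in one docs tree, so pick the correct one and use it in both places. Also, the sentence at +105, "the isolated and untrusted policy also requires", names two separate sandbox policies and should read "the ISOLATED and UNTRUSTED policies also require isolated images of the languages".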
@@ -162,7 +163,7 @@ Therefore the sandboxing policies already restrict host access in the CONSTRAINE
162
163
`HostAccess.CONSTRAINED` is the predefined host access policy for the CONSTRAINED sandbox policy.
163
164
To expose a host class method, it has to be annotated with `@HostAccess.Export`.
164
165
This annotation is not inherited.
165
-
Service providers such as [polyglot file system](https://www.graalvm.org/sdk/javadoc/index.html?org/graalvm/polyglot/io/FileSystem.html) implementations or output stream recipients for standard output and error stream redirections are exposed to guest code invocations.
166
+
Service providers such as [Polyglot API FileSystem](https://www.graalvm.org/sdk/javadoc/org/graalvm/polyglot/io/FileSystem.html) implementations or output stream recipients for standard output and error stream redirections are exposed to guest code invocations.
166
167
167
168
Guest code can also implement a Java interface that has been annotated with `@Implementable`.
168
169
Host code using such an interface directly interacts with guest code.
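Review bot: `@Implementable` at 167 is left unqualified while `@HostAccess.Export` three lines earlier is qualified; since this hunk already revises the FileSystem link at +166, write `@HostAccess.Implementable` so readers can locate the annotation. Replacing the `index.html?org/...` frame URL with the direct Javadoc URL is an improvement and matches the UNTRUSTED link used earlier in the file.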
@@ -483,7 +484,7 @@ A speculative execution barrier is placed at each target of a conditional branch
483
484
484
485
## Sharing Execution Engines
485
486
486
-
Guest code of different trust domains has to be separated at the Polylgot engine level, that is, only guest code of the same trust domain should share an engine.
487
+
Guest code of different trust domains has to be separated at the polyglot engine level, that is, only guest code of the same trust domain should share an engine.
487
488
When multiple context share an engine, all of them must have the same sandbox policy (the engine's sandbox policy).
488
489
Application developers may choose to share execution engines among execution contexts for performance reasons.
489
490
While the context holds the state of the executed code, the engine holds the code itself.
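Review bot: the context line at 488, "When multiple context share an engine", needs the plural "contexts"; since this hunk already fixes "Polylgot" at +487, fold that correction in. This sentence states the rule that all contexts on one engine must share the engine's sandbox policy, so its wording should be clean.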
Polyglot sandboxing is not available in GraalVM Community Edition.
498
+
Sandboxing is not available in GraalVM Community Edition.
498
499
499
500
Depending on the sandboxing policy, only a subset of Truffle languages, instruments, and options are available.
500
501
In particular, sandboxing is currently only supported for the runtime's [default version](https://github.com/oracle/graaljs/blob/master/docs/user/JavaScriptCompatibility.md) of ECMAScript (ECMAScript 2022).
501
502
Sandboxing is also not supported from within GraalVM's Node.js.
502
503
503
-
Polyglot sandboxing is not compatible with modifications to the VM setup via (for example) system properties that change the behavior of the VM.
504
+
Sandboxing is not compatible with modifications to the VM setup via (for example) system properties that change the behavior of the VM.
504
505
505
506
The sandboxing policy is subject to incompatible changes across major GraalVM releases to maintain a secure-by-default posture.
506
507
507
-
Polyglot sandboxing cannot protect against vulnerabilities in its operating environment, such as vulnerabilities in the operating system or the underlying hardware.
508
+
Sandboxing cannot protect against vulnerabilities in its operating environment, such as vulnerabilities in the operating system or the underlying hardware.
508
509
We recommend to adopt the appropriate external isolation primitives to protect against corresponding risks.
509
510
510
511
## Differentiation with Java Security Manager
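Review bot: "We recommend to adopt the appropriate external isolation primitives" at 509 should read "We recommend adopting"; this hunk already rewrites the sentence immediately before it at +508, so include the fix. The three renames from "Polyglot sandboxing" to "Sandboxing" here are consistent with the rest of the commit.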
@@ -531,5 +532,5 @@ We ask that you do not contact project contributors directly or through other ch
531
532
532
533
### Related Documentation
533
534
534
-
-[Polyglot Sandboxing](polyglot-sandbox.md)
535
+
-[Security Guide](security-guide.md)
535
536
-[Security Considerations in Native Image](native-image.md)
docs/security/security-guide.md
9 additions & 9 deletions
@@ -9,7 +9,7 @@ redirect_from:
9
9
10
10
# Security Guide
11
11
12
-
This security guide provides developers and embedders with information on the security model and features of GraalVM for developers and embedders who seek to build a secure application on top of it.
12
+
This security guide provides information on the security model and features of GraalVM for developers and embedders who seek to build a secure application on top of it.
13
13
It assumes that readers are familiar with the GraalVM architecture.
14
14
This guide does not replace but rather supplements the Java security documentation such as the [Secure Coding Guidelines for Java SE](https://www.oracle.com/java/technologies/javase/seccodeguide.html) with aspects unique to GraalVM.
15
15
@@ -25,20 +25,20 @@ They may further open network sockets to allow debug clients to connect.
25
25
26
26
Experimental features in GraalVM are not for production use and may have security limitations not covered in the Security Guide.
27
27
28
-
GraalVM enables execution of untrusted code in an appropriately configured polyglot execution context (see [Polyglot Sandboxing](polyglot-sandbox.md)).
28
+
GraalVM enables execution of untrusted code in an appropriately configured polyglot execution context (see [Sandboxing](polyglot-sandbox.md)).
29
29
30
30
We appreciate reports of bugs that break the security model via the process
31
31
outlined in the [Reporting Vulnerabilities guide](https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html).
32
32
33
-
## Polyglot Languages
33
+
## Graal Languages
34
34
35
-
For every Polyglot language shipped with GraalVM, a launcher, for example, an interactive shell, is provided.
35
+
Every language runtime, generally available with a GraalVM release, provides a launcher, for example, an interactive shell.
36
36
These launchers behave in the same way and come with the same security guarantees as their "original" counterparts.
37
37
38
-
### Polyglot Sandboxing
38
+
### Sandboxing
39
39
40
-
Polyglot sandboxing can establish a security boundary between privileged host code and unprivileged guest code.
41
-
For further information please refer to the [Polyglot Sandboxing guide](polyglot-sandbox.md).
40
+
Sandboxing can establish a security boundary between privileged host code and unprivileged guest code, facilitated through the [Polyglot API](https://www.graalvm.org/sdk/javadoc/org/graalvm/polyglot/package-summary.html).
41
+
For further information please refer to the [Sandboxing documentation](polyglot-sandbox.md).
42
42
43
43
### ScriptEngine Compatibility
44
44
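Review bot: the new sentence at +35, "Every language runtime, generally available with a GraalVM release, provides a launcher", reads with the commas as a claim that every runtime is generally available, which sits oddly next to the context line at 27 that experimental features are not for production use; if the intent is to restrict the statement to GA runtimes, write "Every generally available language runtime provides a launcher, for example, an interactive shell." The heading rename from "Polyglot Languages" to "Graal Languages" at +33 also changes the section anchor, so any links to the old anchor should be checked.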
@@ -74,13 +74,13 @@ GraalVM does not support untrusted code execution in Java.
74
74
75
75
## GraalVM Community Edition Downgrade
76
76
77
-
Polyglot sandboxing is not available in GraalVM Community Edition.
77
+
Sandboxing is not available in GraalVM Community Edition.
78
78
Managed execution of native code is not available with GraalVM Community Edition.
79
79
80
80
When downgrading to GraalVM Community Edition, native code execution is only possible with the `allowNativeAccess` privilege.
81
81
This also applies to languages implemented with Truffle that allow for native code extensions, such as Python and Ruby.
82
82
83
83
### Related Documentation
84
84
85
-
-[Polyglot Sandboxing](polyglot-sandbox.md)
85
+
-[Sandboxing](polyglot-sandbox.md)
86
86
-[Security Considerations in Native Image](native-image.md)
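Review bot: after the change at +77 the two adjacent sentences read "not available in GraalVM Community Edition" and "not available with GraalVM Community Edition" (78); since the first is being edited, align the second to "in". The renamed list entry at +85, "Sandboxing", matches the heading rename earlier in this file.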