github/hansken-extraction-plugin-sdk-documentation
1
0
Fork 0
mirror of https://github.com/NetherlandsForensicInstitute/hansken-extraction-plugin-sdk-documentation.git synced 2026-05-08 11:16:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
hansken-extraction-plugin-s…/0.9.16/dev/concepts/isolation.html
Roel van Dijk 93b020aef4 Update documentation to 0.9.16 (#10) 
Co-authored-by: Roel van Dijk <rdvdijk@users.noreply.github.com>
2026-03-06 09:59:38 +01:00

164 lines
9.2 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Plugin isolation &mdash; Hansken Extraction Plugins for plugin developers 0.9.16
documentation</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=d75fae25" />
<link rel="stylesheet" type="text/css" href="../../_static/css/theme.css?v=e59714d7" />
<link rel="stylesheet" type="text/css" href="../../_static/wider_pages.css?v=32ad70ab" />
<script src="../../_static/jquery.js?v=5d32c60e"></script>
<script src="../../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="../../_static/documentation_options.js?v=433a2a34"></script>
<script src="../../_static/doctools.js?v=9a2dae69"></script>
<script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
<link rel="next" title="Kubernetes, Autoscaling, Resourcemanagement" href="kubernetes_autoscaling.html" />
<link rel="prev" title="Debugging locally with Hansken All in One (AIO)" href="all_in_one_debugging.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../../index.html" class="icon icon-home">
Hansken Extraction Plugins for plugin developers
</a>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../introduction.html">Introduction</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../concepts.html">General concepts</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="extraction_plugins.html">Hansken Extraction Plugins</a></li>
<li class="toctree-l2"><a class="reference internal" href="anatomy_of_a_plugin.html">Anatomy of a plugin</a></li>
<li class="toctree-l2"><a class="reference internal" href="plugin_types.html">Extraction plugin types</a></li>
<li class="toctree-l2"><a class="reference internal" href="plugin_naming_convention.html">Plugin naming convention</a></li>
<li class="toctree-l2"><a class="reference internal" href="traces.html">Traces &amp; Trace model</a></li>
<li class="toctree-l2"><a class="reference internal" href="hql_lite.html">HQL-Lite</a></li>
<li class="toctree-l2"><a class="reference internal" href="data_transformations.html">Data Transformations</a></li>
<li class="toctree-l2"><a class="reference internal" href="test_framework.html">Test framework</a></li>
<li class="toctree-l2"><a class="reference internal" href="all_in_one_debugging.html">Debugging locally with Hansken All in One (AIO)</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Plugin isolation</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#user-isolation">User isolation</a></li>
<li class="toctree-l3"><a class="reference internal" href="#system-calls">System calls</a></li>
<li class="toctree-l3"><a class="reference internal" href="#network-isolation">Network isolation</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="kubernetes_autoscaling.html">Kubernetes, Autoscaling, Resourcemanagement</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../spec.html">Extraction Plugin specifications</a></li>
<li class="toctree-l1"><a class="reference internal" href="../java.html">Java</a></li>
<li class="toctree-l1"><a class="reference internal" href="../python.html">Python</a></li>
<li class="toctree-l1"><a class="reference internal" href="../examples.html">Examples</a></li>
<li class="toctree-l1"><a class="reference internal" href="../faq.html">Frequently Asked Questions</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../contact.html">Contact</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../changes.html">Changelog</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../../index.html">Hansken Extraction Plugins for plugin developers</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="../concepts.html">General concepts</a></li>
<li class="breadcrumb-item active">Plugin isolation</li>
<li class="wy-breadcrumbs-aside">
<a href="../../_sources/dev/concepts/isolation.md.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="plugin-isolation">
<h1>Plugin isolation<a class="headerlink" href="#plugin-isolation" title="Link to this heading"></a></h1>
<p>Extraction plugins allows arbitrary code to be executed during a Hansken extraction. This code is executed inside the
Hansken cluster. Extraction plugins are subjected
to <a class="reference external" href="https://www.sciencedirect.com/science/article/pii/S1742287615000857?via%3Dihub">Hanskens design principles</a>
such as security, privacy and transparency. To ensure that plugins are compliant to these principles, each plugin will
be executed in isolation. This page describes the isolation measures that are in place.</p>
<section id="user-isolation">
<h2>User isolation<a class="headerlink" href="#user-isolation" title="Link to this heading"></a></h2>
<p>The following user restrictions are implied on the plugin:</p>
<ul class="simple">
<li><p>The plugin can not run as <code class="docutils literal notranslate"><span class="pre">root</span></code>.</p></li>
<li><p>Instead, the plugin will run as user <code class="docutils literal notranslate"><span class="pre">1000</span></code></p></li>
<li><p>and with group <code class="docutils literal notranslate"><span class="pre">2000</span></code></p></li>
<li><p>and with fsgroup <code class="docutils literal notranslate"><span class="pre">3000</span></code></p></li>
</ul>
</section>
<section id="system-calls">
<h2>System calls<a class="headerlink" href="#system-calls" title="Link to this heading"></a></h2>
<p>Plugins are only allowed to call a limited set of (Linux) system calls. This ensures that a plugin can be executed in a
secure manner within the Hansken platform.</p>
<p>Hansken uses Kubernetes to run extraction plugins. The Kubernetes <code class="docutils literal notranslate"><span class="pre">RuntimeDefault</span></code> secure computing mode (<code class="docutils literal notranslate"><span class="pre">seccomp</span></code>) is
enabled to provide a sane default of available system calls.</p>
</section>
<section id="network-isolation">
<h2>Network isolation<a class="headerlink" href="#network-isolation" title="Link to this heading"></a></h2>
<p>Plugins are not allowed to communicate over the network.</p>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="all_in_one_debugging.html" class="btn btn-neutral float-left" title="Debugging locally with Hansken All in One (AIO)" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="kubernetes_autoscaling.html" class="btn btn-neutral float-right" title="Kubernetes, Autoscaling, Resourcemanagement" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2020-2026 Netherlands Forensic Institute.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink