13.6 Security Guards

(security-guard? v) → boolean?
  v : any/c
Returns #t if v is a security guard value as created by make-security-guard, #f otherwise.

A security guard provides a set of access-checking procedures to be called when a thread initiates access of a file, directory, or network connection through a primitive procedure. For example, when a thread calls open-input-file, the thread’s current security guard is consulted to check whether the thread is allowed read access to the file. If access is granted, the thread receives a port that it may use indefinitely, regardless of changes to the security guard (although the port’s custodian could shut down the port; see Custodians).

A thread’s current security guard is determined by the current-security-guard parameter. Every security guard has a parent, and a parent’s access procedures are called whenever a child’s access procedures are called. Thus, a thread cannot increase its own access arbitrarily by installing a new guard. The initial security guard enforces no access restrictions other than those enforced by the host platform.

(make-security-guard parent
                     file-guard
                     network-guard
                     [link-guard]) → security-guard?
  parent : security-guard?
  file-guard : (symbol?
                (or/c path? #f)
                (listof symbol?)
                . -> . any)
  network-guard : (symbol?
                   (or/c (and/c string? immutable?) #f)
                   (or/c (integer-in 1 65535) #f)
                   (or/c 'server 'client)
                   . -> . any)
  link-guard : (or/c (symbol? path? path? . -> . any) #f) = #f
Creates a new security guard as child of parent.

The file-guard procedure must accept three arguments:

The network-guard procedure must accept four arguments:

The link-guard argument can be #f or a procedure of three arguments:

If link-guard is #f, then a default procedure is used that always raises exn:fail.

The return value of file-guard, network-guard, or link-guard is ignored. To deny access, the procedure must raise an exception or otherwise escape from the context of the primitive call. If the procedure returns, the parent’s corresponding procedure is called on the same inputs, and so on up the chain of security guards.

The file-guard, network-guard, and link-guard procedures are invoked in the thread that called the access-checked primitive. Breaks may or may not be enabled (see Breaks). Full continuation jumps are blocked going into or out of the file-guard or network-guard call (see Prompts, Delimited Continuations, and Barriers).

current-security-guard is a parameter that determines the current security guard that controls access to the filesystem and network.
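
A read-only sandbox built from the procedures described above, as an added example that is not part of the Racket reference. The names demo-root, inside, under-root?, sandbox-guard and try are hypothetical, and the 'read and 'exists mode symbols are values Racket passes in file-guard's mode list rather than values listed on this page.

```racket
#lang racket
;; Added example, not from the Racket reference. Hypothetical names:
;; demo-root, inside, under-root?, sandbox-guard, try.

(define demo-root (make-temporary-file "guard-demo~a" 'directory))
(define inside (build-path demo-root "data.txt"))
(display-to-file "hello" inside) ; constructed sample file, written unguarded

;; Syntactic containment test: no filesystem access (so the guard is not
;; re-entered) and no symbolic-link resolution. Relative paths are rejected.
(define (under-root? p)
  (define ps (explode-path (simplify-path p #f)))
  (define rs (explode-path (simplify-path demo-root #f)))
  (and (complete-path? p)
       (>= (length ps) (length rs))
       (equal? (take ps (length rs)) rs)))

;; link-guard is omitted, so the default (always raises exn:fail) applies.
(define sandbox-guard
  (make-security-guard
   (current-security-guard) ; parent: its procedures still run after ours
   ;; file-guard: returning normally defers to the parent; raising denies.
   (lambda (who path modes)
     (unless (and (andmap (lambda (m) (memq m '(read exists))) modes)
                  (or (not path) (under-root? path)))
       (error who "sandbox denies ~a access to ~a" modes path)))
   ;; network-guard: deny every client connection and server listener.
   (lambda (who host port mode)
     (error who "sandbox denies ~a access to ~a:~a" mode host port))))

;; Run thunk under the guard; report 'denied when an exn:fail escapes.
(define (try thunk)
  (parameterize ([current-security-guard sandbox-guard])
    (with-handlers ([exn:fail? (lambda (e) 'denied)])
      (thunk))))

(try (lambda () (file->string inside)))                         ; read under root
(try (lambda () (directory-list (find-system-path 'temp-dir)))) ; read outside root
(try (lambda () (display-to-file "x" (build-path demo-root "new.txt")))) ; write
(try (lambda () (tcp-connect "localhost" 8080)))                ; network client

(delete-directory/files demo-root) ; cleanup, outside the guard
```

Because the check is purely syntactic, a symbolic link that already exists under demo-root and points elsewhere is not caught; resolve links before installing the guard if that matters for your policy.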