Diffstat (limited to 'runtime/ops')
-rw-r--r--runtime/ops/permissions.rs7
-rw-r--r--runtime/ops/process.rs10
-rw-r--r--runtime/ops/worker_host.rs43
3 files changed, 46 insertions, 14 deletions
diff --git a/runtime/ops/permissions.rs b/runtime/ops/permissions.rs
index be8c9974c..77d095d84 100644
--- a/runtime/ops/permissions.rs
+++ b/runtime/ops/permissions.rs
@@ -21,6 +21,7 @@ pub struct PermissionArgs {
name: String,
path: Option<String>,
host: Option<String>,
+ command: Option<String>,
}
pub fn op_query_permission(
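Review bot: The new `command: Option<String>` field on `PermissionArgs` has no doc comment, and the three `"run"` arms that consume it (query, revoke and request in the following hunks) pass `None` through when the caller omits it. What `None` means to `run.query`/`run.revoke`/`run.request` is defined outside this diff. A field comment such as `/// Command name for the "run" permission; None addresses the permission as a whole. Ignored for other names.` would make that contract visible, assuming it matches the implementation. It matters most for revoke, where a caller may expect to drop a single command and nothing more.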
@@ -41,7 +42,7 @@ pub fn op_query_permission(
.as_ref(),
),
"env" => permissions.env.query(),
- "run" => permissions.run.query(),
+ "run" => permissions.run.query(args.command.as_deref()),
"plugin" => permissions.plugin.query(),
"hrtime" => permissions.hrtime.query(),
n => {
@@ -72,7 +73,7 @@ pub fn op_revoke_permission(
.as_ref(),
),
"env" => permissions.env.revoke(),
- "run" => permissions.run.revoke(),
+ "run" => permissions.run.revoke(args.command.as_deref()),
"plugin" => permissions.plugin.revoke(),
"hrtime" => permissions.hrtime.revoke(),
n => {
@@ -103,7 +104,7 @@ pub fn op_request_permission(
.as_ref(),
),
"env" => permissions.env.request(),
- "run" => permissions.run.request(),
+ "run" => permissions.run.request(args.command.as_deref()),
"plugin" => permissions.plugin.request(),
"hrtime" => permissions.hrtime.request(),
n => {
diff --git a/runtime/ops/process.rs b/runtime/ops/process.rs
index c2ca2c687..625bc204c 100644
--- a/runtime/ops/process.rs
+++ b/runtime/ops/process.rs
@@ -96,9 +96,8 @@ fn op_run(
run_args: RunArgs,
_zero_copy: Option<ZeroCopyBuf>,
) -> Result<RunInfo, AnyError> {
- state.borrow::<Permissions>().run.check()?;
-
let args = run_args.cmd;
+ state.borrow::<Permissions>().run.check(&args[0])?;
let env = run_args.env;
let cwd = run_args.cwd;
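Review bot: `args[0]` in the added `run.check(&args[0])?` indexes `run_args.cmd` with no length check, so an empty `cmd` array panics inside the op instead of returning an error; using `args.get(0)` and mapping the `None` case to an `AnyError` before the check avoids that. The check also matches the command string exactly as supplied, while `env` and `cwd` on the next two lines are caller-controlled, so which executable that name resolves to at spawn time is not pinned by the allowlist entry. If an entry is meant to identify one specific binary, resolve to an absolute path before checking, or document the name-only semantics. With the check dropped from op_run_status in the next hunk, this call is the only permission gate on the child's resource id. op_run's body continues past the hunk.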
@@ -198,11 +197,6 @@ async fn op_run_status(
rid: ResourceId,
_zero_copy: Option<ZeroCopyBuf>,
) -> Result<RunStatus, AnyError> {
- {
- let s = state.borrow();
- s.borrow::<Permissions>().run.check()?;
- }
-
let resource = state
.borrow_mut()
.resource_table
@@ -292,7 +286,7 @@ fn op_kill(
_zero_copy: Option<ZeroCopyBuf>,
) -> Result<(), AnyError> {
super::check_unstable(state, "Deno.kill");
- state.borrow::<Permissions>().run.check()?;
+ state.borrow::<Permissions>().run.check_all()?;
kill(args.pid, args.signo)?;
Ok(())
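Review bot: The switch to `run.check_all()` ahead of `kill(args.pid, args.signo)` carries no comment explaining why a per-command grant is insufficient here. A line such as `// kill targets an arbitrary pid rather than a named command, so require unrestricted run permission` above the check would record the intent and discourage a later "simplification" back to a scoped check. The function's signature start and closing brace are outside the hunk.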
diff --git a/runtime/ops/worker_host.rs b/runtime/ops/worker_host.rs
index d8e60171e..2f297fb08 100644
--- a/runtime/ops/worker_host.rs
+++ b/runtime/ops/worker_host.rs
@@ -5,6 +5,7 @@ use crate::permissions::NetDescriptor;
use crate::permissions::PermissionState;
use crate::permissions::Permissions;
use crate::permissions::ReadDescriptor;
+use crate::permissions::RunDescriptor;
use crate::permissions::UnaryPermission;
use crate::permissions::UnitPermission;
use crate::permissions::WriteDescriptor;
@@ -189,6 +190,26 @@ fn merge_write_permission(
Ok(main)
}
+fn merge_run_permission(
+ mut main: UnaryPermission<RunDescriptor>,
+ worker: Option<UnaryPermission<RunDescriptor>>,
+) -> Result<UnaryPermission<RunDescriptor>, AnyError> {
+ if let Some(worker) = worker {
+ if (worker.global_state < main.global_state)
+ || !worker.granted_list.iter().all(|x| main.check(&x.0).is_ok())
+ {
+ return Err(custom_error(
+ "PermissionDenied",
+ "Can't escalate parent thread permissions",
+ ));
+ } else {
+ main.global_state = worker.global_state;
+ main.granted_list = worker.granted_list;
+ }
+ }
+ Ok(main)
+}
+
fn create_worker_permissions(
main_perms: Permissions,
worker_perms: PermissionsArg,
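Review bot: The escalation test `worker.global_state < main.global_state` in merge_run_permission is only correct if `PermissionState` orders its variants from most to least privileged, and that ordering is defined outside this hunk. A doc comment on the function stating that invariant, and that every worker `granted_list` entry must pass `main.check`, would keep a later reordering of the enum from silently weakening the guard. The `else` after the early `return Err(...)` is redundant and can be flattened. A unit test where the parent holds a scoped grant and the worker asks for the global one would pin the denial path.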
@@ -199,7 +220,7 @@ fn create_worker_permissions(
net: merge_net_permission(main_perms.net, worker_perms.net)?,
plugin: merge_boolean_permission(main_perms.plugin, worker_perms.plugin)?,
read: merge_read_permission(main_perms.read, worker_perms.read)?,
- run: merge_boolean_permission(main_perms.run, worker_perms.run)?,
+ run: merge_run_permission(main_perms.run, worker_perms.run)?,
write: merge_write_permission(main_perms.write, worker_perms.write)?,
})
}
@@ -216,8 +237,8 @@ struct PermissionsArg {
plugin: Option<PermissionState>,
#[serde(default, deserialize_with = "as_unary_read_permission")]
read: Option<UnaryPermission<ReadDescriptor>>,
- #[serde(default, deserialize_with = "as_permission_state")]
- run: Option<PermissionState>,
+ #[serde(default, deserialize_with = "as_unary_run_permission")]
+ run: Option<UnaryPermission<RunDescriptor>>,
#[serde(default, deserialize_with = "as_unary_write_permission")]
write: Option<UnaryPermission<WriteDescriptor>>,
}
@@ -349,6 +370,22 @@ where
}))
}
+fn as_unary_run_permission<'de, D>(
+ deserializer: D,
+) -> Result<Option<UnaryPermission<RunDescriptor>>, D::Error>
+where
+ D: Deserializer<'de>,
+{
+ let value: UnaryPermissionBase =
+ deserializer.deserialize_any(ParseBooleanOrStringVec)?;
+
+ Ok(Some(UnaryPermission::<RunDescriptor> {
+ global_state: value.global_state,
+ granted_list: value.paths.into_iter().map(RunDescriptor).collect(),
+ ..Default::default()
+ }))
+}
+
#[derive(Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct CreateWorkerArgs {
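Review bot: as_unary_run_permission copies each string from `value.paths` verbatim into a `RunDescriptor`, so worker entries are later compared exactly as written. Whether the parent's `check` sees the same form (bare name versus path) is not visible here and is worth a comment or test, since a mismatch would either wrongly deny or wrongly accept a worker grant. The field name `paths` is also misleading for command names; a short note like `// UnaryPermissionBase.paths holds command names here` would help. The function always returns `Some`, so the "not specified" case relies entirely on `#[serde(default)]` on the struct field, which deserves a mention in the doc comment.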