feat(vats): attenuate access to zoe.install, zoe.startInstance #4405
Conversation
7127397 to 99f5a66
Building the attenuated zoe in the zoe vat makes it all much more straightforward.
discussion with @warner, @michaelfig suggests:
home.zoe1 wraps zoe so that install and startInstance always throw. full home.zoe is only granted in the sim chain.
construct attenuated zoe service in the zoe vat
e6496b3 to 52ca13e
@dckc, I think that we still need this for MN-1. Can you integrate it with the latest boot core (once it's settled a bit)?
It's worth considering just separating out the instance creation authority into a separate ocap.
    const zoeWithoutInstallation = Far('zoe without install/startInstance', {
      ...zoeService,
      install: (..._args) => assert.fail('contract installation prohibited'),
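Review bot: the `...zoeService` spread forwards every method the service has at construction time, so any privileged method that is not explicitly overridden here (including one added to ZoeService later) is passed through to holders of the attenuated object; an explicit allowlist of forwarded method names would fail closed instead. If the spread is kept, a test that enumerates `Object.keys(zoeService)` and asserts each name is either forwarded on purpose or overridden would catch that drift.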
This indicates to me that they just be removed from the ZoeService.
Then how does any privileged component install a contract?
oh... I see your comment above...
I don't have the experience or expertise to treat Zoe as anything other than a "no user serviceable parts inside" component. So that's outside the scope of this PR.
@dckc is this still relevant? I recall a conversation that, IIRC, changed our view of this one.
I think it's still relevant. I'll know better when I look into it more closely.
yeah; we're not likely to take this approach.
This is sort of a simple idea that falls out of the updated bootstrap structure.
refs #4395, #3725
Is there a nicer idiom for overriding selected methods and forwarding the rest?
Security Considerations
home.zoe1 wraps zoe so that install and startInstance always throw.
full home.zoe is only granted in the sim chain.
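The attenuation idiom the PR asks about (override selected methods, forward the rest), shown beside an explicit allowlist, as an added example that is not code from the PR or from the Agoric code base. `makeFakeZoe`, `attenuateByOverride`, `attenuateByAllowlist` and `demo` are constructed stand-ins, and `Object.freeze` stands in for `Far`/`harden` so the file runs in plain Node. The fake service carries one privileged method the PR does not name, to show that the spread-and-override form forwards it while the allowlist form does not.

```javascript
// Added example (not PR or Agoric code): two ways to attenuate a service object.
// Object.freeze stands in for Far()/harden() so this runs stand-alone in Node.

// Constructed stand-in for a ZoeService: two harmless methods, the two
// privileged methods named in the PR, and installBundleID, a privileged
// method NOT named in the PR (models a method added after the wrapper was written).
const makeFakeZoe = () => {
  const counts = { install: 0, startInstance: 0, installBundleID: 0 };
  const zoe = Object.freeze({
    getInvitationIssuer: () => 'invitationIssuer',
    offer: (invitation) => `seat:${invitation}`,
    install: (bundle) => { counts.install += 1; return `installation:${bundle}`; },
    startInstance: (inst) => { counts.startInstance += 1; return `instance:${inst}`; },
    installBundleID: (id) => { counts.installBundleID += 1; return `installation:${id}`; },
  });
  return { zoe, counts };
};

// A method stub that refuses every call, regardless of arguments.
const prohibited = (what) => (..._args) => {
  throw new Error(`${what} prohibited`);
};

// Approach 1 (the idiom in the PR): copy every method, then override the
// ones to deny. Anything not explicitly denied is forwarded, including
// methods that did not exist when the override list was written: fails open.
const attenuateByOverride = (zoe) =>
  Object.freeze({
    ...zoe,
    install: prohibited('contract installation'),
    startInstance: prohibited('contract instantiation'),
  });

// Approach 2: forward only an explicit allowlist of method names. A method
// absent from the list is simply not present on the wrapper: fails closed.
const attenuateByAllowlist = (zoe, allowed) =>
  Object.freeze(
    Object.fromEntries(
      allowed.map((name) => {
        if (typeof zoe[name] !== 'function') {
          throw new TypeError(`no method ${name} to forward`);
        }
        return [name, (...args) => zoe[name](...args)];
      }),
    ),
  );

// Exercise both wrappers and report what each one lets through.
const demo = () => {
  const { zoe, counts } = makeFakeZoe();
  const byOverride = attenuateByOverride(zoe);
  const byAllowlist = attenuateByAllowlist(zoe, ['getInvitationIssuer', 'offer']);
  const throws = (fn) => { try { fn(); return false; } catch (_e) { return true; } };

  const result = {
    // Both wrappers still forward the harmless methods.
    offerViaOverride: byOverride.offer('inv1'),
    offerViaAllowlist: byAllowlist.offer('inv2'),
    // Both wrappers deny the two methods the PR names (on the allowlist
    // wrapper the property is simply undefined, so calling it throws too).
    overrideDeniesInstall: throws(() => byOverride.install('bundle')),
    overrideDeniesStart: throws(() => byOverride.startInstance('x')),
    allowlistDeniesInstall: throws(() => byAllowlist.install('bundle')),
    allowlistDeniesStart: throws(() => byAllowlist.startInstance('x')),
    // The difference: the unlisted privileged method is reachable through the
    // spread-and-override wrapper but absent from the allowlist wrapper.
    overrideExposesInstallBundleID: typeof byOverride.installBundleID === 'function',
    allowlistExposesInstallBundleID: typeof byAllowlist.installBundleID === 'function',
  };
  // Prove the leak reaches the underlying service rather than a copy.
  if (result.overrideExposesInstallBundleID) byOverride.installBundleID('b1');
  result.installBundleIDCalls = counts.installBundleID;
  result.privilegedCallsViaWrappers = counts.install + counts.startInstance;
  return result;
};

console.log(demo());
```

The allowlist form answers the "nicer idiom" question from the defender's side: the set of forwarded methods is written down once and audited, and a later addition to the underlying service cannot widen the attenuated object without someone editing that list.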