feat(vats): attenuate access to zoe.install, zoe.startInstance #4405
Conversation
dckc
force-pushed
the
4395-attenuate-install
branch
from
7127397
to
99f5a66
Compare
Building the attenuated zoe in the zoe vat makes it all much more straightforward. |
|
discussion with @warner , @michaelfig suggests:
|
home.zoe1 wraps zoe so that install and startInstance always throw. full home.zoe is only granted in the sim chain. construct attenuated zoe service in the zoe vat
dckc
force-pushed
the
4395-attenuate-install
branch
from
e6496b3
to
52ca13e
Compare
|
@dckc, I think that we still need this for MN-1. Can you integrate it with the latest boot core (once it's settled a bit)? |
|
It's worth considering just separating out the instance creation authority into a separate ocap. |
|
|
||
| const zoeWithoutInstallation = Far('zoe without install/startInstance', { | ||
| ...zoeService, | ||
| install: (..._args) => assert.fail('contract installation prohibited'), |
There was a problem hiding this comment.
This indicates to me that they just be removed from the ZoeService.
There was a problem hiding this comment.
Then how does any privileged component install a contract?
There was a problem hiding this comment.
oh... I see your comment above...
I don't have experience expertise to treat Zoe other than a "no user serviceable parts inside" component. So that's outside the scope of this PR.
|
@dckc is this still relevant? I recall a conversation that, IIRC, changed our view of this one. |
|
I think it's still relevant. I'll know better when I look into it more closely. |
|
yeah; we're not likely to take this approach. |
This is sort of a simple idea that falls out of the updated bootstrap structure.
refs #4395, #3725
Is there a nicer idiom for overriding selected methods and forwarding the rest?
Security Considerations
home.zoe1 wraps zoe so that install and startInstance always throw.
full home.zoe is only granted in the sim chain.