Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

whitelist certain wasms #175

Merged
merged 11 commits into from
Jul 5, 2023
Merged

whitelist certain wasms #175

merged 11 commits into from
Jul 5, 2023

Conversation

sesi200
Copy link
Contributor

@sesi200 sesi200 commented Jun 8, 2023

No description provided.

chenyan-dfinity
chenyan-dfinity reviewed Jun 8, 2023
View reviewed changes
Copy link
Contributor

@chenyan-dfinity chenyan-dfinity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's better to implement this in wasm-utils and use SHA256. In the backend, we can add an is_whitelisted flag to installCode to decide whether to call transform or whitelisted.

service/pool/Main.mo Outdated Show resolved Hide resolved
@sesi200
Copy link
Contributor Author

sesi200 commented Jun 9, 2023

Would you prefer the whitelist in wasm-utils? That would save one async call, but it would add state in a canister that's stateless so far

chenyan-dfinity
chenyan-dfinity reviewed Jun 9, 2023
View reviewed changes
service/wasm-utils/wasm-utils.did Outdated
@@ -1,5 +1,6 @@
type Config = record { profiling: bool; remove_cycles_add: bool; limit_stable_memory_page: opt nat32; backend_canister_id: opt principal};

service : {
transform : (blob, Config) -> (blob);
transform : (blob, Config) -> (blob) query;
hash : (blob) -> (text) query;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
hash : (blob) -> (text) query;
whitelisted_modules : (blob) -> (blob) query;

The idea is that if the wasm module is in a hardcoded whitelist, we return the blob directly. Otherwise, we trap. This is stateless.

Copy link
Contributor

@chenyan-dfinity chenyan-dfinity Jun 9, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For better code auditing and keeping it stateless, it's better to hardcoded the module hash in the code, instead of maintaining it dynamically.

service/pool/Main.mo Outdated
@@ -134,7 +181,12 @@ shared (creator) actor class Self(opt_params : ?Types.InitParams) = this {
limit_stable_memory_page = ?(16384 : Nat32); // Limit to 1G of stable memory
backend_canister_id = ?Principal.fromActor(this);
};
let wasm = await Wasm.transform(args.wasm_module, config);
let wasm_hash = await Wasm.hash(args.wasm_module);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The installCode function would take a new parameter is_whitelisted, and call whitelisted_modules or transform depending on the parameter.

chenyan-dfinity
chenyan-dfinity reviewed Jun 22, 2023
View reviewed changes
service/pool/Main.mo Outdated
@@ -290,11 +299,12 @@ shared (creator) actor class Self(opt_params : ?Types.InitParams) = this {
wasm_module : ICType.wasm_module;
mode : { #reinstall; #upgrade; #install };
canister_id : ICType.canister_id;
is_whitelisted : Bool;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a wrapper for the management canister, so we cannot change the interface. We can set this to false, as it's only used by the canister to spawn child canisters.

service/pool/Main.mo Outdated Show resolved Hide resolved
service/pool/Main.mo
@@ -134,7 +137,13 @@ shared (creator) actor class Self(opt_params : ?Types.InitParams) = this {
limit_stable_memory_page = ?(16384 : Nat32); // Limit to 1G of stable memory
backend_canister_id = ?Principal.fromActor(this);
};
let wasm = await Wasm.transform(args.wasm_module, config);
let wasm = if (caller == controller) {
args.wasm_module;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to bypass the controller for testing? If so, we only want to bypass when is_whitelisted is true.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the bypass is required for testing. But restricting to is_whitelisted is fine

@sesi200 sesi200 marked this pull request as ready for review June 30, 2023 14:14
chenyan-dfinity
chenyan-dfinity approved these changes Jul 5, 2023
View reviewed changes
Copy link
Contributor

@chenyan-dfinity chenyan-dfinity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@chenyan-dfinity chenyan-dfinity merged commit a62d764 into dfinity:main Jul 5, 2023
3 checks passed
@sesi200 sesi200 deleted the severin/wasm-whitelist branch July 6, 2023 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chenyan-dfinity chenyan-dfinity chenyan-dfinity approved these changes

Assignees
No one assigned
Labels
breaking_changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sesi200 @chenyan-dfinity