-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
whitelist certain wasms #175
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's better to implement this in wasm-utils
and use SHA256. In the backend, we can add an is_whitelisted
flag to installCode
to decide whether to call transform or whitelisted.
Would you prefer the whitelist in |
service/wasm-utils/wasm-utils.did
Outdated
@@ -1,5 +1,6 @@ | |||
type Config = record { profiling: bool; remove_cycles_add: bool; limit_stable_memory_page: opt nat32; backend_canister_id: opt principal}; | |||
|
|||
service : { | |||
transform : (blob, Config) -> (blob); | |||
transform : (blob, Config) -> (blob) query; | |||
hash : (blob) -> (text) query; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hash : (blob) -> (text) query; | |
whitelisted_modules : (blob) -> (blob) query; |
The idea is that if the wasm module is in a hardcoded whitelist, we return the blob directly. Otherwise, we trap. This is stateless.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For better code auditing and keeping it stateless, it's better to hardcoded the module hash in the code, instead of maintaining it dynamically.
service/pool/Main.mo
Outdated
@@ -134,7 +181,12 @@ shared (creator) actor class Self(opt_params : ?Types.InitParams) = this { | |||
limit_stable_memory_page = ?(16384 : Nat32); // Limit to 1G of stable memory | |||
backend_canister_id = ?Principal.fromActor(this); | |||
}; | |||
let wasm = await Wasm.transform(args.wasm_module, config); | |||
let wasm_hash = await Wasm.hash(args.wasm_module); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The installCode
function would take a new parameter is_whitelisted
, and call whitelisted_modules
or transform
depending on the parameter.
service/pool/Main.mo
Outdated
@@ -290,11 +299,12 @@ shared (creator) actor class Self(opt_params : ?Types.InitParams) = this { | |||
wasm_module : ICType.wasm_module; | |||
mode : { #reinstall; #upgrade; #install }; | |||
canister_id : ICType.canister_id; | |||
is_whitelisted : Bool; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a wrapper for the management canister, so we cannot change the interface. We can set this to false, as it's only used by the canister to spawn child canisters.
@@ -134,7 +137,13 @@ shared (creator) actor class Self(opt_params : ?Types.InitParams) = this { | |||
limit_stable_memory_page = ?(16384 : Nat32); // Limit to 1G of stable memory | |||
backend_canister_id = ?Principal.fromActor(this); | |||
}; | |||
let wasm = await Wasm.transform(args.wasm_module, config); | |||
let wasm = if (caller == controller) { | |||
args.wasm_module; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to bypass the controller for testing? If so, we only want to bypass when is_whitelisted
is true.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the bypass is required for testing. But restricting to is_whitelisted
is fine
9b61a8c
to
bc91f9d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
No description provided.