GrantCaps used over initial_caps

Drew Tada 2024-02-05 22:00:54 -05:00
parent dc8ac524a2
commit e33a5a8b35
2 changed files with 53 additions and 47 deletions


@ -473,13 +473,6 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
format!("/{}", entry.process_wasm_path) format!("/{}", entry.process_wasm_path)
}; };
let wasm_path = format!("{}{}", drive_path, wasm_path); let wasm_path = format!("{}{}", drive_path, wasm_path);
// build initial caps
let mut initial_capabilities: HashSet<kt::Capability> = HashSet::new();
if entry.request_networking {
initial_capabilities.insert(kt::de_wit_capability(networking_cap.clone()));
}
initial_capabilities.insert(kt::de_wit_capability(read_cap.clone()));
initial_capabilities.insert(kt::de_wit_capability(write_cap.clone()));
let process_id = format!("{}:{}", entry.process_name, package); let process_id = format!("{}:{}", entry.process_name, package);
let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else { let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else {
return Err(anyhow::anyhow!("app store: invalid process id!")); return Err(anyhow::anyhow!("app store: invalid process id!"));
@ -499,17 +492,37 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
action: vfs::VfsAction::Read, action: vfs::VfsAction::Read,
})?) })?)
.send_and_await_response(5)??; .send_and_await_response(5)??;
Request::new()
.target(("our", "kernel", "distro", "sys"))
.body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess {
id: parsed_new_process_id.clone(),
wasm_bytes_handle: wasm_path,
wit_version: None,
on_exit: entry.on_exit.clone(),
initial_capabilities: HashSet::new(),
public: entry.public,
})?)
.inherit(true)
.send_and_await_response(5)??;
// build initial caps
let mut requested_capabilities: Vec<kt::Capability> = vec![];
for value in &entry.request_capabilities { for value in &entry.request_capabilities {
let mut capability = None;
match value { match value {
serde_json::Value::String(process_name) => { serde_json::Value::String(process_name) => {
if let Ok(parsed_process_id) = process_name.parse::<ProcessId>() { if let Ok(parsed_process_id) = process_name.parse::<ProcessId>() {
capability = get_capability( requested_capabilities.push(kt::Capability {
&Address { issuer: Address {
node: our.node.clone(), node: our.node.clone(),
process: parsed_process_id.clone(), process: parsed_process_id.clone(),
}, },
"\"messaging\"".into(), params: "\"messaging\"".into(),
});
} else {
println!(
"app-store: invalid cap: {} for {} to request!",
value.to_string(),
package
); );
} }
} }
@ -521,12 +534,18 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
.parse::<ProcessId>() .parse::<ProcessId>()
{ {
if let Some(params) = map.get("params") { if let Some(params) = map.get("params") {
capability = get_capability( requested_capabilities.push(kt::Capability {
&Address { issuer: Address {
node: our.node.clone(), node: our.node.clone(),
process: parsed_process_id.clone(), process: parsed_process_id.clone(),
}, },
&params.to_string(), params: params.to_string(),
});
} else {
println!(
"app-store: invalid cap: {} for {} to request!",
value.to_string(),
package
); );
} }
} }
@ -536,27 +555,18 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
continue; continue;
} }
} }
if let Some(cap) = capability {
initial_capabilities.insert(kt::de_wit_capability(cap));
} else {
println!(
"app-store: no cap: {} for {} to request!",
value.to_string(),
package
);
} }
if entry.request_networking {
requested_capabilities.push(kt::de_wit_capability(networking_cap.clone()));
} }
requested_capabilities.push(kt::de_wit_capability(read_cap.clone()));
requested_capabilities.push(kt::de_wit_capability(write_cap.clone()));
Request::new() Request::new()
.target(("our", "kernel", "distro", "sys")) .target(("our", "kernel", "distro", "sys"))
.body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess { .body(serde_json::to_vec(&kt::KernelCommand::GrantCapabilities {
id: parsed_new_process_id.clone(), target: parsed_new_process_id.clone(),
wasm_bytes_handle: wasm_path, capabilities: requested_capabilities,
wit_version: None,
on_exit: entry.on_exit.clone(),
initial_capabilities,
public: entry.public,
})?) })?)
.inherit(true)
.send_and_await_response(5)??; .send_and_await_response(5)??;
} }
// THEN, *after* all processes have been initialized, grant caps in manifest // THEN, *after* all processes have been initialized, grant caps in manifest
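Review bot: The `requested_capabilities.push(kt::Capability { ... })` in the string branch of `for value in &entry.request_capabilities` (and the map branch in the following hunk) builds the capability directly from the manifest, whereas the replaced code only kept a capability when `get_capability(...)` returned `Some`, i.e. when the app store itself held it. Unless the kernel's `GrantCapabilities` handler verifies that the sender holds each capability it forwards — not visible in this diff — that filter is gone and a manifest can now name any `(issuer, params)` pair; the removed `"app-store: no cap: ..."` message was also the only log line recording a refused request. If the kernel does enforce this, say so above the loop, e.g. `// kernel rejects caps the app store does not itself hold; no local check needed`; otherwise keep the lookup, e.g. `if let Some(cap) = get_capability(&issuer, "\"messaging\"") { requested_capabilities.push(kt::de_wit_capability(cap)); }`. Note also that `requested_capabilities` is a `Vec` where `initial_capabilities` was a `HashSet`, so a manifest listing the same capability twice now sends it twice. `handle_install` starts before the first hunk and continues past this one.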


@ -205,13 +205,6 @@ fn handle_run(
}; };
let wasm_path = format!("{}{}", drive_path, wasm_path); let wasm_path = format!("{}{}", drive_path, wasm_path);
// build initial caps // build initial caps
let mut initial_capabilities: HashSet<kt::Capability> = HashSet::new();
if entry.request_networking {
initial_capabilities.insert(kt::de_wit_capability(Capability {
issuer: Address::new(&our.node, ("kernel", "distro", "sys")),
params: "\"network\"".to_string(),
}));
}
let process_id = format!("{}:{}", rand::random::<u64>(), package); // all scripts are given random process IDs let process_id = format!("{}:{}", rand::random::<u64>(), package); // all scripts are given random process IDs
let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else { let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else {
return Err(anyhow::anyhow!("app store: invalid process id!")); return Err(anyhow::anyhow!("app store: invalid process id!"));
@ -224,11 +217,6 @@ fn handle_run(
action: vfs::VfsAction::Read, action: vfs::VfsAction::Read,
})?) })?)
.send_and_await_response(5)??; .send_and_await_response(5)??;
if entry.root {
for cap in our_capabilities() {
initial_capabilities.insert(kt::de_wit_capability(cap.clone()));
}
}
Request::new() Request::new()
.target(("our", "kernel", "distro", "sys")) .target(("our", "kernel", "distro", "sys"))
.body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess { .body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess {
@ -236,7 +224,7 @@ fn handle_run(
wasm_bytes_handle: wasm_path.clone(), wasm_bytes_handle: wasm_path.clone(),
wit_version: None, wit_version: None,
on_exit: kt::OnExit::None, // TODO this should send a message back to runner:script:sys so that it can Drop capabilities on_exit: kt::OnExit::None, // TODO this should send a message back to runner:script:sys so that it can Drop capabilities
initial_capabilities: initial_capabilities.clone(), initial_capabilities: HashSet::new(),
public: entry.public, public: entry.public,
})?) })?)
.inherit(true) .inherit(true)
@ -281,6 +269,17 @@ fn handle_run(
} }
} }
} }
if entry.request_networking {
requested_caps.push(kt::de_wit_capability(Capability {
issuer: Address::new(&our.node, ("kernel", "distro", "sys")),
params: "\"network\"".to_string(),
}));
}
if entry.root {
for cap in our_capabilities() {
requested_caps.push(kt::de_wit_capability(cap.clone()));
}
}
print_to_terminal( print_to_terminal(
1, 1,
&format!( &format!(
@ -292,9 +291,6 @@ fn handle_run(
entry.public, entry.public,
{ {
let mut caps_string = "[".to_string(); let mut caps_string = "[".to_string();
for cap in initial_capabilities.iter() {
caps_string += &format!("\n {}({})", cap.issuer.to_string(), cap.params);
}
for cap in requested_caps.iter() { for cap in requested_caps.iter() {
caps_string += &format!("\n {}({})", cap.issuer.to_string(), cap.params); caps_string += &format!("\n {}({})", cap.issuer.to_string(), cap.params);
} }
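Review bot: The `// build initial caps` comment kept at the top of the first hunk of `handle_run` now labels nothing, because the `initial_capabilities` set it introduced was deleted and the next statement builds `process_id`; the networking and `entry.root` capabilities are instead appended to `requested_caps` in the later hunk. Move the comment there, or reword it to `// caps are granted after InitializeProcess via requested_caps`, so the initialize-with-empty-set-then-grant order is visible where `initial_capabilities: HashSet::new()` is passed. The `entry.root` branch still copies every capability from `our_capabilities()` into the grant list, so the later grant (outside these hunks) is the point where the script receives the runner's full authority; a one-line comment on that branch stating this would help the next reader. `handle_run` starts before the first hunk and the grant request itself is not shown.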