mirror of
https://github.com/uqbar-dao/nectar.git
synced 2024-12-23 16:43:24 +03:00
GrantCaps used over initial_caps
parent
dc8ac524a2
commit
e33a5a8b35
@ -473,13 +473,6 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
|
|||||||
format!("/{}", entry.process_wasm_path)
|
format!("/{}", entry.process_wasm_path)
|
||||||
};
|
};
|
||||||
let wasm_path = format!("{}{}", drive_path, wasm_path);
|
let wasm_path = format!("{}{}", drive_path, wasm_path);
|
||||||
// build initial caps
|
|
||||||
let mut initial_capabilities: HashSet<kt::Capability> = HashSet::new();
|
|
||||||
if entry.request_networking {
|
|
||||||
initial_capabilities.insert(kt::de_wit_capability(networking_cap.clone()));
|
|
||||||
}
|
|
||||||
initial_capabilities.insert(kt::de_wit_capability(read_cap.clone()));
|
|
||||||
initial_capabilities.insert(kt::de_wit_capability(write_cap.clone()));
|
|
||||||
let process_id = format!("{}:{}", entry.process_name, package);
|
let process_id = format!("{}:{}", entry.process_name, package);
|
||||||
let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else {
|
let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else {
|
||||||
return Err(anyhow::anyhow!("app store: invalid process id!"));
|
return Err(anyhow::anyhow!("app store: invalid process id!"));
|
||||||
@ -499,17 +492,37 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
|
|||||||
action: vfs::VfsAction::Read,
|
action: vfs::VfsAction::Read,
|
||||||
})?)
|
})?)
|
||||||
.send_and_await_response(5)??;
|
.send_and_await_response(5)??;
|
||||||
|
|
||||||
|
Request::new()
|
||||||
|
.target(("our", "kernel", "distro", "sys"))
|
||||||
|
.body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess {
|
||||||
|
id: parsed_new_process_id.clone(),
|
||||||
|
wasm_bytes_handle: wasm_path,
|
||||||
|
wit_version: None,
|
||||||
|
on_exit: entry.on_exit.clone(),
|
||||||
|
initial_capabilities: HashSet::new(),
|
||||||
|
public: entry.public,
|
||||||
|
})?)
|
||||||
|
.inherit(true)
|
||||||
|
.send_and_await_response(5)??;
|
||||||
|
// build initial caps
|
||||||
|
let mut requested_capabilities: Vec<kt::Capability> = vec![];
|
||||||
for value in &entry.request_capabilities {
|
for value in &entry.request_capabilities {
|
||||||
let mut capability = None;
|
|
||||||
match value {
|
match value {
|
||||||
serde_json::Value::String(process_name) => {
|
serde_json::Value::String(process_name) => {
|
||||||
if let Ok(parsed_process_id) = process_name.parse::<ProcessId>() {
|
if let Ok(parsed_process_id) = process_name.parse::<ProcessId>() {
|
||||||
capability = get_capability(
|
requested_capabilities.push(kt::Capability {
|
||||||
&Address {
|
issuer: Address {
|
||||||
node: our.node.clone(),
|
node: our.node.clone(),
|
||||||
process: parsed_process_id.clone(),
|
process: parsed_process_id.clone(),
|
||||||
},
|
},
|
||||||
"\"messaging\"".into(),
|
params: "\"messaging\"".into(),
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
println!(
|
||||||
|
"app-store: invalid cap: {} for {} to request!",
|
||||||
|
value.to_string(),
|
||||||
|
package
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -521,12 +534,18 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
|
|||||||
.parse::<ProcessId>()
|
.parse::<ProcessId>()
|
||||||
{
|
{
|
||||||
if let Some(params) = map.get("params") {
|
if let Some(params) = map.get("params") {
|
||||||
capability = get_capability(
|
requested_capabilities.push(kt::Capability {
|
||||||
&Address {
|
issuer: Address {
|
||||||
node: our.node.clone(),
|
node: our.node.clone(),
|
||||||
process: parsed_process_id.clone(),
|
process: parsed_process_id.clone(),
|
||||||
},
|
},
|
||||||
¶ms.to_string(),
|
params: params.to_string(),
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
println!(
|
||||||
|
"app-store: invalid cap: {} for {} to request!",
|
||||||
|
value.to_string(),
|
||||||
|
package
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -536,27 +555,18 @@ fn handle_install(our: &Address, package: &PackageId) -> anyhow::Result<()> {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if let Some(cap) = capability {
|
|
||||||
initial_capabilities.insert(kt::de_wit_capability(cap));
|
|
||||||
} else {
|
|
||||||
println!(
|
|
||||||
"app-store: no cap: {} for {} to request!",
|
|
||||||
value.to_string(),
|
|
||||||
package
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
if entry.request_networking {
|
||||||
|
requested_capabilities.push(kt::de_wit_capability(networking_cap.clone()));
|
||||||
}
|
}
|
||||||
|
requested_capabilities.push(kt::de_wit_capability(read_cap.clone()));
|
||||||
|
requested_capabilities.push(kt::de_wit_capability(write_cap.clone()));
|
||||||
Request::new()
|
Request::new()
|
||||||
.target(("our", "kernel", "distro", "sys"))
|
.target(("our", "kernel", "distro", "sys"))
|
||||||
.body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess {
|
.body(serde_json::to_vec(&kt::KernelCommand::GrantCapabilities {
|
||||||
id: parsed_new_process_id.clone(),
|
target: parsed_new_process_id.clone(),
|
||||||
wasm_bytes_handle: wasm_path,
|
capabilities: requested_capabilities,
|
||||||
wit_version: None,
|
|
||||||
on_exit: entry.on_exit.clone(),
|
|
||||||
initial_capabilities,
|
|
||||||
public: entry.public,
|
|
||||||
})?)
|
})?)
|
||||||
.inherit(true)
|
|
||||||
.send_and_await_response(5)??;
|
.send_and_await_response(5)??;
|
||||||
}
|
}
|
||||||
// THEN, *after* all processes have been initialized, grant caps in manifest
|
// THEN, *after* all processes have been initialized, grant caps in manifest
|
||||||
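Review bot: In handle_install the requested capabilities are now built straight from manifest values (`requested_capabilities.push(kt::Capability { issuer: Address { .. }, params: params.to_string() })`) instead of being looked up with `get_capability`, so the old "no cap" branch that skipped anything the app store could not obtain is gone. As far as these hunks show, whatever issuer process and params a package lists in `request_capabilities` is forwarded in `KernelCommand::GrantCapabilities`. Unless the kernel handler, which is not visible here, checks that the sender holds each capability, a manifest can name any local process with arbitrary params. I would keep the lookup and push only on `Some(cap)`, or at least put a comment at the `GrantCapabilities` request naming where that check is enforced. handle_install starts and ends outside the hunks, so any approval step before this point is not visible.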
|
@ -205,13 +205,6 @@ fn handle_run(
|
|||||||
};
|
};
|
||||||
let wasm_path = format!("{}{}", drive_path, wasm_path);
|
let wasm_path = format!("{}{}", drive_path, wasm_path);
|
||||||
// build initial caps
|
// build initial caps
|
||||||
let mut initial_capabilities: HashSet<kt::Capability> = HashSet::new();
|
|
||||||
if entry.request_networking {
|
|
||||||
initial_capabilities.insert(kt::de_wit_capability(Capability {
|
|
||||||
issuer: Address::new(&our.node, ("kernel", "distro", "sys")),
|
|
||||||
params: "\"network\"".to_string(),
|
|
||||||
}));
|
|
||||||
}
|
|
||||||
let process_id = format!("{}:{}", rand::random::<u64>(), package); // all scripts are given random process IDs
|
let process_id = format!("{}:{}", rand::random::<u64>(), package); // all scripts are given random process IDs
|
||||||
let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else {
|
let Ok(parsed_new_process_id) = process_id.parse::<ProcessId>() else {
|
||||||
return Err(anyhow::anyhow!("app store: invalid process id!"));
|
return Err(anyhow::anyhow!("app store: invalid process id!"));
|
||||||
@ -224,11 +217,6 @@ fn handle_run(
|
|||||||
action: vfs::VfsAction::Read,
|
action: vfs::VfsAction::Read,
|
||||||
})?)
|
})?)
|
||||||
.send_and_await_response(5)??;
|
.send_and_await_response(5)??;
|
||||||
if entry.root {
|
|
||||||
for cap in our_capabilities() {
|
|
||||||
initial_capabilities.insert(kt::de_wit_capability(cap.clone()));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Request::new()
|
Request::new()
|
||||||
.target(("our", "kernel", "distro", "sys"))
|
.target(("our", "kernel", "distro", "sys"))
|
||||||
.body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess {
|
.body(serde_json::to_vec(&kt::KernelCommand::InitializeProcess {
|
||||||
@ -236,7 +224,7 @@ fn handle_run(
|
|||||||
wasm_bytes_handle: wasm_path.clone(),
|
wasm_bytes_handle: wasm_path.clone(),
|
||||||
wit_version: None,
|
wit_version: None,
|
||||||
on_exit: kt::OnExit::None, // TODO this should send a message back to runner:script:sys so that it can Drop capabilities
|
on_exit: kt::OnExit::None, // TODO this should send a message back to runner:script:sys so that it can Drop capabilities
|
||||||
initial_capabilities: initial_capabilities.clone(),
|
initial_capabilities: HashSet::new(),
|
||||||
public: entry.public,
|
public: entry.public,
|
||||||
})?)
|
})?)
|
||||||
.inherit(true)
|
.inherit(true)
|
||||||
@ -281,6 +269,17 @@ fn handle_run(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if entry.request_networking {
|
||||||
|
requested_caps.push(kt::de_wit_capability(Capability {
|
||||||
|
issuer: Address::new(&our.node, ("kernel", "distro", "sys")),
|
||||||
|
params: "\"network\"".to_string(),
|
||||||
|
}));
|
||||||
|
}
|
||||||
|
if entry.root {
|
||||||
|
for cap in our_capabilities() {
|
||||||
|
requested_caps.push(kt::de_wit_capability(cap.clone()));
|
||||||
|
}
|
||||||
|
}
|
||||||
print_to_terminal(
|
print_to_terminal(
|
||||||
1,
|
1,
|
||||||
&format!(
|
&format!(
|
||||||
@ -292,9 +291,6 @@ fn handle_run(
|
|||||||
entry.public,
|
entry.public,
|
||||||
{
|
{
|
||||||
let mut caps_string = "[".to_string();
|
let mut caps_string = "[".to_string();
|
||||||
for cap in initial_capabilities.iter() {
|
|
||||||
caps_string += &format!("\n {}({})", cap.issuer.to_string(), cap.params);
|
|
||||||
}
|
|
||||||
for cap in requested_caps.iter() {
|
for cap in requested_caps.iter() {
|
||||||
caps_string += &format!("\n {}({})", cap.issuer.to_string(), cap.params);
|
caps_string += &format!("\n {}({})", cap.issuer.to_string(), cap.params);
|
||||||
}
|
}
|
||||||
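Review bot: The `if entry.root` block copies every entry of `our_capabilities()` into `requested_caps`, while the unchanged `on_exit: kt::OnExit::None` line still carries a TODO saying nothing drops capabilities when the script ends. With `initial_capabilities: HashSet::new()` the script's whole privilege set now depends on a later grant that is outside these hunks. It is worth confirming that the grant completes before the script runs and that a failed grant aborts the run. The root branch should also say what it hands over, for example `// root: script is granted every capability this process holds`. handle_run begins and ends outside the visible hunks.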
|