Closed Latrasis closed 4 years ago
The test harness is currently in the form of "deploy-flipper" and deploys some very raw contracts for testing. As we add opcodes we can test them here.
Downgrading of intrinsic capabilities and subset checking is now implemented.
I've also updated the README with more information about how all these things work together. One current property that is slightly inelegant is that there is intrinsic capabilities, which describe what a contract can do by default, and contextual capabilities, which are the capabilities the contract has been called with. We probably don't want these two different things so in future it would be wise to plan out a more formal system.
Linking the changes from substrate-daohub: https://github.com/paritytech/substrate/compare/master...Daohub-io:daohub
Closing with #201
~For #196, we need to setup, in
kernel-ewasm/substrate/
(this can be moved later if necessary):~The cap9 implementation is currently part of the srml contracts module, which is where it will be implemented for now.
call_with_caps
which is a form of delegate call that allows the caller to provide the set of capabilities it wishes, thereby restricting the possible actions of the callee. When no capabilities are passed this is equivalent to static call, when the full set is passed this is equivalent to a delegate call.A note on "intrinsic capabilities". Each contract has a set of intrinsic capabilities. Upon a regular instantiation a contract has the full set of capabilities, but they will be able to relinquish some of these. When a user calls into this contract directly, they will not be able to do any more than the contract already allows. This effectively means that a contract can lock itself out of parts of its own storage.
When it calls another contract in turn, it can only pass on capabilities that it already has. When a contract is being called by another contract, its intrinsic capabilities are irrelevant.