
feat(compartment-mapper): Host module exits

Open kriskowal opened this issue 1 year ago • 3 comments

Description

This change closes the remaining gap between Endo as a Zip archive bundler and support for “exits” to host modules from those bundles at import-time.

This begins with a test to demonstrate the latent support for conditional exits to host modules through importLocation. The test fixture has a library that exports the host implementation of itself if the bundler specifies the exit (endo:lib) as a condition. This causes the module to be omitted from bundles and relies on the importer to provide the implementation. There remained a gap for a round-trip through a bundle.

The subsequent changes fix a bottleneck for exit modules in the compartment-mapper. The LavaMoat policy-enforcement runtime is limited to virtual module sources, which constrained support for other kinds of module descriptor. This change opens that up so arbitrary module descriptors pass through the attenuating adapter if no policy is in effect for that edge. We can return to explore attenuation of other kinds of module descriptor.

At this point, all exits have to be explicitly marked with an importHook that returns a module descriptor for the named exit module specifier. We then add a feature to the bundler that implicitly recognizes that any module specifier starting with a URI-scheme prefix is an exit, for convenience on the bundler side. This will obviate the need for an additional command-line flag in bundle-source in the common case.

Then, we trivially thread the importHook through importBundle options.

Security Considerations

Host-provided modules must be hardened and pure, to avoid being useful as a side-channel or MITM attack surface between guests.

Scaling Considerations

This should allow the creation of smaller bundles.

Documentation Considerations

Any module that implements this feature should document the condition that enables it for bundling and importing.

Testing Considerations

Just a test.

Compatibility Considerations

None.

Upgrade Considerations

None.

kriskowal, Aug 20 '24 23:08
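The following is an added illustration, not code from this PR or from the Endo compartment-mapper. It shows, in plain Node.js, the two mechanisms the description relies on: treating any specifier with a URI-scheme prefix (such as `endo:lib`) as an exit, and an importHook that supplies a host module for that exit only if the module is hardened, which is the Security Considerations requirement above. The scheme regex, the `TRUSTED_ROOTS` set (standing in for intrinsics that SES `lockdown()` would already have frozen), the simplified `harden()`, the `{ namespace }` descriptor shape, and the sample `endo:lib` implementation are all assumptions of this example.

```javascript
// Added example (not Endo's or the compartment-mapper's own code): classify
// exit specifiers by URI-scheme prefix, and gate host modules supplied via an
// importHook on being hardened, so one guest cannot use a host module as a
// channel to another guest.
'use strict';

// Exit rule assumed here: a specifier that starts with an RFC 3986 scheme
// ("endo:lib", "node:fs", "https://...") is an exit; relative and bare
// package specifiers are not. A one-letter scheme such as "c:" also matches,
// so Windows drive paths must never be passed as module specifiers.
const URI_SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*:/;

function isExitSpecifier(specifier) {
  return typeof specifier === 'string' && URI_SCHEME.test(specifier);
}

// Intrinsic prototypes are trusted here on the assumption that SES lockdown()
// has already frozen them; the walks below stop at them rather than fail on
// an unfrozen Object.prototype in a Node process that is not locked down.
const TRUSTED_ROOTS = new Set([null, Object.prototype, Function.prototype, Array.prototype]);

// Deep-freeze everything reachable from root: own data values, accessor
// functions, and non-intrinsic prototypes. A simplified stand-in for SES harden().
function harden(root) {
  const seen = new Set();
  const walk = value => {
    if (Object(value) !== value || seen.has(value) || TRUSTED_ROOTS.has(value)) return;
    seen.add(value);
    Object.freeze(value);
    for (const key of Reflect.ownKeys(value)) {
      const desc = Object.getOwnPropertyDescriptor(value, key);
      if ('value' in desc) walk(desc.value);
      else { walk(desc.get); walk(desc.set); }
    }
    walk(Object.getPrototypeOf(value));
  };
  walk(root);
  return root;
}

// Non-mutating check that root is hardened by the same definition.
function isHardened(root) {
  const seen = new Set();
  const check = value => {
    if (Object(value) !== value || seen.has(value) || TRUSTED_ROOTS.has(value)) return true;
    seen.add(value);
    if (!Object.isFrozen(value)) return false;
    for (const key of Reflect.ownKeys(value)) {
      const desc = Object.getOwnPropertyDescriptor(value, key);
      const reachable = 'value' in desc ? [desc.value] : [desc.get, desc.set];
      if (!reachable.every(check)) return false;
    }
    return check(Object.getPrototypeOf(value));
  };
  return check(root);
}

// importHook factory over a table of host-provided exit namespaces. Every
// namespace is validated up front. The hook returns a { namespace } module
// descriptor (the shape assumed here for an already-instantiated module) for a
// known exit, undefined for non-exit specifiers so the bundle's own modules
// resolve normally, and throws for an exit that nobody provided.
function makeExitImportHook(exits) {
  for (const [specifier, namespace] of Object.entries(exits)) {
    if (!isExitSpecifier(specifier)) throw new TypeError(`not an exit specifier: ${specifier}`);
    if (!isHardened(namespace)) throw new TypeError(`host module for ${specifier} is not hardened`);
  }
  return specifier => {
    if (!isExitSpecifier(specifier)) return undefined;
    if (!Object.hasOwn(exits, specifier)) throw new Error(`no host module provided for exit ${specifier}`);
    return { namespace: exits[specifier] };
  };
}

// Two guests importing the same exit. Guest A tries to stash data on the
// namespace object; guest B reads it back. Only a mutable namespace lets the
// value cross, which is the inter-guest channel the hardening rule prevents.
function leakBetweenGuests(namespace) {
  const guestA = ns => Reflect.set(ns, 'scratch', 'from A');
  const guestB = ns => ns.scratch;
  guestA(namespace);
  return guestB(namespace);
}

// Constructed sample host library standing in for a hypothetical "endo:lib".
function makeSampleLib() {
  return { greet: name => `hello ${name}`, version: { major: 1 } };
}

console.log(leakBetweenGuests(makeSampleLib()));              // from A
console.log(leakBetweenGuests(harden(makeSampleLib())));      // undefined
const importHook = makeExitImportHook({ 'endo:lib': harden(makeSampleLib()) });
console.log(importHook('endo:lib').namespace.greet('guest')); // hello guest
```

The up-front validation in `makeExitImportHook` is deliberate: a hook that only checks on first import would let the bundle load successfully and then fail at the first guest that touches the exit, and a hook that never checks would silently accept a mutable namespace. `leakBetweenGuests` makes the cost of that second case concrete: with the unhardened library the value written by one guest is readable by the other; after `harden()` the write is rejected and nothing crosses.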

Summoning @naugtur since this touches policy enforcement code with delicate invariants.

kriskowal, Aug 27 '24 19:08

I'll need some time to dig through this. I'll see if I can go through it before the meeting tomorrow.

naugtur, Aug 27 '24 19:08

This PR is still needed, approved, and passed CI. Anything blocking progress other than scarcity of attention?

erights, Sep 26 '25 19:09