From 8911eaabb8143fc64623f242ec8d418b19724b00 Mon Sep 17 00:00:00 2001 From: Aayush Rajasekaran Date: Mon, 7 Nov 2022 20:39:31 +0000 Subject: [PATCH] Restrict internal APIs of all actors (#809) --- actors/cron/src/lib.rs | 3 ++- actors/cron/tests/cron_actor_test.rs | 1 + actors/paych/src/lib.rs | 3 ++- actors/paych/tests/paych_actor_test.rs | 4 ++++ actors/power/src/lib.rs | 5 +++-- actors/power/tests/harness/mod.rs | 1 + actors/reward/src/lib.rs | 5 +++-- actors/reward/tests/reward_actor_test.rs | 1 + actors/system/src/lib.rs | 5 ++++- 9 files changed, 21 insertions(+), 7 deletions(-) diff --git a/actors/cron/src/lib.rs b/actors/cron/src/lib.rs index 173aca0f5..c6d6661f1 100644 --- a/actors/cron/src/lib.rs +++ b/actors/cron/src/lib.rs @@ -2,7 +2,7 @@ // SPDX-License-Identifier: Apache-2.0, MIT use fil_actors_runtime::runtime::{ActorCode, Runtime}; -use fil_actors_runtime::{actor_error, cbor, ActorError, SYSTEM_ACTOR_ADDR}; +use fil_actors_runtime::{actor_error, cbor, restrict_internal_api, ActorError, SYSTEM_ACTOR_ADDR}; use fvm_ipld_encoding::tuple::*; use fvm_ipld_encoding::RawBytes; @@ -83,6 +83,7 @@ impl ActorCode for Actor { where RT: Runtime, { + restrict_internal_api(rt, method)?; match FromPrimitive::from_u64(method) { Some(Method::Constructor) => { Self::constructor(rt, cbor::deserialize_params(params)?)?; diff --git a/actors/cron/tests/cron_actor_test.rs b/actors/cron/tests/cron_actor_test.rs index bc92de96f..18609b0d6 100644 --- a/actors/cron/tests/cron_actor_test.rs +++ b/actors/cron/tests/cron_actor_test.rs @@ -114,6 +114,7 @@ fn epoch_tick_with_entries() { } fn construct_and_verify(rt: &mut MockRuntime, params: &ConstructorParams) { + rt.set_caller(*SYSTEM_ACTOR_CODE_ID, SYSTEM_ACTOR_ADDR); rt.expect_validate_caller_addr(vec![SYSTEM_ACTOR_ADDR]); let ret = rt.call::(1, &RawBytes::serialize(¶ms).unwrap()).unwrap(); assert_eq!(RawBytes::default(), ret); diff --git a/actors/paych/src/lib.rs b/actors/paych/src/lib.rs index 8299b6ea2..75d9a5091 100644 --- a/actors/paych/src/lib.rs +++ b/actors/paych/src/lib.rs @@ -4,7 +4,7 @@ use fil_actors_runtime::runtime::builtins::Type; use fil_actors_runtime::runtime::{ActorCode, Runtime}; use fil_actors_runtime::{ - actor_error, cbor, resolve_to_actor_id, ActorDowncast, ActorError, Array, + actor_error, cbor, resolve_to_actor_id, restrict_internal_api, ActorDowncast, ActorError, Array, }; use fvm_ipld_blockstore::Blockstore; use fvm_ipld_encoding::RawBytes; @@ -324,6 +324,7 @@ impl ActorCode for Actor { where RT: Runtime, { + restrict_internal_api(rt, method)?; match FromPrimitive::from_u64(method) { Some(Method::Constructor) => { Self::constructor(rt, cbor::deserialize_params(params)?)?; diff --git a/actors/paych/tests/paych_actor_test.rs b/actors/paych/tests/paych_actor_test.rs index 42afb0a36..969033e02 100644 --- a/actors/paych/tests/paych_actor_test.rs +++ b/actors/paych/tests/paych_actor_test.rs @@ -108,6 +108,7 @@ mod paych_constructor { #[test] fn actor_doesnt_exist_test() { let mut rt = construct_runtime(); + rt.set_caller(*INIT_ACTOR_CODE_ID, INIT_ACTOR_ADDR); rt.expect_validate_caller_type(vec![Type::Init]); let params = ConstructorParams { to: Address::new_id(TEST_PAYCH_ADDR), @@ -226,6 +227,7 @@ mod paych_constructor { ExitCode::OK, ); + rt.set_caller(*INIT_ACTOR_CODE_ID, INIT_ACTOR_ADDR); rt.expect_validate_caller_type(vec![Type::Init]); let params = ConstructorParams { from: non_id_addr, to: to_addr }; expect_abort( @@ -263,6 +265,7 @@ mod paych_constructor { ExitCode::OK, ); + rt.set_caller(*INIT_ACTOR_CODE_ID, INIT_ACTOR_ADDR); rt.expect_validate_caller_type(vec![Type::Init]); let params = ConstructorParams { from: from_addr, to: non_id_addr }; expect_abort( @@ -1198,6 +1201,7 @@ fn require_add_new_lane(rt: &mut MockRuntime, param: LaneParams) -> SignedVouche fn construct_and_verify(rt: &mut MockRuntime, sender: Address, receiver: Address) { let params = ConstructorParams { from: sender, to: receiver }; + rt.set_caller(*INIT_ACTOR_CODE_ID, INIT_ACTOR_ADDR); rt.expect_validate_caller_type(vec![Type::Init]); call(rt, METHOD_CONSTRUCTOR, &RawBytes::serialize(¶ms).unwrap()); rt.verify(); diff --git a/actors/power/src/lib.rs b/actors/power/src/lib.rs index 6229f61f0..21dc612b6 100644 --- a/actors/power/src/lib.rs +++ b/actors/power/src/lib.rs @@ -9,8 +9,8 @@ use ext::init; use fil_actors_runtime::runtime::builtins::Type; use fil_actors_runtime::runtime::{ActorCode, Runtime}; use fil_actors_runtime::{ - actor_error, cbor, make_map_with_root_and_bitwidth, ActorDowncast, ActorError, Multimap, - CRON_ACTOR_ADDR, INIT_ACTOR_ADDR, REWARD_ACTOR_ADDR, SYSTEM_ACTOR_ADDR, + actor_error, cbor, make_map_with_root_and_bitwidth, restrict_internal_api, ActorDowncast, + ActorError, Multimap, CRON_ACTOR_ADDR, INIT_ACTOR_ADDR, REWARD_ACTOR_ADDR, SYSTEM_ACTOR_ADDR, }; use fvm_ipld_encoding::RawBytes; use fvm_shared::address::Address; @@ -625,6 +625,7 @@ impl ActorCode for Actor { where RT: Runtime, { + restrict_internal_api(rt, method)?; match FromPrimitive::from_u64(method) { Some(Method::Constructor) => { Self::constructor(rt)?; diff --git a/actors/power/tests/harness/mod.rs b/actors/power/tests/harness/mod.rs index 50114a29c..5849e2b9c 100644 --- a/actors/power/tests/harness/mod.rs +++ b/actors/power/tests/harness/mod.rs @@ -101,6 +101,7 @@ pub struct Harness { impl Harness { pub fn construct(&self, rt: &mut MockRuntime) { + rt.set_caller(*SYSTEM_ACTOR_CODE_ID, SYSTEM_ACTOR_ADDR); rt.expect_validate_caller_addr(vec![SYSTEM_ACTOR_ADDR]); rt.call::(Method::Constructor as MethodNum, &RawBytes::default()).unwrap(); rt.verify() diff --git a/actors/reward/src/lib.rs b/actors/reward/src/lib.rs index e01a414b5..54c4f41d4 100644 --- a/actors/reward/src/lib.rs +++ b/actors/reward/src/lib.rs @@ -3,8 +3,8 @@ use fil_actors_runtime::runtime::{ActorCode, Runtime}; use fil_actors_runtime::{ - actor_error, cbor, ActorError, BURNT_FUNDS_ACTOR_ADDR, EXPECTED_LEADERS_PER_EPOCH, - STORAGE_POWER_ACTOR_ADDR, SYSTEM_ACTOR_ADDR, + actor_error, cbor, restrict_internal_api, ActorError, BURNT_FUNDS_ACTOR_ADDR, + EXPECTED_LEADERS_PER_EPOCH, STORAGE_POWER_ACTOR_ADDR, SYSTEM_ACTOR_ADDR, }; use fvm_ipld_encoding::RawBytes; @@ -223,6 +223,7 @@ impl ActorCode for Actor { where RT: Runtime, { + restrict_internal_api(rt, method)?; match FromPrimitive::from_u64(method) { Some(Method::Constructor) => { let param: Option = cbor::deserialize_params(params)?; diff --git a/actors/reward/tests/reward_actor_test.rs b/actors/reward/tests/reward_actor_test.rs index c303bb541..947d48fdc 100644 --- a/actors/reward/tests/reward_actor_test.rs +++ b/actors/reward/tests/reward_actor_test.rs @@ -340,6 +340,7 @@ fn construct_and_verify(curr_power: &StoragePower) -> MockRuntime { caller_type: *SYSTEM_ACTOR_CODE_ID, ..Default::default() }; + rt.set_caller(*SYSTEM_ACTOR_CODE_ID, SYSTEM_ACTOR_ADDR); rt.expect_validate_caller_addr(vec![SYSTEM_ACTOR_ADDR]); let ret = rt .call::( diff --git a/actors/system/src/lib.rs b/actors/system/src/lib.rs index f68d8e2f6..c7abe1af7 100644 --- a/actors/system/src/lib.rs +++ b/actors/system/src/lib.rs @@ -11,7 +11,9 @@ use num_derive::FromPrimitive; use num_traits::FromPrimitive; use fil_actors_runtime::runtime::{ActorCode, Runtime}; -use fil_actors_runtime::{actor_error, ActorContext, ActorError, AsActorError, SYSTEM_ACTOR_ADDR}; +use fil_actors_runtime::{ + actor_error, restrict_internal_api, ActorContext, ActorError, AsActorError, SYSTEM_ACTOR_ADDR, +}; #[cfg(feature = "fil-actor")] fil_actors_runtime::wasm_trampoline!(Actor); @@ -73,6 +75,7 @@ impl ActorCode for Actor { where RT: Runtime, { + restrict_internal_api(rt, method)?; match FromPrimitive::from_u64(method) { Some(Method::Constructor) => { Self::constructor(rt)?;