feat(ses): Vetted shims

[kriskowal]

Closes #422

This change separates out the internal phases of lockdown: repairIntrinsics() and hardenIntrinsics().

[kriskowal]

Developer log (draft):

I’m attempting to make it clearer that ses is itself a stack of shims, so I’ve refactored index.js to reflect that and hope to break it down further. I’ve also attempted to factor x.js and x-shim.js modules such that x.js implements the behavior in a way that might be used without shimming.

In the course of doing this, it became clear that the errors sub-section should not be using ambient types. I’ve attempted to correct this. I’m stopping for now at this yak:

$ tsc
types.test-d.ts:91:1 - error TS2775: Assertions require every name in the call target to be declared with an explicit type annotation.

91 assert.typeof(10.1, 'number');
...

[kriskowal]

I managed to getting vetted shims implemented without refactoring ambient types. Or rather, I managed to keep that work out of this pull request for purposes of limiting the scope of review and will submit that cleanup separately.

[kriskowal]

For reviewers: I’ve created an initial commit that renames lockdown-shim.js and compartment-shim.js to lockdown.js and compartment.js so that the subsequent commit’s diff clearly illustrates that all of the shim behavior was extracted from those modules and moved into the (new) adjacent -shim.js layering.

[kriskowal]

Moves to a new assert-sloppy-mode.js, as imported by lockdown-shim.js to ensure it runs first and fails fast.

[kriskowal]

Moves to compartment-shim.js

[kriskowal]

Moves to lockdown-shim.js

[kriskowal]

Moves to assert-shim.js

[kriskowal]

Moves to compartment-shim.js

[kriskowal]

I’ve moved all of the globalThis assignment behaviors into the shim to decontaminate the non-shim modules.

So, note that the global repairIntrinsics doesn’t return hardenIntrinsics and the global hardenIntrinsics does not return harden, but the internal versions perform this cascade.

hardenIntrinsics did not previously return harden.

[leotm]

we should update docs too right (mb better as follow-up)

• https://github.com/endojs/endo/blob/master/packages/ses/docs/guide.md
• https://github.com/endojs/endo/blob/master/packages/ses/docs/reference.md

so lockdown and harden relevant parts then add repair section

can prob reuse bits from the well-written issue description too

[kriskowal]

I’ve added a commit with documentation changes and the update for the change log. Thank you!

[erights]

just doc comments so far. rest coming but will take longer.

[erights]

Suggested change

	And, an application that choses to call these also has the option of running
	An application that choses to call these also has the option of running

I'll do things like a jarring initial "And, " when it adds enough meaning to be worth it. I don't think it is here.

[erights]

Need to be explicit that this is the post-repairIntrinsics behavior of Compartment. In our system as it is now, or as it is as of this PR, what is the status of Compartment before repairIntrinsics? I'm probably happy with any answer for now, since I only really care about after repairIntrinsics. But we should be explicit somewhere. If we are explicit elsewhere, can we link to it from here?

[kriskowal]

Compartment exists before repairIntrinsics and the only current difference is that the intrinsics are not hardened. Compartments constructed before repairIntrinsics do not guarantee confinement even after repairIntrinsics.

[erights]

It is even more important that this example import sequence appear in the guide. This is the use pattern we should generally encourage.

[erights]

What about https://github.com/endojs/endo/blob/master/packages/ses/docs/lockdown.md ?

Should "Lockdown options" be renamed? What about LOCKDOWN_* environment variables?

IMO the env vars do not need to be renamed. The doc should at least be clear about what these options mean in the new world.

[kriskowal]

In the type definition, I took the liberty of renaming LockdownOptions to RepairOptions and leaving an alias for backward compatibility. I agree that we do not need to change the names of the environment variables, or even really call attention to repairIntrinsics() unless it’s needed.

[kriskowal]

Question for reviewers: do we need to tackle making harden available after repairIntrinsics but before hardenIntrinsics with the queuing behavior? The heart of this question is whether it’s necessary and whether we can expect any environment to repair but not harden indefinitely.

On the question of necessity, a vetted shim could be divided into layers that run before and after hardenIntrinsics(). So, I’d argue it’s not necessary but might make for better ergonomics once we start implementing hardened shims.

I also don’t think repairing but not hardening intrinsics is coherent, but I might be forgetting something.

[erights]

Question for reviewers: do we need to tackle making harden available after repairIntrinsics but before hardenIntrinsics with the queuing behavior? The heart of this question is whether it’s necessary and whether we can expect any environment to repair but not harden indefinitely.

On the question of necessity, a vetted shim could be divided into layers that run before and after hardenIntrinsics(). So, I’d argue it’s not necessary but might make for better ergonomics once we start implementing hardened shims.

I also don’t think repairing but not hardening intrinsics is coherent, but I might be forgetting something.

How we want to bridge harden per-vs-post hardenIntrinsics is still an open design issue.
Let's keep this PR conservative without painting ourselves into any corners. I think the best way to do that is for hardenIntrinsics to introduce harden for now, but with a note that you should not count on harden being absent prior to hardenIntrinsics. In the future, some attenuated form of harden may exist between repairIntrinsics and hardenIntrinsics.

If we already have an issue where we're discussing that open design issue, we should link to it.

[mhofman]

Agreed with @erights. Let's not introduce some queuing behavior for harden that may not be part of the final design. I am ok with requiring shims to run a part post hardenIntrinsics for now. Maybe we should consider for harden to throw before hardenIntrinsics is called (which I believe is currently the behavior of XS's harden implementation before lockdown is called).

To be clear: a world where shims explicitly harden after hardenIntrinsics is forward compatible with a world where a pre-hardenIntrinsics vetted shim is able to use some version of harden and avoid running a post-hardenIntrinsics step.

[erights]

Maybe we should consider for harden to throw before ...

Also fine with me. Even better because the diagnostic can help set expectations. My favorite word for such messages is "yet" ;)

[erights]

OTOH, absence would make feature testing pleasant. I'm ok either way.

[kriskowal]

I’m settling on the current state: presence of globalThis.harden is a reliable signal that it’s available for use. I think this is more likely to be consistent with the @endo/harden ponyfill @mhofman and I have been discussing, and is the more reversible option.

[erights]

For reviewers: I’ve created an initial commit that renames lockdown-shim.js and compartment-shim.js to lockdown.js and compartment.js so that the subsequent commit’s diff clearly illustrates that all of the shim behavior was extracted from those modules and moved into the (new) adjacent -shim.js layering.

Thank you! I was reviewing the overall differences until I got to one of those. I'm surprised that github diff loses the mv behavior for the overall diffs, but it does. Your separation is a lifesaver.

[erights]

LGTM!!!!

I love that we can get this into the next endo release. Awesome!

[erights]

Please comment that we preserve LockdownOptions only for legacy compat. Perhaps deprecate?