fix(capsule): preserve device attenuation in dispatch#1240
Open
joshuajbouw wants to merge 14 commits into
Open
fix(capsule): preserve device attenuation in dispatch#1240joshuajbouw wants to merge 14 commits into
joshuajbouw wants to merge 14 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates capsule dispatch to carry the authenticated device scope into access resolution so dispatch decisions (candidate expansion, execution gating, and grant signalling) reflect the same attenuated authority enforced at the kernel boundary (Issue #1239 / RFC #36).
Changes:
- Thread
device_key_idthrough dispatcher matching and resolve a single immutable (principal/profile/groups/device-scope) access snapshot per stamped event. - Enforce fail-closed behavior for disabled/invalid/unknown/revoked identities before interceptor matching and before emitting
GrantRequired. - Add a dedicated regression suite covering device-scoped inventory vs execution authority and legacy no-resolver behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| crates/astrid-capsule/src/dispatcher.rs | Carries device key id into matching, resolves per-event access snapshot, and updates candidate expansion + grant-on-use behavior. |
| crates/astrid-capsule/src/dispatcher_tests.rs | Updates existing tests to the new find_matching_interceptors signature. |
| crates/astrid-capsule/src/dispatcher_device_scope_tests.rs | Adds device-scope focused dispatch regression tests (inventory vs execution, invalid identities, legacy path). |
| crates/astrid-capsule/src/access.rs | Introduces ResolvedCapsuleAccess snapshot and device-scoped capability evaluation for capsule:list and capsule:access:any. |
| CHANGELOG.md | Documents the security behavior change under [Unreleased]. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
5b5cbcd to
b93409c
Compare
8a8b18c to
81db358
Compare
81db358 to
76e7291
Compare
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Linked Issue
Closes #1239
Depends on #1238. Refs #1237 and astrid-runtime/rfcs#36.
Summary
Carries the authenticated device into capsule dispatch so execution and inventory use the same live authority already enforced at the kernel boundary. The change is generic to Astrid and introduces no product-specific role or trust path.
Changes
capsule:listonly for global describe visibilitycapsule:access:anyfor unrestricted execution and candidate expansionFullbehavior, and unprincipled lifecycle dispatchGrantRequiredonly for a valid in-view denied matchVerification
cargo fmt --all -- --checkgit diff --checkFull, scoped allow/deny, direct exact-capability authority, explicit capsule grants, disabled/invalid/revoked identities, group snapshot changes, grant signalling, and the no-resolver pathDependency handling
This PR targets
main. Its current diff includes #1238, which must land first; GitHub will then narrow this PR. RFC #36 is design context, not a merge dependency for this fail-closed correction.Checklist
[Unreleased]