Skip to content

Apply device attenuation to every kernel authority view #1237

Description

@joshuajbouw

Problem

Primary kernel request checks apply the authenticating device scope, but several secondary authority decisions rebuild principal authority without that device context. A scoped device can therefore receive a broader capsule, principal, or group view than its effective authority permits. A scoped pair request with bare allow = ["*"] is also equivalent to unattenuated authority and must use the full-scope privilege gate.

Scope

  • use one typed device-scope resolver for primary and secondary checks
  • apply device attenuation to capsule inventory visibility
  • apply device attenuation to global principal and group visibility
  • require effective self:auth:pair:admin for a scoped pair request containing bare *
  • preserve the self:* use-only preset
  • deny malformed, unknown, or revoked device IDs
  • preserve current no-device and Full behavior

Non-goals

  • no public API, WIT, HTTP, IPC, or serialized wire change
  • no product-specific identity or trust path
  • no capability-registry activation or persisted-policy migration
  • capsule dispatcher and gateway audit-probe changes remain separately scoped

Acceptance criteria

  • an attenuated admin device cannot gain global capsule, principal, or group visibility unless its scope admits the exact global capability
  • a scoped pair request with bare * cannot bypass the pair-admin requirement
  • an issuer's own device denies constrain every child scope
  • focused kernel regressions cover no-device, Full, scoped, malformed, unknown, and revoked device cases
  • formatting, kernel tests, clippy, and repository CI pass

Tracks #1228 and astrid-runtime/rfcs#36.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions