Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow polkadotXcm.send #1150

Merged
merged 1 commit into from
Jul 31, 2023
+14 −6
Merged

feat: allow polkadotXcm.send #1150

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions parachain/runtime/interlay/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,11 +197,15 @@ impl Contains<RuntimeCall> for BaseCallFilter {
) {
// always allow core calls
true
} else if let RuntimeCall::PolkadotXcm(_) = call {
// For security reasons, disallow usage of the xcm package by users. Sudo and
} else if let RuntimeCall::PolkadotXcm(polkadot_xcm_call) = call {
// For security reasons, disallow most usage of the xcm package by users. Sudo and
// governance are still able to call these (sudo is explicitly white-listed, while
// governance bypasses this call filter).
false

// We do allow PolkadotXcm.send - it's needed for e.g. wormhole interactions on
// moonbeam/moonriver. We could probably also allow other functions, but this way
// we don't need to worry about security implications of these functions
matches!(polkadot_xcm_call, pallet_xcm::Call::<Runtime>::send { .. })
} else if let RuntimeCall::EVM(_) = call {
// disable non-root EVM access
false
Expand Down
10 changes: 7 additions & 3 deletions parachain/runtime/kintsugi/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,11 +196,15 @@ impl Contains<RuntimeCall> for BaseCallFilter {
) {
// always allow core calls
true
} else if let RuntimeCall::PolkadotXcm(_) = call {
// For security reasons, disallow usage of the xcm package by users. Sudo and
} else if let RuntimeCall::PolkadotXcm(polkadot_xcm_call) = call {
// For security reasons, disallow most usage of the xcm package by users. Sudo and
// governance are still able to call these (sudo is explicitly white-listed, while
// governance bypasses this call filter).
false

// We do allow PolkadotXcm.send - it's needed for e.g. wormhole interactions on
// moonbeam/moonriver. We could probably also allow other functions, but this way
// we don't need to worry about security implications of these functions
matches!(polkadot_xcm_call, pallet_xcm::Call::<Runtime>::send { .. })
} else if let RuntimeCall::EVM(_) = call {
// disable non-root EVM access
false
Expand Down
Loading