Privilege system for syscalls

[raulk]

We currently don't have an ACL/permissioning/privilege system for syscalls. Ideally we wouldn't need it, but Filecoin is different to other chains in the sense that there's significant functionality contained in built-in actors, some which needs to perform side-effects that should not be available to user-defined actors. Examples:

• gas::charge_gas (attempt to refactor in Clean up and simplify gas functionality #442, but likely not landing)
• actor::create_actor in its current form (explicitly taking an ActorID), although we could also modify this syscall to return the ActorID (correct way)
• Potentially some proof verification functions used only by the miner actor, which presumably have no direct applicability outside the miner actor. Other actors would probably query the state of the miner actor instead of verifying proofs explicitly.

None of this is a problem for M1, since it doesn't support the installation and deployment of user-defined actors. However, we could lay out the groundwork ahead of time.

[Stebalien]

Implementation wise, we have two ways to check this:

1. On call, we can check the caller.
2. On instantiation of the execution container by simply not making the syscalls available.

I'd much prefer the latter.

[raulk]

I also prefer (2). But worthy to note that it'll lead to an ugly, unhandled panic instead of an ErrSysIllegalInstruction (which is what I maybe would expect)?

[Stebalien]

Actually, it should just mean the actor will fail to instantiate. We can even check this at deploy time. Actors declare their imports.

[Stebalien]

Punted to M2.2 because this isn't a security issue for M2.1. The EVM actor literally doesn't import any privileged methods, so they're statically uncallable (even if there were a bug in the EVM).