aragon · facuspagnuolo · Apr 24, 2019 · Apr 24, 2019 · Apr 24, 2019 · Apr 24, 2019
diff --git a/contracts/apps/AragonApp.sol b/contracts/apps/AragonApp.sol
@@ -20,6 +20,7 @@ import "../evmscript/EVMScriptRunner.sol";
 // are included so that they are automatically usable by subclassing contracts
 contract AragonApp is AppStorage, Autopetrified, VaultRecoverable, ReentrancyGuard, EVMScriptRunner, ACLSyntaxSugar {
     string private constant ERROR_AUTH_FAILED = "APP_AUTH_FAILED";
+    string private constant ERROR_CONTRACT_CALL_NOT_ALLOWED = "APP_CONTRACT_CALL_NOT_ALLOWED";
 
     modifier auth(bytes32 _role) {
         require(canPerform(msg.sender, _role, new uint256[](0)), ERROR_AUTH_FAILED);
@@ -31,6 +32,12 @@ contract AragonApp is AppStorage, Autopetrified, VaultRecoverable, ReentrancyGua
         _;
     }
 
+    modifier killSwitched {
+        bool _shouldDenyCall = kernel().killSwitch().shouldDenyCallingContract(_baseApp());
+        require(!_shouldDenyCall, ERROR_CONTRACT_CALL_NOT_ALLOWED);
+        _;
+    }
+
     /**
     * @dev Check whether an action can be performed by a sender for a particular role on this app
     * @param _sender Sender of the call
@@ -65,4 +72,12 @@ contract AragonApp is AppStorage, Autopetrified, VaultRecoverable, ReentrancyGua
         // Funds recovery via a vault is only available when used with a kernel
         return kernel().getRecoveryVault(); // if kernel is not set, it will revert
     }
+
+    /**
+    * @dev Get the address of the base implementation for the current app
+    * @return Address of the base implementation
+    */
+    function _baseApp() internal view returns (address) {
+        return kernel().getApp(KERNEL_APP_BASES_NAMESPACE, appId());
+    }
 }
diff --git a/contracts/factory/DAOFactory.sol b/contracts/factory/DAOFactory.sol
@@ -3,6 +3,8 @@ pragma solidity 0.4.24;
 import "../kernel/IKernel.sol";
 import "../kernel/Kernel.sol";
 import "../kernel/KernelProxy.sol";
+import "../kill_switch/IKillSwitch.sol";
+import "../kill_switch/IIssuesRegistry.sol";
 
 import "../acl/IACL.sol";
 import "../acl/ACL.sol";
@@ -13,6 +15,7 @@ import "./EVMScriptRegistryFactory.sol";
 contract DAOFactory {
     IKernel public baseKernel;
     IACL public baseACL;
+    IKillSwitch public baseKillSwitch;
     EVMScriptRegistryFactory public regFactory;
 
     event DeployDAO(address dao);
@@ -24,14 +27,22 @@ contract DAOFactory {
     * @param _baseACL Base ACL
     * @param _regFactory EVMScriptRegistry factory
     */
-    constructor(IKernel _baseKernel, IACL _baseACL, EVMScriptRegistryFactory _regFactory) public {
+    constructor(
+        IKernel _baseKernel,
+        IACL _baseACL,
+        IKillSwitch _baseKillSwitch,
+        EVMScriptRegistryFactory _regFactory
+    )
+        public
+    {
         // No need to init as it cannot be killed by devops199
         if (address(_regFactory) != address(0)) {
             regFactory = _regFactory;
         }
 
         baseKernel = _baseKernel;
         baseACL = _baseACL;
+        baseKillSwitch = _baseKillSwitch;
     }
 
     /**
@@ -40,38 +51,64 @@ contract DAOFactory {
     * @return Newly created DAO
     */
     function newDAO(address _root) public returns (Kernel) {
-        Kernel dao = Kernel(new KernelProxy(baseKernel));
+        Kernel dao = _newDAO();
 
         if (address(regFactory) == address(0)) {
             dao.initialize(baseACL, _root);
         } else {
             dao.initialize(baseACL, this);
+            _setupNewDaoPermissions(_root, dao);
+        }
 
-            ACL acl = ACL(dao.acl());
-            bytes32 permRole = acl.CREATE_PERMISSIONS_ROLE();
-            bytes32 appManagerRole = dao.APP_MANAGER_ROLE();
+        return dao;
+    }
 
-            acl.grantPermission(regFactory, acl, permRole);
+    /**
+    * @notice Create a new DAO with `_root` set as the initial admin and `_issuesRegistry` as the source of truth for kill-switch purpose
+    * @param _root Address that will be granted control to setup DAO permissions
+    * @param _issuesRegistry Address of the registry of issues that will be used in case of critical situations by the kill switch
+    * @return Newly created DAO
+    */
+    function newDAOWithKillSwitch(address _root, IIssuesRegistry _issuesRegistry) public returns (Kernel) {
+        Kernel dao = _newDAO();
 
-            acl.createPermission(regFactory, dao, appManagerRole, this);
+        if (address(regFactory) == address(0)) {
+            dao.initializeWithKillSwitch(baseACL, _root, baseKillSwitch, _issuesRegistry);
+        } else {
+            dao.initializeWithKillSwitch(baseACL, address(this), baseKillSwitch, _issuesRegistry);
+            _setupNewDaoPermissions(_root, Kernel(dao));
+        }
 
-            EVMScriptRegistry reg = regFactory.newEVMScriptRegistry(dao);
-            emit DeployEVMScriptRegistry(address(reg));
+        return dao;
+    }
 
-            // Clean up permissions
-            // First, completely reset the APP_MANAGER_ROLE
-            acl.revokePermission(regFactory, dao, appManagerRole);
-            acl.removePermissionManager(dao, appManagerRole);
+    function _newDAO() internal returns (Kernel) {
+        Kernel dao = Kernel(new KernelProxy(baseKernel));
+        emit DeployDAO(address(dao));
+        return dao;
+    }
 
-            // Then, make root the only holder and manager of CREATE_PERMISSIONS_ROLE
-            acl.revokePermission(regFactory, acl, permRole);
-            acl.revokePermission(this, acl, permRole);
-            acl.grantPermission(_root, acl, permRole);
-            acl.setPermissionManager(_root, acl, permRole);
-        }
+    function _setupNewDaoPermissions(address _root, Kernel _dao) internal {
+        ACL acl = ACL(_dao.acl());
+        bytes32 permRole = acl.CREATE_PERMISSIONS_ROLE();
+        bytes32 appManagerRole = _dao.APP_MANAGER_ROLE();
 
-        emit DeployDAO(address(dao));
+        acl.grantPermission(regFactory, acl, permRole);
 
-        return dao;
+        acl.createPermission(regFactory, _dao, appManagerRole, this);
+
+        EVMScriptRegistry reg = regFactory.newEVMScriptRegistry(_dao);
+        emit DeployEVMScriptRegistry(address(reg));
+
+        // Clean up permissions
+        // First, completely reset the APP_MANAGER_ROLE
+        acl.revokePermission(regFactory, _dao, appManagerRole);
+        acl.removePermissionManager(_dao, appManagerRole);
+
+        // Then, make root the only holder and manager of CREATE_PERMISSIONS_ROLE
+        acl.revokePermission(regFactory, acl, permRole);
+        acl.revokePermission(this, acl, permRole);
+        acl.grantPermission(_root, acl, permRole);
+        acl.setPermissionManager(_root, acl, permRole);
     }
 }
diff --git a/contracts/kernel/IKernel.sol b/contracts/kernel/IKernel.sol
@@ -5,6 +5,7 @@
 pragma solidity ^0.4.24;
 
 import "../acl/IACL.sol";
+import "../kill_switch/IKillSwitch.sol";
 import "../common/IVaultRecoverable.sol";
 
 
@@ -16,6 +17,7 @@ interface IKernelEvents {
 // This should be an interface, but interfaces can't inherit yet :(
 contract IKernel is IKernelEvents, IVaultRecoverable {
     function acl() public view returns (IACL);
+    function killSwitch() public view returns (IKillSwitch);
     function hasPermission(address who, address where, bytes32 what, bytes how) public view returns (bool);
 
     function setApp(bytes32 namespace, bytes32 appId, address app) public;

diff --git a/contracts/kernel/Kernel.sol b/contracts/kernel/Kernel.sol
@@ -10,6 +10,8 @@ import "../common/IsContract.sol";
 import "../common/Petrifiable.sol";
 import "../common/VaultRecoverable.sol";
 import "../factory/AppProxyFactory.sol";
+import "../kill_switch/IKillSwitch.sol";
+import "../kill_switch/IIssuesRegistry.sol";
 import "../lib/misc/ERCProxy.sol";
 
 
@@ -54,6 +56,27 @@ contract Kernel is IKernel, KernelStorage, KernelAppIds, KernelNamespaceConstant
         recoveryVaultAppId = KERNEL_DEFAULT_VAULT_APP_ID;
     }
 
+    /**
+    * @dev Initialize can only be called once. It saves the block number in which it was initialized.
+    * @notice Initialize this kernel instance, its ACL setting `_permissionsCreator` as the entity that can create other permissions, and a KillSwitch instance setting `_issuesRegistry
+    * @param _baseAcl Address of base ACL app
+    * @param _permissionsCreator Entity that will be given permission over createPermission
+    * @param _baseKillSwitch Address of base KillSwitch app
+    * @param _issuesRegistry Issues registry that will act as the default source of truth to provide info about applications issues
+    */
+    function initializeWithKillSwitch(IACL _baseAcl, address _permissionsCreator, IKillSwitch _baseKillSwitch, IIssuesRegistry _issuesRegistry)
+        public onlyInit
+    {
+        // Set and create ACL app
+        initialize(_baseAcl, _permissionsCreator);
+
+        // Set and create KillSwitch app
+        _setApp(KERNEL_APP_BASES_NAMESPACE, KERNEL_DEFAULT_KILL_SWITCH_APP_ID, _baseKillSwitch);
+        IKillSwitch killSwitch = IKillSwitch(newAppProxy(this, KERNEL_DEFAULT_KILL_SWITCH_APP_ID));
+        killSwitch.initialize(_issuesRegistry);
+        _setApp(KERNEL_APP_ADDR_NAMESPACE, KERNEL_DEFAULT_KILL_SWITCH_APP_ID, killSwitch);
+    }
+
     /**
     * @dev Create a new instance of an app linked to this kernel
     * @notice Create a new upgradeable instance of `_appId` app linked to the Kernel, setting its code to `_appBase`
@@ -169,6 +192,7 @@ contract Kernel is IKernel, KernelStorage, KernelAppIds, KernelNamespaceConstant
     function APP_ADDR_NAMESPACE() external pure returns (bytes32) { return KERNEL_APP_ADDR_NAMESPACE; }
     function KERNEL_APP_ID() external pure returns (bytes32) { return KERNEL_CORE_APP_ID; }
     function DEFAULT_ACL_APP_ID() external pure returns (bytes32) { return KERNEL_DEFAULT_ACL_APP_ID; }
+    function DEFAULT_KILL_SWITCH_APP_ID() external pure returns (bytes32) { return KERNEL_DEFAULT_KILL_SWITCH_APP_ID; }
     /* solium-enable function-order, mixedcase */
 
     /**
@@ -197,6 +221,14 @@ contract Kernel is IKernel, KernelStorage, KernelAppIds, KernelNamespaceConstant
         return IACL(getApp(KERNEL_APP_ADDR_NAMESPACE, KERNEL_DEFAULT_ACL_APP_ID));
     }
 
+    /**
+    * @dev Get the installed KillSwitch app
+    * @return KillSwitch app
+    */
+    function killSwitch() public view returns (IKillSwitch) {
+        return IKillSwitch(getApp(KERNEL_APP_ADDR_NAMESPACE, KERNEL_DEFAULT_KILL_SWITCH_APP_ID));
+    }
+
     /**
     * @dev Function called by apps to check ACL on kernel or to check permission status
     * @param _who Sender of the original call

diff --git a/contracts/kernel/KernelConstants.sol b/contracts/kernel/KernelConstants.sol
@@ -10,10 +10,12 @@ contract KernelAppIds {
     bytes32 internal constant KERNEL_CORE_APP_ID = apmNamehash("kernel");
     bytes32 internal constant KERNEL_DEFAULT_ACL_APP_ID = apmNamehash("acl");
     bytes32 internal constant KERNEL_DEFAULT_VAULT_APP_ID = apmNamehash("vault");
+    bytes32 internal constant KERNEL_DEFAULT_KILL_SWITCH_APP_ID = apmNamehash("killSwitch");
     */
     bytes32 internal constant KERNEL_CORE_APP_ID = 0x3b4bf6bf3ad5000ecf0f989d5befde585c6860fea3e574a4fab4c49d1c177d9c;
     bytes32 internal constant KERNEL_DEFAULT_ACL_APP_ID = 0xe3262375f45a6e2026b7e7b18c2b807434f2508fe1a2a3dfb493c7df8f4aad6a;
     bytes32 internal constant KERNEL_DEFAULT_VAULT_APP_ID = 0x7e852e0fcfce6551c13800f1e7476f982525c2b5277ba14b24339c68416336d1;
+    bytes32 internal constant KERNEL_DEFAULT_KILL_SWITCH_APP_ID = 0x05b6cbc146cecc3a8014843768ab6e17332ef00418da7f6babf4ea94c76ab6a1;
 }
 
 

diff --git a/contracts/kill_switch/IIssuesRegistry.sol b/contracts/kill_switch/IIssuesRegistry.sol
@@ -0,0 +1,16 @@
+pragma solidity 0.4.24;
+
+
+contract IIssuesRegistry {
+    enum Severity { None, Low, Mid, High, Critical }
+
+    event SeveritySet(address indexed entry, Severity severity, address sender);
+
+    function initialize() external;
+
+    function setSeverityFor(address entry, Severity severity) external;
+
+    function isSeverityFor(address entry) public view returns (bool);
+
+    function getSeverityFor(address entry) public view returns (Severity);
+}
diff --git a/contracts/kill_switch/IKillSwitch.sol b/contracts/kill_switch/IKillSwitch.sol
@@ -0,0 +1,10 @@
+pragma solidity 0.4.24;
+
+import "./IIssuesRegistry.sol";
+
+
+contract IKillSwitch {
+    function initialize(IIssuesRegistry _issuesRegistry) external;
+
+    function shouldDenyCallingContract(address _contract) external returns (bool);
+}
diff --git a/contracts/kill_switch/IssuesRegistry.sol b/contracts/kill_switch/IssuesRegistry.sol
@@ -0,0 +1,28 @@
+pragma solidity 0.4.24;
+
+import "../apps/AragonApp.sol";
+import "./IIssuesRegistry.sol";
+
+
+contract IssuesRegistry is IIssuesRegistry, AragonApp {
+    bytes32 constant public SET_ENTRY_SEVERITY_ROLE = keccak256("SET_ENTRY_SEVERITY_ROLE");
+
+    mapping (address => Severity) internal issuesSeverity;
+
+    function initialize() external onlyInit {
+        initialized();
+    }
+
+    function setSeverityFor(address entry, Severity severity) external authP(SET_ENTRY_SEVERITY_ROLE, arr(entry, msg.sender)) {
+        issuesSeverity[entry] = severity;
+        emit SeveritySet(entry, severity, msg.sender);
+    }
+
+    function isSeverityFor(address entry) public view isInitialized returns (bool) {
+        return issuesSeverity[entry] != Severity.None;
+    }
+
+    function getSeverityFor(address entry) public view isInitialized returns (Severity) {
+        return issuesSeverity[entry];
+    }
+}