wasm: capability restriction #13911
@@ -18,6 +18,28 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; | |
// [#protodoc-title: Wasm] | ||
// [#extension: envoy.bootstrap.wasm] | ||
|
||
// Configuration for restricting Proxy-Wasm capabilities available to modules. | ||
message CapabilityRestrictionConfig { | ||
// The Proxy-Wasm capabilities which will be allowed. Capabilities are mapped by | ||
// name. The *SanitizationConfig* which each capability maps to is currently unimplemented and ignored, | ||
// and so should be left empty. | ||
// | ||
// The capability names are given in the | ||
// `Proxy-Wasm ABI <https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT>`_. | ||
// Additionally, the following WASI capabilities from | ||
// `this list <https://github.com/WebAssembly/WASI/blob/master/phases/snapshot/docs.md#modules>`_ | ||
// are implemented and can be allowed: | ||
// *fd_write*, *fd_read*, *fd_seek*, *fd_close*, *fd_fdstat_get*, *environ_get*, *environ_sizes_get*, | ||
// *args_get*, *args_sizes_get*, *proc_exit*, *clock_time_get*, *random_get*. | ||
map<string, SanitizationConfig> allowed_capabilities = 1; | ||
should this be
same goes for proxy-wasm-cpp-host side PR
The keys in the map are always allowed capabilities, so I think the name is still accurate. The
ah, right. Thanks
||
} | ||
|
||
// Configuration for sanitization of inputs to an allowed capability. | ||
// | ||
// NOTE: This is currently unimplemented. | ||
message SanitizationConfig { | ||
} | ||
|
||
// Configuration for a Wasm VM. | ||
// [#next-free-field: 7] | ||
message VmConfig { | ||
|
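Review bot: the doc comment above `map<string, SanitizationConfig> allowed_capabilities = 1;` says the value "should be left empty" but does not say what happens when it is not; since the value is described as "unimplemented and ignored", a user who sets one expecting input sanitization gets none, silently. Either reject a non-empty `SanitizationConfig` in config validation or state plainly that any value is ignored. The same comment should also define the map's own semantics, which are the whole point of this message: whether an empty map denies every capability (as opposed to an unset `CapabilityRestrictionConfig` meaning no restriction), and what a module experiences when it calls a capability whose name is absent from the map. Minor: the link targets `abi-versions/vNEXT`, which will move as the spec evolves; pin to a released ABI version where possible.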
@@ -74,7 +96,7 @@ message VmConfig { | |
} | ||
|
||
// Base Configuration for Wasm Plugins e.g. filters and services. | ||
// [#next-free-field: 6] | ||
// [#next-free-field: 7] | ||
message PluginConfig { | ||
// A unique name for a filters/services in a VM for use in identifying the filter/service if | ||
// multiple filters/services are handled by the same *vm_id* and *root_id* and for | ||
|
@@ -105,6 +127,9 @@ message PluginConfig { | |
// during xDS updates the xDS configuration will be rejected and when on_start or on_configuration return false on initial | ||
// startup the proxy will not start. | ||
bool fail_open = 5; | ||
|
||
// Configuration for restricting Proxy-Wasm capabilities available to modules. | ||
CapabilityRestrictionConfig capability_restriction_config = 6; | ||
} | ||
|
||
// WasmService is configured as a built-in *envoy.wasm_service* :ref:`WasmService | ||
|
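Review bot: the comment on the new `CapabilityRestrictionConfig capability_restriction_config = 6;` field repeats the message-level one-liner and does not document behaviour when the field is unset (presumably no restriction, preserving current behaviour) or how a call to a capability not listed in `allowed_capabilities` is handled at runtime, e.g. whether it traps the VM and whether the `bool fail_open = 5;` directly above applies to that failure. Document both here, since an operator reads this field to judge whether turning on restriction can take a running filter down.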
everything listed here except fd_write, clock_time_get, get_random is not supported actually as you can see, for instance, https://github.com/proxy-wasm/proxy-wasm-cpp-host/blob/master/src/exports.cc#L727-L732 . Also clock_time_get and get_random are implemented now https://github.com/proxy-wasm/proxy-wasm-cpp-host/blob/master/src/exports.cc#L804-L829 . And in the future, we may support get_environ since there's a feature request in the multiple SDK repositories, proxy-wasm/spec#19.
Even though the host implementation of WASI is indeed a bunch of mostly non-working (but adhering to spec) stubs, modules compiled against WASI want to import them, and this PR is purely about allowing/rejecting such calls.