Stream: general

Topic: wasi with access to only part of the filesystem


view this post on Zulip Léo Gaspard (May 07 2020 at 20:28):

Hello,

Just wanted to check, as I'm not sure I understand the whole implementation of the wasmtime-wasi crate, and the documentation is sparse: if I never call preopen_dir nor preopened_virt, then the guest will have access to none of the filesystem, and if I call preopen_dir then it will have access only to what is inside dir and nothing outside (eg. by passing paths such as .. relative to dir).

Am I correctly understanding these security properties?

Also, thank you for wasmtime! I'm still in the exploratory phase so haven't actually started using it yet, but it looks great!

view this post on Zulip Yury Delendik (May 07 2020 at 20:32):

Looking at https://github.com/bytecodealliance/wasmtime/blob/master/docs/WASI-tutorial.md#executing-in-wasmtime-runtime , you have to provide --dir=. so looks like there is no default preopens

Standalone JIT-style runtime for WebAssembly, using Cranelift - bytecodealliance/wasmtime

view this post on Zulip Yury Delendik (May 07 2020 at 20:36):

so that's a correct description of the properties

view this post on Zulip Léo Gaspard (May 07 2020 at 20:47):

Great, thank you!


Last updated: Dec 23 2024 at 13:07 UTC