I'm just getting into wasmtime (I'm part of the Enarx project - https://enarx.io), and I'm starting to try out some bits and pieces. One of the things I'm playing with is Directory and VirtualDirectory creation. This works as expected (once I worked out what "expected" should be!), but it raised a set of questions in my mind, which I hope aren't too stupid. If there's documentation I've missed, or if this question is best asked in another stream, then please let me know.
In order to allow a workload to access a Directory, it needs to be granted the capability to do so. This is a Good Thing[tm], obviously. What I'm specifically interested in is whether there's a way to see, for a particular WasiCtx, what capabilities have been granted. This seems like an obvious thing to be able to check - one might even want to revoke capabilities at runtime on occasion. My understanding of the Directory capability granting in https://github.com/bytecodealliance/wasmtime/blob/master/crates/wasi-common/src/ctx.rs is that a Directory is just added: there's no accounting going on. Am I missing something at a different level? Is this something which has come up elsewhere? Is it something to propose?
Sorry if this is appallingly n00b: I promise to read anything I'm sent to look, at but I couldn't track down an answer with ease.
Many thanks,
-Mike.
CC @Dan Gohman @Luke Wagner @Alex Crichton
@Mike Bursell WasiCtx
's entries
member holds all the capabilities for a WasiCtx
, but we don't yet have APIs for users to query that information or revoke capabilities
I think it would pretty straightforward to add such APIs.
For revocation, one thing to think about is whether we should track which capabilities a given capability is derived from, eg. which directory a file was opened from, so that if the user revokes a capability, we could revoke everything derived from it
Thanks for the pointers. I'll have a look and a think before replying in any further detail.
Last updated: Dec 23 2024 at 13:07 UTC