Stream: git-wasmtime

Topic: wasmtime / issue #6227 wasmtime symlink resolution policy...


Wasmtime GitHub notifications bot (Apr 18 2023 at 03:00):

TerrorJack labeled issue #6227:

Test Case

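#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
  /* argv[1] is the directory that contains the "bar" symlink. */
  if (argc < 2) {
    fprintf(stderr, "usage: %s <dir>\n", argv[0]);
    return EXIT_FAILURE;
  }
  if (chdir(argv[1]) != 0) {
    perror("chdir");
    return EXIT_FAILURE;
  }
  /* Opening "bar" makes the runtime resolve the symlink. */
  if (fopen("bar", "rb") == NULL) {
    int err = errno; /* save errno before perror() can change it */
    perror("fopen");
    exit(err);
  }
  return 0;
}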

Steps to Reproduce

Use wasi-sdk to compile & link foo.c above to foo.wasm, then:

$ touch /tmp/bar
$ ln -s /tmp/bar bar
$ wasmtime run --mapdir /::/ -- foo.wasm $PWD

Actual Results

The example above would fail with Operation not permitted. However, I've explicitly passed --mapdir /::/ to wasmtime, so the entire host filesystem should be visible within the wasm module, and symlink resolution from $PWD/bar to /tmp/bar should work out of the box.

Versions and Environment

Wasmtime version or commit: wasmtime-cli 7.0.0

Operating system: Ubuntu 22.10

Architecture: x86_64

Wasmtime GitHub notifications bot (Apr 18 2023 at 03:22):

pchickey commented on issue #6227:

This may be the prohibition on absolute symlinks. If you instead ln -s ../../tmp/bar bar, does it work?

Wasmtime GitHub notifications bot (Apr 18 2023 at 23:26):

TerrorJack commented on issue #6227:

It works with ../../tmp/bar. But still, this looks like a bug to me. Why does wasmtime unconditionally prohibit absolute symlinks even if the resolved result belongs to a mapped host directory?
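
Added example, not part of the issue thread and not Wasmtime's code: a simplified Rust model of the policy discussed above, in which a symlink with an absolute target is refused while a relative target that stays under the preopened directory resolves. It goes beyond the thread by also rejecting `..` chains that climb above the preopen; the `resolve` function, the link table and the `home/user` layout are constructed assumptions.

```rust
use std::collections::{HashMap, VecDeque};

// Simplified model (an assumption, not Wasmtime's code): resolve `path`
// relative to a preopened directory. `links` maps a location inside the
// preopen to the target string stored in the symlink at that location.
fn resolve(links: &HashMap<&str, &str>, path: &str) -> Result<String, &'static str> {
    if path.starts_with('/') {
        return Err("absolute path");
    }
    let mut pending: VecDeque<String> = path.split('/').map(String::from).collect();
    let mut done: Vec<String> = Vec::new();
    let mut hops = 0;
    while let Some(part) = pending.pop_front() {
        match part.as_str() {
            "" | "." => continue,
            // Walking above the preopen would leave the sandbox.
            ".." => match done.pop() {
                Some(_) => continue,
                None => return Err("escapes preopened directory"),
            },
            name => done.push(name.to_string()),
        }
        let here = done.join("/");
        if let Some(target) = links.get(here.as_str()) {
            // Policy from the thread: an absolute target is refused outright,
            // even when it would land inside the preopen.
            if target.starts_with('/') {
                return Err("absolute symlink");
            }
            hops += 1;
            if hops > 40 {
                return Err("too many symlinks");
            }
            done.pop(); // a relative target is resolved from the link's directory
            for p in target.rsplit('/') {
                pending.push_front(p.to_string());
            }
        }
    }
    Ok(done.join("/"))
}

fn main() {
    // Constructed layout: preopen = host "/", $PWD = home/user, as with --mapdir /::/.
    for target in ["/tmp/bar", "../../tmp/bar", "../../../tmp/bar"] {
        let links = HashMap::from([("home/user/bar", target)]);
        println!("{target:>18} -> {:?}", resolve(&links, "home/user/bar"));
    }
}
```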


Last updated: Jan 24 2025 at 00:11 UTC