wasm: capability restriction (#13911)

Defines the configuration for capability restriction and propagates the configuration to `proxy-wasm-cpp-host`.
Risk Level: Medium
Testing: Unit tests ([`wasm_test.cc`](https://github.com/envoyproxy/envoy/pull/13911/files#diff-bc05b247c9a740af67a404a40498f96ced6bfc5911a2695f36bd60f0d348eadd)), configuration tests ([`config_test`](https://github.com/envoyproxy/envoy/pull/13911/files#diff-d743e0cfc1194f55ff4d936715cae872062265816c13d47c7db218cb9c3266ea)), and integration tests ([`wasm_filter_test.cc`](https://github.com/envoyproxy/envoy/pull/13911/files#diff-2ed9d95165b50294925d720defe225098c88b58381637c6457a0ea975a607d07)). Test that capabilities can be restricted selectively and are unrestricted by default.
Docs Changes: Add documentation for the new `messages` created in `wasm.proto`.
Release notes: N/A

Signed-off-by: Ryan Apilado <rapilado@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 47ad8ee4f0e60840cf564a2fbfc583928396f14b
pull/624/head
data-plane-api(Azure Pipelines) 4 years ago
parent 5158f77e39
commit c4d7d74185
  1. 27
      envoy/extensions/wasm/v3/wasm.proto

@ -17,6 +17,28 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Wasm]
// [#extension: envoy.bootstrap.wasm]
// Configuration for restricting Proxy-Wasm capabilities available to modules.
message CapabilityRestrictionConfig {
// The Proxy-Wasm capabilities which will be allowed. Capabilities are mapped by
// name. The *SanitizationConfig* which each capability maps to is currently unimplemented and ignored,
// and so should be left empty.
//
// The capability names are given in the
// `Proxy-Wasm ABI <https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT>`_.
// Additionally, the following WASI capabilities from
// `this list <https://github.com/WebAssembly/WASI/blob/master/phases/snapshot/docs.md#modules>`_
// are implemented and can be allowed:
// *fd_write*, *fd_read*, *fd_seek*, *fd_close*, *fd_fdstat_get*, *environ_get*, *environ_sizes_get*,
// *args_get*, *args_sizes_get*, *proc_exit*, *clock_time_get*, *random_get*.
map<string, SanitizationConfig> allowed_capabilities = 1;
}
// Configuration for sanitization of inputs to an allowed capability.
//
// NOTE: This is currently unimplemented.
message SanitizationConfig {
}
// Configuration for a Wasm VM.
// [#next-free-field: 7]
message VmConfig {
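Review bot: The capability-name documentation links to the `vNEXT` ABI directory, which is a moving target; consider pinning the link to the ABI version this implementation actually enforces so operators can tell which host-call names are valid, and state whether a name that matches neither the ABI list nor the WASI list is rejected at config load or silently ignored (a silently ignored typo in `allowed_capabilities` would leave a capability denied rather than allowed, which is the safe direction, but is hard to debug).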
@ -73,7 +95,7 @@ message VmConfig {
}
// Base Configuration for Wasm Plugins e.g. filters and services.
// [#next-free-field: 6]
// [#next-free-field: 7]
message PluginConfig {
// A unique name for a filters/services in a VM for use in identifying the filter/service if
// multiple filters/services are handled by the same *vm_id* and *root_id* and for
@ -104,6 +126,9 @@ message PluginConfig {
// during xDS updates the xDS configuration will be rejected and when on_start or on_configuration return false on initial
// startup the proxy will not start.
bool fail_open = 5;
// Configuration for restricting Proxy-Wasm capabilities available to modules.
CapabilityRestrictionConfig capability_restriction_config = 6;
}
// WasmService is configured as a built-in *envoy.wasm_service* :ref:`WasmService
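Review bot: The field comment on `capability_restriction_config` repeats the message-level comment without describing the default; since the commit message says capabilities are unrestricted by default, the comment should spell out the distinction between this field being unset (no restriction) and being set with an empty `allowed_capabilities` map, e.g. "If unset, all capabilities are allowed; if set, only the listed capabilities are allowed", so that the restrictive case is not reached by accident.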