envoyproxy · lizan · Feb 9, 2021 · Nov 19, 2020 · Nov 19, 2020 · Nov 19, 2020
diff --git a/api/envoy/extensions/wasm/v3/wasm.proto b/api/envoy/extensions/wasm/v3/wasm.proto
@@ -18,6 +18,26 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Wasm]
 // [#extension: envoy.bootstrap.wasm]
 
+// Configuration for restricting proxy-wasm capabilities available to modules.
+message CapabilityRestrictionConfig {
+  // The proxy-wasm capabilities which will be allowed. Capabilities are mapped by
+  // name. The *SanitizationConfig* which each capability maps to is currently unimplemented and ignored,
+  // and so should be left empty.
+  //
+  // The capability names are given in the
+  // `proxy-wasm ABI <https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT>`_.
+  // Additionally, the following WASI capabilities from
+  // `this list <https://github.com/WebAssembly/WASI/blob/master/phases/snapshot/docs.md#modules>`_
+  // are implemented and can be allowed:
+  // *fd_write*, *fd_read*, *fd_seek*, *fd_close*, *fd_fdstat_get*, *environ_get*, *environ_sizes_get*,
+  // *args_get*, *args_sizes_get*, *proc_exit*, *clock_time_get*, *random_get*.
+  map<string, SanitizationConfig> allowed_capabilities = 1;
+}
+
+// Configuration for sanitization of inputs to an allowed capability. NOTE: This is currently unimplemented.
+message SanitizationConfig {
+}
+
 // Configuration for a Wasm VM.
 // [#next-free-field: 7]
 message VmConfig {
@@ -74,7 +94,7 @@ message VmConfig {
 }
 
 // Base Configuration for Wasm Plugins e.g. filters and services.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message PluginConfig {
   // A unique name for a filters/services in a VM for use in identifying the filter/service if
   // multiple filters/services are handled by the same *vm_id* and *root_id* and for
@@ -105,6 +125,9 @@ message PluginConfig {
   // during xDS updates the xDS configuration will be rejected and when on_start or on_configuration return false on initial
   // startup the proxy will not start.
   bool fail_open = 5;
+
+  // Configuration for restricting proxy-wasm capabilities available to modules.
+  CapabilityRestrictionConfig capability_restriction_config = 6;
 }
 
 // WasmService is configured as a built-in *envoy.wasm_service* :ref:`WasmService

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -846,8 +846,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "WebAssembly for Proxies (C++ host implementation)",
         project_desc = "WebAssembly for Proxies (C++ host implementation)",
         project_url = "https://github.com/proxy-wasm/proxy-wasm-cpp-host",
-        version = "6dab125d7a668c7158848b6f48c67fd827c952e6",
-        sha256 = "b5c73ed053a7079bd8bf53b14c4811e87ae521d9fcf4769ec5b248202a27600d",
+        version = "993766996269bd1e41dc625063cfcf4904d940a0",
+        sha256 = "62daa07f1b1dbe7d0462b874149db0db298713026a32b7748aaa929ec35304aa",
         strip_prefix = "proxy-wasm-cpp-host-{version}",
         urls = ["https://github.com/proxy-wasm/proxy-wasm-cpp-host/archive/{version}.tar.gz"],
         use_category = ["dataplane_ext"],
@@ -862,7 +862,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
             "envoy.wasm.runtime.wavm",
             "envoy.wasm.runtime.wasmtime",
         ],
-        release_date = "2020-12-16",
+        release_date = "2020-12-22",
         cpe = "N/A",
     ),
     proxy_wasm_rust_sdk = dict(

diff --git a/generated_api_shadow/envoy/extensions/wasm/v3/wasm.proto b/generated_api_shadow/envoy/extensions/wasm/v3/wasm.proto
@@ -46,9 +46,10 @@ WasmAccessLogFactory::createAccessLogInstance(const Protobuf::Message& proto_con
   };
 
   if (!Common::Wasm::createWasm(
-          config.config().vm_config(), plugin, context.scope().createScope(""),
-          context.clusterManager(), context.initManager(), context.dispatcher(), context.api(),
-          context.lifecycleNotifier(), remote_data_provider_, std::move(callback))) {
+          config.config().vm_config(), config.config().capability_restriction_config(), plugin,
+          context.scope().createScope(""), context.clusterManager(), context.initManager(),
+          context.dispatcher(), context.api(), context.lifecycleNotifier(), remote_data_provider_,
+          std::move(callback))) {
     throw Common::Wasm::WasmException(
         fmt::format("Unable to create Wasm access log {}", plugin->name_));
   }

@@ -52,9 +52,10 @@ void WasmFactory::createWasm(const envoy::extensions::wasm::v3::WasmService& con
   };
 
   if (!Common::Wasm::createWasm(
-          config.config().vm_config(), plugin, context.scope().createScope(""),
-          context.clusterManager(), context.initManager(), context.dispatcher(), context.api(),
-          context.lifecycleNotifier(), remote_data_provider_, std::move(callback))) {
+          config.config().vm_config(), config.config().capability_restriction_config(), plugin,
+          context.scope().createScope(""), context.clusterManager(), context.initManager(),
+          context.dispatcher(), context.api(), context.lifecycleNotifier(), remote_data_provider_,
+          std::move(callback))) {
     // NB: throw if we get a synchronous configuration failures as this is how such failures are
     // reported to xDS.
     throw Common::Wasm::WasmException(

@@ -42,6 +42,8 @@ using proxy_wasm::WasmResult;
 using proxy_wasm::WasmStreamType;
 
 using VmConfig = envoy::extensions::wasm::v3::VmConfig;
+using CapabilityRestrictionConfig = envoy::extensions::wasm::v3::CapabilityRestrictionConfig;
+using SanitizationConfig = envoy::extensions::wasm::v3::SanitizationConfig;
 using GrpcService = envoy::config::core::v3::GrpcService;
 
 class Wasm;

@@ -100,10 +100,11 @@ void Wasm::initializeLifecycle(Server::ServerLifecycleNotifier& lifecycle_notifi
 }
 
 Wasm::Wasm(absl::string_view runtime, absl::string_view vm_id, absl::string_view vm_configuration,
-           absl::string_view vm_key, const Stats::ScopeSharedPtr& scope,
-           Upstream::ClusterManager& cluster_manager, Event::Dispatcher& dispatcher)
-    : WasmBase(createWasmVm(runtime), vm_id, vm_configuration, vm_key), scope_(scope),
-      cluster_manager_(cluster_manager), dispatcher_(dispatcher),
+           absl::string_view vm_key, proxy_wasm::AllowedCapabilitiesMap allowed_capabilities,
+           const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager,
+           Event::Dispatcher& dispatcher)
+    : WasmBase(createWasmVm(runtime), vm_id, vm_configuration, vm_key, allowed_capabilities),
+      scope_(scope), cluster_manager_(cluster_manager), dispatcher_(dispatcher),
       time_source_(dispatcher.timeSource()),
       wasm_stats_(WasmStats{
           ALL_WASM_STATS(POOL_COUNTER_PREFIX(*scope_, absl::StrCat("wasm.", runtime, ".")),
@@ -312,8 +313,9 @@ WasmEvent toWasmEvent(const std::shared_ptr<WasmHandleBase>& wasm) {
   NOT_IMPLEMENTED_GCOVR_EXCL_LINE;
 }
 
-static bool createWasmInternal(const VmConfig& vm_config, const PluginSharedPtr& plugin,
-                               const Stats::ScopeSharedPtr& scope,
+static bool createWasmInternal(const VmConfig& vm_config,
+                               const CapabilityRestrictionConfig& cr_config,
+                               const PluginSharedPtr& plugin, const Stats::ScopeSharedPtr& scope,
                                Upstream::ClusterManager& cluster_manager,
                                Init::Manager& init_manager, Event::Dispatcher& dispatcher,
                                Api::Api& api, Server::ServerLifecycleNotifier& lifecycle_notifier,
@@ -380,7 +382,7 @@ static bool createWasmInternal(const VmConfig& vm_config, const PluginSharedPtr&
                  .value_or(code.empty() ? EMPTY_STRING : INLINE_STRING);
   }
 
-  auto complete_cb = [cb, vm_config, plugin, scope, &cluster_manager, &dispatcher,
+  auto complete_cb = [cb, vm_config, cr_config, plugin, scope, &cluster_manager, &dispatcher,
                       &lifecycle_notifier, create_root_context_for_testing,
                       wasm_extension](std::string code) -> bool {
     if (code.empty()) {
@@ -391,10 +393,10 @@ static bool createWasmInternal(const VmConfig& vm_config, const PluginSharedPtr&
         proxy_wasm::makeVmKey(vm_config.vm_id(), anyToBytes(vm_config.configuration()), code);
     auto wasm_factory = wasm_extension->wasmFactory();
     proxy_wasm::WasmHandleFactory proxy_wasm_factory =
-        [&vm_config, scope, &cluster_manager, &dispatcher, &lifecycle_notifier,
+        [&vm_config, &cr_config, scope, &cluster_manager, &dispatcher, &lifecycle_notifier,
          wasm_factory](absl::string_view vm_key) -> WasmHandleBaseSharedPtr {
-      return wasm_factory(vm_config, scope, cluster_manager, dispatcher, lifecycle_notifier,
-                          vm_key);
+      return wasm_factory(vm_config, cr_config, scope, cluster_manager, dispatcher,
+                          lifecycle_notifier, vm_key);
     };
     auto wasm = proxy_wasm::createWasm(
         vm_key, code, plugin, proxy_wasm_factory,
@@ -469,15 +471,16 @@ static bool createWasmInternal(const VmConfig& vm_config, const PluginSharedPtr&
   return true;
 }
 
-bool createWasm(const VmConfig& vm_config, const PluginSharedPtr& plugin,
-                const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager,
-                Init::Manager& init_manager, Event::Dispatcher& dispatcher, Api::Api& api,
+bool createWasm(const VmConfig& vm_config, const CapabilityRestrictionConfig& cr_config,
+                const PluginSharedPtr& plugin, const Stats::ScopeSharedPtr& scope,
+                Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager,
+                Event::Dispatcher& dispatcher, Api::Api& api,
                 Envoy::Server::ServerLifecycleNotifier& lifecycle_notifier,
                 Config::DataSource::RemoteAsyncDataProviderPtr& remote_data_provider,
                 CreateWasmCallback&& cb, CreateContextFn create_root_context_for_testing) {
-  return createWasmInternal(vm_config, plugin, scope, cluster_manager, init_manager, dispatcher,
-                            api, lifecycle_notifier, remote_data_provider, std::move(cb),
-                            create_root_context_for_testing);
+  return createWasmInternal(vm_config, cr_config, plugin, scope, cluster_manager, init_manager,
+                            dispatcher, api, lifecycle_notifier, remote_data_provider,
+                            std::move(cb), create_root_context_for_testing);
 }
 
 PluginHandleSharedPtr

@@ -47,8 +47,9 @@ struct WasmStats {
 class Wasm : public WasmBase, Logger::Loggable<Logger::Id::wasm> {
 public:
   Wasm(absl::string_view runtime, absl::string_view vm_id, absl::string_view vm_configuration,
-       absl::string_view vm_key, const Stats::ScopeSharedPtr& scope,
-       Upstream::ClusterManager& cluster_manager, Event::Dispatcher& dispatcher);
+       absl::string_view vm_key, proxy_wasm::AllowedCapabilitiesMap allowed_capabilities,
+       const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager,
+       Event::Dispatcher& dispatcher);
   Wasm(std::shared_ptr<WasmHandle> other, Event::Dispatcher& dispatcher);
   ~Wasm() override;
 
@@ -160,9 +161,10 @@ using CreateWasmCallback = std::function<void(WasmHandleSharedPtr)>;
 // all failures synchronously as it has no facility to report configuration update failures
 // asynchronously. Callers should throw an exception if they are part of a synchronous xDS update
 // because that is the mechanism for reporting configuration errors.
-bool createWasm(const VmConfig& vm_config, const PluginSharedPtr& plugin,
-                const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager,
-                Init::Manager& init_manager, Event::Dispatcher& dispatcher, Api::Api& api,
+bool createWasm(const VmConfig& vm_config, const CapabilityRestrictionConfig& cr_config,
+                const PluginSharedPtr& plugin, const Stats::ScopeSharedPtr& scope,
+                Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager,
+                Event::Dispatcher& dispatcher, Api::Api& api,
                 Envoy::Server::ServerLifecycleNotifier& lifecycle_notifier,
                 Config::DataSource::RemoteAsyncDataProviderPtr& remote_data_provider,
                 CreateWasmCallback&& callback,

@@ -48,13 +48,18 @@ PluginHandleExtensionFactory EnvoyWasm::pluginFactory() {
 }
 
 WasmHandleExtensionFactory EnvoyWasm::wasmFactory() {
-  return [](const VmConfig vm_config, const Stats::ScopeSharedPtr& scope,
-            Upstream::ClusterManager& cluster_manager, Event::Dispatcher& dispatcher,
-            Server::ServerLifecycleNotifier& lifecycle_notifier,
+  return [](const VmConfig vm_config, const CapabilityRestrictionConfig cr_config,
+            const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager,
+            Event::Dispatcher& dispatcher, Server::ServerLifecycleNotifier& lifecycle_notifier,
             absl::string_view vm_key) -> WasmHandleBaseSharedPtr {
+    proxy_wasm::AllowedCapabilitiesMap allowed_capabilities;
+    for (auto& capability : cr_config.allowed_capabilities()) {
+      // TODO(rapilado): Set the SanitizationConfig fields once sanitization is implemented.
+      allowed_capabilities[capability.first] = proxy_wasm::SanitizationConfig();
+    }
     auto wasm = std::make_shared<Wasm>(vm_config.runtime(), vm_config.vm_id(),
-                                       anyToBytes(vm_config.configuration()), vm_key, scope,
-                                       cluster_manager, dispatcher);
+                                       anyToBytes(vm_config.configuration()), vm_key,
+                                       allowed_capabilities, scope, cluster_manager, dispatcher);
     wasm->initializeLifecycle(lifecycle_notifier);
     return std::static_pointer_cast<WasmHandleBase>(std::make_shared<WasmHandle>(std::move(wasm)));
   };

@@ -34,9 +34,10 @@ using CreateContextFn =
 using PluginHandleExtensionFactory = std::function<PluginHandleBaseSharedPtr(
     const WasmHandleSharedPtr& base_wasm, absl::string_view plugin_key)>;
 using WasmHandleExtensionFactory = std::function<WasmHandleBaseSharedPtr(
-    const VmConfig& vm_config, const Stats::ScopeSharedPtr& scope,
-    Upstream::ClusterManager& cluster_manager, Event::Dispatcher& dispatcher,
-    Server::ServerLifecycleNotifier& lifecycle_notifier, absl::string_view vm_key)>;
+    const VmConfig& vm_config, const CapabilityRestrictionConfig& cr_config,
+    const Stats::ScopeSharedPtr& scope, Upstream::ClusterManager& cluster_manager,
+    Event::Dispatcher& dispatcher, Server::ServerLifecycleNotifier& lifecycle_notifier,
+    absl::string_view vm_key)>;
 using WasmHandleExtensionCloneFactory = std::function<WasmHandleBaseSharedPtr(
     const WasmHandleSharedPtr& base_wasm, Event::Dispatcher& dispatcher,
     CreateContextFn create_root_context_for_testing)>;

@@ -24,9 +24,10 @@ FilterConfig::FilterConfig(const envoy::extensions::filters::http::wasm::v3::Was
   };
 
   if (!Common::Wasm::createWasm(
-          config.config().vm_config(), plugin_, context.scope().createScope(""),
-          context.clusterManager(), context.initManager(), context.dispatcher(), context.api(),
-          context.lifecycleNotifier(), remote_data_provider_, std::move(callback))) {
+          config.config().vm_config(), config.config().capability_restriction_config(), plugin_,
+          context.scope().createScope(""), context.clusterManager(), context.initManager(),
+          context.dispatcher(), context.api(), context.lifecycleNotifier(), remote_data_provider_,
+          std::move(callback))) {
     throw Common::Wasm::WasmException(
         fmt::format("Unable to create Wasm HTTP filter {}", plugin->name_));
   }

@@ -24,9 +24,10 @@ FilterConfig::FilterConfig(const envoy::extensions::filters::network::wasm::v3::
   };
 
   if (!Common::Wasm::createWasm(
-          config.config().vm_config(), plugin_, context.scope().createScope(""),
-          context.clusterManager(), context.initManager(), context.dispatcher(), context.api(),
-          context.lifecycleNotifier(), remote_data_provider_, std::move(callback))) {
+          config.config().vm_config(), config.config().capability_restriction_config(), plugin_,
+          context.scope().createScope(""), context.clusterManager(), context.initManager(),
+          context.dispatcher(), context.api(), context.lifecycleNotifier(), remote_data_provider_,
+          std::move(callback))) {
     throw Common::Wasm::WasmException(
         fmt::format("Unable to create Wasm network filter {}", plugin->name_));
   }

@@ -44,9 +44,10 @@ WasmSinkFactory::createStatsSink(const Protobuf::Message& proto_config,
   };
 
   if (!Common::Wasm::createWasm(
-          config.config().vm_config(), plugin, context.scope().createScope(""),
-          context.clusterManager(), context.initManager(), context.dispatcher(), context.api(),
-          context.lifecycleNotifier(), remote_data_provider_, std::move(callback))) {
+          config.config().vm_config(), config.config().capability_restriction_config(), plugin,
+          context.scope().createScope(""), context.clusterManager(), context.initManager(),
+          context.dispatcher(), context.api(), context.lifecycleNotifier(), remote_data_provider_,
+          std::move(callback))) {
     throw Common::Wasm::WasmException(
         fmt::format("Unable to create Wasm Stat Sink {}", plugin->name_));
   }

@@ -58,9 +58,10 @@ static void bmWasmSimpleCallSpeedTest(benchmark::State& state, std::string test,
   auto plugin = std::make_shared<Extensions::Common::Wasm::Plugin>(
       name, root_id, vm_id, runtime, plugin_configuration, false,
       envoy::config::core::v3::TrafficDirection::UNSPECIFIED, local_info, nullptr);
+  proxy_wasm::AllowedCapabilitiesMap allowed_capabilities;
   auto wasm = std::make_unique<Extensions::Common::Wasm::Wasm>(
-      absl::StrCat("envoy.wasm.runtime.", runtime), vm_id, vm_configuration, vm_key, scope,
-      cluster_manager, *dispatcher);
+      absl::StrCat("envoy.wasm.runtime.", runtime), vm_id, vm_configuration, vm_key,
+      allowed_capabilities, scope, cluster_manager, *dispatcher);
   std::string code;
   if (runtime == "null") {
     code = "WasmSpeedCpp";