• Stars
    star
    646
  • Rank 69,672 (Top 2 %)
  • Language
    Rust
  • License
    Other
  • Created over 4 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Capability-oriented version of the Rust standard library

cap-std

Capability-based version of the Rust standard library

A Bytecode Alliance project

Github Actions CI Status zulip chat

The cap-std project is organized around the eponymous cap-std crate, and develops libraries to make it easy to write capability-based code, including:

There is also a cap-std-ext crate available which is maintained independently, and includes further extension APIs for both filesystem APIs (including atomic create/replace on Linux specifically) and passing file descriptors to child processes.

Cap-std features protection against CWE-22, "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", which is #8 in the 2021 CWE Top 25 Most Dangerous Software Weaknesses. It can also be used to prevent untrusted input from inducing programs to open "/proc/self/mem" on Linux.

Capability-based security

Operating systems have a concept of resource handles, or file descriptors, which are values that can be passed around within and sometimes between programs, and which represent access to external resources. Programs typically have the ambient authority to request any file or network handle simply by providing its name or address:

let file = File::open("/anything/you/want.txt")?;

There may be access-control lists, namespaces, firewalls, or virtualization mechanisms governing which resources can actually be accessed, but those are typically coarse-grained and configured outside of the application.

Capability-based security seeks to avoid ambient authority, to make sandboxing finer-grained and composable. To open a file, one needs a Dir, representing an open directory it's in:

let file = dir.open("the/thing.txt")?;

Attempts to access paths not contained within the directory:

let hidden = dir.open("../hidden.txt")?;

dir.symlink("/hidden.txt", "misdirection.txt")?;
let secret = dir.open("misdirection.txt")?;

return PermissionDenied errors.

This allows application logic to configure its own access, without changing the behavior of the whole host process, setting up a separate host process, or requiring external configuration.

How do I obtain a Dir?

If every resource requires some other resource to obtain, how does one obtain the first resource?

There currently are three main ways:

  • Use the cap-directories crate to create Dirs for config, cache and other data directories.
  • Use the cap-tempfile crate to create Dirs for temporary directories.
  • Use Dir::open_ambient_dir to open a plain path. This function is not sandboxed, and may open any file the host process has access to.

Examples

There are several examples of cap-std in use:

  • As a sandbox: For a simple yet complete example of cap-std in action, see this port of tide, to use cap-std to access static files, where it prevents path resolution from following symlinks outside of the designated root directory. The diff shows the kinds of changes needed to use this API.

  • As a general-purpose Dir type for working with directories: The io-streams crate uses cap-tempdir to create temporary directories for unit tests. Here, the main benefit of Dir is just convenienceβ€”Dir's API lets tests just say dir.open(...) instead of using open(path.join(...)) or dealing with chdir and global mutable state. The fact that it also sandboxes the unit tests is just a nice side effect.

  • As an application data store: See the kv-cli example for a simple example of a program using cap-directories and cap-std APIs to store application-specific data.

  • And, cap-std is a foundation for the WASI implementation in Wasmtime, providing sandboxing and support for Linux, macOS, Windows, and more.

What can I use cap-std for?

cap-std is not a sandbox for untrusted Rust code. Among other things, untrusted Rust code could use unsafe or the unsandboxed APIs in std::fs.

cap-std allows code to declare its intent and to opt in to protection from malicious path names. Code which takes a Dir from which to open files, rather than taking bare filenames, declares its intent to only open files underneath that Dir. And, Dir automatically protects against paths which might include .., symlinks, or absolute paths that might lead outside of that Dir.

cap-std also has another role, within WASI, because cap-std's filesystem APIs closely follow WASI's sandboxing APIs. In WASI, cap-std becomes a very thin layer, thinner than libstd's filesystem APIs because it doesn't need extra code to handle absolute paths.

How fast is it?

On Linux 5.6 and newer, cap-std uses openat2 to implement Dir::open with a single system call in common cases. Several other operations internally utilize openat2, O_PATH, and /proc/self/fd (though only when /proc is mounted, it's really procfs, and there are no mounts on top of it) for fast path resolution as well.

Otherwise, cap-std opens each component of a path individually, in order to specially handle .. and symlinks. The algorithm is carefully designed to minimize system calls, so opening red/green/blue performs just 5 system callsβ€”it opens red, green, and then blue, and closes the handles for red and green.

What about networking?

cap-std also contains a simple capability-based version of std::net, with a Pool type that represents a pool of network addresses and ports that can be accessed, which serves an analogous role to Dir. It's usable for basic use cases, though it's not yet very sophisticated.

What is cap_std::fs_utf8?

It's similar to cap_std::fs, but uses camino for its Path types, so paths are always valid UTF-8. To use it, opt in by enabling the fs_utf8 feature and using std::fs_utf8 in place of std::fs.

There's also an experimental extension to fs_utf8 which allows losslessly encoding arbitrary host byte sequences within UTF-8 strings, using the arf-strings technique. To try this experiment, opt in by enabling the arf_strings feature.

Similar crates

cap-std provides similar functionality to the openat crate, with a similar Dir type with associated functions corresponding to *at functions. cap-std's Dir type performs sandboxing, including for multiple-component paths. And cap-std supports symlinks as long as they remain within the sandbox, while openat doesn't support following symlinks.

cap-std has some similar functionality to pathrs in that it also explicitly verifies that /proc has actual procfs mounted on it and nothing mounted on top, and it can also use openat2. And it has some similar functionality to unix_fd. However, cap-std uses RESOLVE_BENEATH-style resolution where absolute paths are considered errors, while pathrs and unix_fd use RESOLVE_IN_ROOT-style resolution, where absolute paths are interpreted as references to the base file descriptor. And overall, cap-std seeks to provide a portable std-like API which supports Windows in addition to Unix-like platforms, while pathrs provides a lower-level API that exposes more of the underlying openat2 options and only supports Linux, and unix_fd is specific to Unix-like platforms.

obnth is a new crate which appears to be very similar to cap_std::fs. It's not mature yet, and it doesn't support Windows. It does support openat2-like features such as RESOLVE_NO_XDEV, RESOLVE_NO_SYMLINKS, and RESOLVE_IN_ROOT, including emulation when openat2 isn't available.

Why use RESOLVE_BENEATH?

Capability-based security is all about granularity. We want to encourage applications and users to think about having separate handles for directories they need, so that they're isolated from each other, rather than in terms of having "root directories" containing multiple unrelated resources.

Also, some applications have "well known" absolute path strings present, such as "/etc/resolv.conf", and could accidentally use them within Dir methods. RESOLVE_BENEATH catches such errors early, rather than taking chances with user content inside the Dir.

And, RESOLVE_BENEATH handles symlinks within a Dir consistently. Accessing a symlink to an absolute path within a Dir is always an error. With RESOLVE_IN_ROOT, a symlink to an absolute path in a Dir may succeed, and potentially resolve to something different than it would when resolved through the process filesystem namespace.

Minimum Supported Rust Version (MSRV)

This crate currently works on Rust 1.63, when default features are enabled. Some of the optional features have stricter requirements.

More Repositories

1

wasmtime

A fast and secure runtime for WebAssembly
Rust
15,075
star
2

wasm-micro-runtime

WebAssembly Micro Runtime (WAMR)
C
4,925
star
3

lucet

Lucet, the Sandboxing WebAssembly Compiler.
Rust
4,065
star
4

cranelift

Cranelift code generator
2,488
star
5

javy

JS to WebAssembly toolchain
Rust
2,240
star
6

rustix

Safe Rust bindings to POSIX-ish APIs
Rust
1,424
star
7

wasm-tools

CLI and Rust libraries for low-level manipulation of WebAssembly modules
Rust
1,270
star
8

wit-bindgen

A language binding generator for WebAssembly interface types
Rust
1,024
star
9

wizer

The WebAssembly Pre-Initializer
Rust
932
star
10

wasmtime-go

Go WebAssembly runtime powered by Wasmtime
Go
771
star
11

cranelift-jit-demo

JIT compiler and runtime for a toy language, using Cranelift
Rust
636
star
12

jco

JavaScript toolchain for working with WebAssembly Components
Rust
598
star
13

cargo-component

A Cargo subcommand for creating WebAssembly components based on the component model proposal.
Rust
468
star
14

cargo-wasi

A lightweight Cargo subcommand to build Rust code for the `wasm32-wasi` target
Rust
439
star
15

wasmtime-dotnet

.NET embedding of Wasmtime https://bytecodealliance.github.io/wasmtime-dotnet/
C#
409
star
16

wasmtime-py

Python WebAssembly runtime powered by Wasmtime
Python
385
star
17

wasi-rs

Experimental WASI API bindings for Rust
Rust
254
star
18

ComponentizeJS

JS -> WebAssembly Component
Rust
213
star
19

wasi.dev

JavaScript
209
star
20

regalloc2

A new register allocator
Rust
200
star
21

registry

WebAssembly Registry (Warg)
Rust
189
star
22

wasmparser

A simple event-driven library for parsing WebAssembly binary files
178
star
23

wasmtime-demos

Historical and dated demos for Wasmtime usage and WASI content
C#
153
star
24

WASI-Virt

Virtual implementations of WASI APIs
Rust
139
star
25

componentize-py

Rust
138
star
26

wrpc

Wasm component-native RPC framework
Rust
114
star
27

wat

Rust WAT and WAST parser (WebAssembly Text Format)
113
star
28

wac

WebAssembly Composition (WAC) tooling
Rust
107
star
29

regalloc.rs

Modular register allocator algorithms
Rust
106
star
30

wasmtime-rb

Ruby WebAssembly runtime powered by Wasmtime
Rust
95
star
31

spidermonkey-wasm-rs

Rust
87
star
32

wasmtime-cpp

C++
81
star
33

preview2-prototyping

Polyfill adapter for preview1-using wasm modules to call preview2 functions.
Rust
79
star
34

wasm-interface-types

Raw Rust toolchain support for Wasm Interface Types
Rust
70
star
35

component-docs

Documentation around creating and using WebAssembly Components
Rust
68
star
36

sightglass

A benchmark suite and tool to compare different implementations of the same primitives.
C
67
star
37

wasm-tools-go

WebAssembly + Component Model tools for Go
Go
60
star
38

rfcs

RFC process for Bytecode Alliance projects
60
star
39

StarlingMonkey

The StarlingMonkey JS runtime
C++
58
star
40

wasm-pkg-tools

Rust
56
star
41

target-lexicon

Target "triple" support
Rust
48
star
42

wit-deps

WIT dependency manager
Rust
47
star
43

userfaultfd-rs

Rust bindings for the Linux userfaultfd functionality
Rust
43
star
44

wasi-nn

High-level bindings for wasi-nn system calls
CSS
42
star
45

system-interface

Extensions to the Rust standard library
Rust
41
star
46

waffle

Wasm Analysis Framework For Lightweight Experiments
Rust
34
star
47

wasmprinter

Rust library to print a WebAssembly binary to its textual format
32
star
48

wasm-component-ld

Command line linker for creating WebAssembly components
Rust
31
star
49

meetings

Python
28
star
50

wamr-rust-sdk

Rust
28
star
51

wasm-score

A benchmark for standalone WebAssembly
C
26
star
52

weval

the WebAssembly partial evaluator
Rust
25
star
53

spidermonkey-wasm-build

Utilities to compile SpiderMonkey to wasm32-wasi
JavaScript
24
star
54

vscode-wit

Visual Studio Code extension to recognize and highlight the WebAssembly Interface Type (WIT) IDL.
TypeScript
22
star
55

filecheck

Library for writing tests for utilities that read text files and produce text output
Rust
21
star
56

componentize-dotnet

Tooling for creating WebAssembly components from C#
C#
17
star
57

cranelift.vim

Vim editor configuration for working with cranelift IR (clif) files
Vim Script
15
star
58

arf-strings

Encoding and decoding for ARF strings
C
13
star
59

SIG-Guest-Languages

Special Interest Group (SIG) whose goal is to investigate how best to integrate Wasm and components into dynamic programming language ecosystems in a way that feels native to those ecosystems.
13
star
60

SIG-Registries

11
star
61

governance

11
star
62

subscribe-to-label-action

A GitHub action that allows users to subscribe to a label and automatically get @'d when the label is applied
JavaScript
11
star
63

bytecodealliance.org

CSS
10
star
64

wasm-spec-interpreter

Rust bindings for the Wasm spec interpreter.
Rust
10
star
65

spidermonkey-wasi-embedding

Shell
9
star
66

wamr-app-framework

WebAssembly Micro Runtime Application Framework
C
9
star
67

wasm-parallel-gzip

Some example scripts for building a parallel compression/decompression tool for WebAssembly
Makefile
8
star
68

fs-set-times

Set filesystem timestamps
Rust
6
star
69

wasmtime-libfuzzer-corpus

libFuzzer corpus for our wasmtime fuzz targets
Shell
6
star
70

rust-oci-wasm

A Rust implementation of the OCI artifact specification for WebAssembly
Rust
6
star
71

arena-btree

Rust
6
star
72

cm-go

Go
6
star
73

sig-embedded

6
star
74

wamr-python

Python
6
star
75

wamr.dev

The WAMR homepage
HTML
5
star
76

wasmtime.dev

The Wasmtime homepage
CSS
4
star
77

libc-test

Mirror of git://nsz.repo.hu:49100/repo/libc-test (see https://wiki.musl-libc.org/libc-test.html for more information)
C
4
star
78

actions

GitHub actions to setup wasm-tools and wasmtime
TypeScript
3
star
79

wasmtime-wasi-nn

2
star
80

cranelift.dev

CSS
1
star
81

label-messager-action

Automatically leave a message when an issue or pull request has a certain label
JavaScript
1
star
82

wasm-ml-meetings

Informal working group for machine learning and WebAssembly, especially wasi-nn
1
star