fix StoreBuilder::inherit_limited_network

Previously, this called `WasiCtxBuilder::inherit_network`, but that had no effect since `StoreBuilder::build_with_data` later overwrites that setting by calling `WasiCtxBuilder::socket_addr_check` with a lambda that uses `StoreBuilder::net_pool` to check addresses. In this cases, `StoreBuilder::net_pool` has not had any subnets added to it, so it denies everything, which is the opposite of what we intended. The solution is to have `StoreBuilder::inherit_limited_network` update `net_pool` to allow all IPv4 and IPv6 networks. Signed-off-by: Joel Dice <[email protected]>
fermyon · Jun 3, 2024 · 3896596 · 3896596
1 parent 9b56fe5
commit 3896596
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/crates/core/src/store.rs b/crates/core/src/store.rs
@@ -1,10 +1,11 @@
 use anyhow::{anyhow, Result};
 use bytes::Bytes;
 use cap_primitives::net::Pool;
-use cap_std::ipnet::IpNet;
+use cap_std::ipnet::{IpNet, Ipv4Net, Ipv6Net};
 use std::{
     io::{Read, Write},
     mem,
+    net::{Ipv4Addr, Ipv6Addr},
     path::{Path, PathBuf},
     sync::{Arc, Mutex},
     time::{Duration, Instant},
@@ -209,9 +210,17 @@ impl StoreBuilder {
             }
             WasiCtxBuilder::Preview2(ctx) => {
                 // TODO: ctx.allow_udp(false);
-                ctx.inherit_network();
             }
         });
+
+        self.net_pool.insert_ip_net_port_any(
+            IpNet::V4(Ipv4Net::new(Ipv4Addr::new(0, 0, 0, 0), 0).unwrap()),
+            cap_primitives::ambient_authority(),
+        );
+        self.net_pool.insert_ip_net_port_any(
+            IpNet::V6(Ipv6Net::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0), 0).unwrap()),
+            cap_primitives::ambient_authority(),
+        );
     }
 
     /// Sets the WASI `stdin` descriptor to the given [`Read`]er.