Module sandbox

Shared wasmtime sandbox configuration.

Both the directive-plugin runtime (crate::runtime) and the WASM importer host (rustledger-importer/src/wasm.rs) load untrusted .wasm modules into wasmtime. They have the same security model and should agree on:

  • Which wasm proposals are enabled (attack surface)
  • Whether fuel metering is on (DoS bound)
  • How per-call Store resource limits are enforced
  • The cost of Engine creation (compilation cache + thread pool)

This module is the single source of truth for those decisions. Adding a feature flag here applies it to every WASM-loaded component in rustledger.

⚠️ Breaking change for user WASM plugins

As of the v0.16-pre reshape, sandbox_config explicitly disables these wasm proposals (full list — the rustdoc on sandbox_config explains the rationale for each):

  • wasm_threads, wasm_shared_everything_threads
  • wasm_multi_memory, wasm_memory64
  • wasm_component_model (and all sub-flags)
  • wasm_gc, wasm_function_references
  • wasm_stack_switching, wasm_tail_call

A user-shipped .wasm plugin or importer that relies on any disabled proposal will now fail to compile at load time with a wasmtime validation error. This is intentional security tightening, but plugin authors targeting earlier rustledger versions may need to recompile against the new sandbox profile.

Why share the Engine?

wasmtime’s Engine owns the JIT compilation cache and the background-compilation thread pool. wasmtime documentation explicitly recommends one Engine per process — sharing it across all imported modules lets us amortize that cost. A per-call Store still provides isolation; the Engine only holds compiled-code state.

Structs

MemoryLimiter
Per-store memory limiter.
StoreState
Store user-data — just the MemoryLimiter today.

Enums

AbiCheck
Outcome of reading a freshly instantiated guest’s ABI version.

Constants

DEFAULT_SANDBOX_MAX_MEMORY
Default per-instance linear-memory cap (in bytes) for any sandboxed wasmtime Store in rustledger.
DEFAULT_SANDBOX_MAX_TIME_SECS
Default per-call CPU-time budget (in seconds) for sandboxed wasmtime calls in rustledger.
HOST_ABI_VERSION
The plugin-types ABI version this host build speaks.
MAX_TABLE_ELEMENTS
Hard cap on the number of elements in any single WASM table.

Functions

apply_proposal_disables
Apply rustledger’s WASM-proposal disable list to an existing Config.
check_guest_abi
Read a freshly instantiated guest’s ABI version and compare it to HOST_ABI_VERSION.
make_sandboxed_store
Create a Store with rustledger’s sandbox enforcement wired in:
sandbox_config
Build a wasmtime Config with rustledger’s locked-down security posture. Exposed for tests and embedders who need to construct an Engine with the same flags but different lifetimes.
shared_engine
Per-process shared wasmtime Engine with rustledger’s security posture. Cheap to clone (Arc).
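The two enforcement points this module describes, the per-store MemoryLimiter (the "per-call Store resource limits" bullet above) and the check_guest_abi comparison against HOST_ABI_VERSION, are modelled below in an added example. This is not rustledger's own code and it does not link the wasmtime crate: the limiter methods copy the shape of wasmtime's ResourceLimiter callbacks (current size, desired size, module-declared maximum, returning whether the grow is allowed) so the decision logic can be read and exercised on its own. The cap values, the AbiCheck variant names, and the pages_grantable simulation are assumptions for illustration, not the crate's real defaults or API.

```rust
// Added example: stand-alone model of rustledger's sandbox enforcement.
// It does NOT use the wasmtime crate; constants and variant names below
// are assumed placeholders, not the crate's real values.

/// Assumed placeholder for DEFAULT_SANDBOX_MAX_MEMORY (the page gives no value).
pub const DEFAULT_SANDBOX_MAX_MEMORY: usize = 64 * 1024 * 1024; // 64 MiB
/// Assumed placeholder for MAX_TABLE_ELEMENTS.
pub const MAX_TABLE_ELEMENTS: usize = 10_000;
/// Assumed placeholder for HOST_ABI_VERSION.
pub const HOST_ABI_VERSION: u32 = 1;

/// One wasm linear-memory page.
const WASM_PAGE: usize = 65_536;

/// Per-store limiter: refuses any memory or table growth that would exceed
/// the host cap. Refusals are counted so the host can log a guest that keeps
/// hitting the wall (a useful misbehaviour signal).
#[derive(Debug, Default)]
pub struct MemoryLimiter {
    pub max_memory: usize,
    pub max_table_elements: usize,
    pub refused_memory_grows: u32,
    pub refused_table_grows: u32,
}

impl MemoryLimiter {
    pub fn new(max_memory: usize, max_table_elements: usize) -> Self {
        Self { max_memory, max_table_elements, refused_memory_grows: 0, refused_table_grows: 0 }
    }

    /// Shape of `ResourceLimiter::memory_growing`: `current`/`desired` are byte
    /// sizes, `maximum` is the module-declared max (if any). The effective cap is
    /// the smaller of the declared max and the host cap. Returning `false` makes
    /// the guest's `memory.grow` return -1 rather than trap, so a well-behaved
    /// guest can back off.
    pub fn memory_growing(&mut self, current: usize, desired: usize, maximum: Option<usize>) -> bool {
        let cap = maximum.map_or(self.max_memory, |m| m.min(self.max_memory));
        if desired > cap || desired < current {
            self.refused_memory_grows += 1;
            return false;
        }
        true
    }

    /// Shape of `ResourceLimiter::table_growing`, in elements.
    pub fn table_growing(&mut self, current: usize, desired: usize, maximum: Option<usize>) -> bool {
        let cap = maximum.map_or(self.max_table_elements, |m| m.min(self.max_table_elements));
        if desired > cap || desired < current {
            self.refused_table_grows += 1;
            return false;
        }
        true
    }
}

/// Store user-data, as on the page: just the limiter today.
#[derive(Debug, Default)]
pub struct StoreState {
    pub limiter: MemoryLimiter,
}

/// Simulate a guest calling `memory.grow 1` in a loop until refused.
/// Returns the number of pages the limiter granted (assumed helper).
pub fn pages_grantable(limiter: &mut MemoryLimiter, maximum: Option<usize>) -> usize {
    let (mut current, mut pages) = (0usize, 0usize);
    while limiter.memory_growing(current, current + WASM_PAGE, maximum) {
        current += WASM_PAGE;
        pages += 1;
    }
    pages
}

/// Outcome of reading a freshly instantiated guest's ABI version
/// (variant names are assumed; the page does not list them).
#[derive(Debug, PartialEq, Eq)]
pub enum AbiCheck {
    /// Guest and host agree; safe to call into the module.
    Compatible,
    /// Guest exported a version, but it differs from HOST_ABI_VERSION.
    Mismatch { guest: u32, host: u32 },
    /// Guest has no readable ABI version export at all.
    Missing,
}

/// Compare the guest's exported version (None if the export is absent)
/// to HOST_ABI_VERSION. A host should refuse to call any further exports
/// unless the result is `Compatible`.
pub fn check_guest_abi(guest_version: Option<u32>) -> AbiCheck {
    match guest_version {
        None => AbiCheck::Missing,
        Some(v) if v == HOST_ABI_VERSION => AbiCheck::Compatible,
        Some(v) => AbiCheck::Mismatch { guest: v, host: HOST_ABI_VERSION },
    }
}

fn main() {
    let mut state = StoreState { limiter: MemoryLimiter::new(DEFAULT_SANDBOX_MAX_MEMORY, MAX_TABLE_ELEMENTS) };
    let pages = pages_grantable(&mut state.limiter, None);
    println!("guest could grow to {pages} pages before refusal ({} refusals)", state.limiter.refused_memory_grows);
    println!("{:?}", check_guest_abi(Some(HOST_ABI_VERSION + 1)));
}
```

Two design points carried over from the page: the limiter is per-store, so a refusal in one plugin call never affects another, and the ABI check runs before any other guest export is invoked, since a guest built against a different plugin-types layout would otherwise read host memory through the wrong struct layout.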