Module wasm_sandbox_runtime

WASM-Sandbox Crate Integration (Task 10)

This module provides integration with the wasm-sandbox crate for running untrusted WASM plugins in a secure sandbox with:

  • Memory isolation
  • CPU time limits (fuel)
  • Syscall filtering
  • Capability-based access control

§Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    SochDB Kernel                                │
│  ┌───────────────────────────────────────────────────────────┐ │
│  │              WasmSandboxRuntime                           │ │
│  │  ┌─────────────────────────────────────────────────────┐ │ │
│  │  │            Sandbox Manager                          │ │ │
│  │  │  ┌─────────┐ ┌─────────┐ ┌─────────┐              │ │ │
│  │  │  │Plugin 1 │ │Plugin 2 │ │Plugin N │              │ │ │
│  │  │  │ Sandbox │ │ Sandbox │ │ Sandbox │              │ │ │
│  │  │  └────┬────┘ └────┬────┘ └────┬────┘              │ │ │
│  │  │       │           │           │                    │ │ │
│  │  │       ▼           ▼           ▼                    │ │ │
│  │  │  ┌─────────────────────────────────────────────┐  │ │ │
│  │  │  │         Host Function Bridge                │  │ │ │
│  │  │  │  soch_read │ soch_write │ vector_search    │  │ │ │
│  │  │  └─────────────────────────────────────────────┘  │ │ │
│  │  └─────────────────────────────────────────────────────┘ │ │
│  └───────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘

§Security Model

Each sandbox has:

  • Isolated linear memory (no shared memory between plugins)
  • Fuel-based execution limits (prevents infinite loops)
  • Capability tokens (explicit permissions for each host function)
  • Audit logging of all host calls
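The following is an added example illustrating the security model above; it is not code from the wasm-sandbox crate or from SochDB. It models one plugin sandbox in plain Rust: capability tokens are a set of granted host functions, fuel is a counter debited per call, the plugin's linear memory is a private byte vector that every guest pointer is bounds-checked against, and every call attempt lands in an audit log whether it was allowed or not. The host function names come from the diagram; `SandboxModel`, `HostFn`, `CallError`, `AuditEntry` and the fuel prices are assumptions made for this example.

```rust
use std::collections::HashSet;

/// Host functions reachable through the bridge (names from the module's diagram).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum HostFn { SochRead, SochWrite, VectorSearch }

/// Why the bridge refused a host call.
#[derive(Debug, PartialEq, Eq)]
pub enum CallError {
    /// Plugin holds no capability token for this host function.
    NotPermitted(HostFn),
    /// Fuel budget too small for the call; nothing was executed.
    OutOfFuel { needed: u64, remaining: u64 },
    /// Guest (ptr, len) does not fit inside the plugin's own linear memory.
    OutOfBounds { ptr: usize, len: usize, memory_size: usize },
}

/// One audit record per host call attempt, whether or not it was allowed.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuditEntry {
    pub plugin: String,
    pub call: HostFn,
    pub allowed: bool,
}

/// Hypothetical model of one plugin sandbox (assumed type, not the crate's PluginSandbox).
pub struct SandboxModel {
    plugin: String,
    capabilities: HashSet<HostFn>, // capability tokens granted at load time
    fuel: u64,                     // remaining execution budget
    memory: Vec<u8>,               // this plugin's isolated linear memory
    audit: Vec<AuditEntry>,
}

impl SandboxModel {
    pub fn new(plugin: &str, caps: &[HostFn], fuel: u64, memory_bytes: usize) -> Self {
        SandboxModel {
            plugin: plugin.to_string(),
            capabilities: caps.iter().copied().collect(),
            fuel,
            memory: vec![0; memory_bytes],
            audit: Vec::new(),
        }
    }

    pub fn fuel_remaining(&self) -> u64 { self.fuel }
    pub fn audit_log(&self) -> &[AuditEntry] { &self.audit }
    pub fn memory(&self) -> &[u8] { &self.memory }

    /// Constructed fuel prices: a base cost per call plus one unit per byte touched.
    fn fuel_cost(call: HostFn, len: usize) -> u64 {
        let base = match call {
            HostFn::SochRead => 10,
            HostFn::SochWrite => 20,
            HostFn::VectorSearch => 100,
        };
        base + len as u64
    }

    fn record(&mut self, call: HostFn, allowed: bool) {
        self.audit.push(AuditEntry { plugin: self.plugin.clone(), call, allowed });
    }

    /// Dispatch a host call for the plugin. The capability check runs first, so a call
    /// the plugin was never granted touches neither fuel nor memory; every attempt is audited.
    pub fn host_call(&mut self, call: HostFn, ptr: usize, len: usize) -> Result<usize, CallError> {
        if !self.capabilities.contains(&call) {
            self.record(call, false);
            return Err(CallError::NotPermitted(call));
        }
        let needed = Self::fuel_cost(call, len);
        if self.fuel < needed {
            self.record(call, false);
            return Err(CallError::OutOfFuel { needed, remaining: self.fuel });
        }
        // checked_add rejects ptr + len wrapping around on absurd guest values.
        let end = match ptr.checked_add(len) {
            Some(e) if e <= self.memory.len() => e,
            _ => {
                self.record(call, false);
                return Err(CallError::OutOfBounds { ptr, len, memory_size: self.memory.len() });
            }
        };
        self.fuel -= needed;
        self.record(call, true);
        match call {
            // Constructed behaviour: a read fills the guest buffer with a marker byte.
            HostFn::SochRead => self.memory[ptr..end].fill(0x41),
            // A write or search only consumes the guest bytes in this model.
            HostFn::SochWrite | HostFn::VectorSearch => {}
        }
        Ok(end - ptr)
    }
}
```

Ordering is the point of the model: the capability check precedes fuel accounting so a plugin without a token cannot even spend budget probing the bridge, the bounds check uses `checked_add` so a wrapped `ptr + len` cannot pass as in-range, and the audit entry is written on every path, including refusals, which is what makes the log useful for spotting a plugin that keeps asking for functions it was never granted.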

Structs§

DefaultHostContextProvider: Default host context provider for testing
PluginInfo: Information about a loaded plugin
PluginSandbox: An isolated sandbox for a single plugin
SandboxConfig: Configuration for the WASM sandbox runtime
SandboxRuntimeStats: Global runtime statistics
SandboxStats: Statistics for a sandbox
WasmSandboxRuntime: WASM sandbox runtime manager

Enums§

SandboxError: Sandbox-specific errors
SandboxState: Sandbox state
SandboxValue: Value that can be passed to/from a sandbox

Traits§

HostContextProvider: Provider for host context (dependency injection)