Filesystem gate#30
Draft
scothis wants to merge 1 commit into
Intercept wasi:filesystem calls allowing per call access control
decisions. The 'gate' is a component that virtualizes the
wasi:filesystem interfaces and also imports a latch interface. The latch
defines the access control check and returns a decision.
For any call, a latch can either allow, deny or abstain. Denials include
an error-code as the reason. Latches can be composed together to define
more advanced behavior. The latch-N components compose N latches
together. An allow or deny decision is returned immediately while an
abstain decision allows the next latch to have an opinion.
For example, if we want to make a component's access to the filesystem
be read-only while other parts of the runtime need read-write, we can
compose the ro-consumer with a gate, while the rw-consumer has full
access to the filesystem. The latch is itself a composition of two other
latches, the first is the read-only latch which denies calls that would
modify the filesystem. The allow latch approves calls that have
otherwise not been denied. The composition enables additional behavior
to be added, such as denying access to certain directories, or any other
behavior a user chooses to implement. Replace the latch2 component with
latch3 when there is a third latch to orchestrate.
```
                  host
                ↗      ↖                 ↗ latch-readonly
rw-consumer           gate  →  latch2
                       ↑                 ↘ latch-allow
                  ro-consumer
```
Signed-off-by: Scott Andrews <scott@andrews.me>
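The decision logic described above (allow/deny/abstain, a latch-N component that consults its latches in order and stops at the first allow or deny, and a gate that turns the decision into a call result), as an added stand-alone example; this is not the PR's own code or the project's wit definitions. The operation set, the `ErrorCode` values, the `DenyPrefix` latch and the choice to fail closed when every latch abstains are assumptions made for the illustration.

```rust
/// A constructed subset of filesystem operations the gate would intercept
/// (not the real wasi:filesystem function list).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FsOp { Read, ReadDir, Stat, Write, CreateDirectory, Unlink, Rename, SetTimes }

/// Error codes a denial carries as its reason (assumed names).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ErrorCode { Access, NotPermitted }

/// The three outcomes a latch may return for a call.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Decision { Allow, Deny(ErrorCode), Abstain }

/// The intercepted call: which operation, on which path.
pub struct Call<'a> { pub op: FsOp, pub path: &'a str }

/// The latch interface: an access-control check that yields a decision.
pub trait Latch { fn check(&self, call: &Call<'_>) -> Decision; }

/// Denies anything that would modify the filesystem, abstains otherwise.
pub struct ReadOnly;
impl Latch for ReadOnly {
    fn check(&self, call: &Call<'_>) -> Decision {
        match call.op {
            FsOp::Write | FsOp::CreateDirectory | FsOp::Unlink
            | FsOp::Rename | FsOp::SetTimes => Decision::Deny(ErrorCode::Access),
            _ => Decision::Abstain,
        }
    }
}

/// Hypothetical third latch: denies any access under a directory prefix.
pub struct DenyPrefix(pub &'static str);
impl Latch for DenyPrefix {
    fn check(&self, call: &Call<'_>) -> Decision {
        if call.path.starts_with(self.0) { Decision::Deny(ErrorCode::NotPermitted) }
        else { Decision::Abstain }
    }
}

/// Approves whatever has not been denied by an earlier latch.
pub struct AllowAll;
impl Latch for AllowAll {
    fn check(&self, _call: &Call<'_>) -> Decision { Decision::Allow }
}

/// latch-N: consult latches in order; the first Allow or Deny wins,
/// Abstain hands the call to the next latch.
pub struct Chain(pub Vec<Box<dyn Latch>>);
impl Latch for Chain {
    fn check(&self, call: &Call<'_>) -> Decision {
        for latch in &self.0 {
            match latch.check(call) {
                Decision::Abstain => continue,
                decided => return decided,
            }
        }
        Decision::Abstain // no latch had an opinion
    }
}

/// The gate: map the latch decision onto the call's result. Assumption:
/// a chain that only abstains is treated as a denial (fail closed).
pub fn gate(latch: &dyn Latch, call: &Call<'_>) -> Result<(), ErrorCode> {
    match latch.check(call) {
        Decision::Allow => Ok(()),
        Decision::Deny(code) => Err(code),
        Decision::Abstain => Err(ErrorCode::Access),
    }
}

/// The latch2 composition from the PR's example: read-only, then allow.
pub fn read_only_latch2() -> Chain {
    Chain(vec![Box::new(ReadOnly) as Box<dyn Latch>, Box::new(AllowAll)])
}

/// A latch3 composition adding a directory deny in front of the other two.
pub fn latch3_with_denied_dir(prefix: &'static str) -> Chain {
    Chain(vec![Box::new(DenyPrefix(prefix)) as Box<dyn Latch>,
               Box::new(ReadOnly), Box::new(AllowAll)])
}

fn main() {
    let latch = latch3_with_denied_dir("/secrets");
    for (op, path) in [(FsOp::Read, "/data/in.txt"), (FsOp::Write, "/data/out.txt"),
                       (FsOp::Read, "/secrets/key")] {
        println!("{:?} {} -> {:?}", op, path, gate(&latch, &Call { op, path }));
    }
}
```

Ordering matters: a deny-style latch placed after `AllowAll` would never be consulted, so the permissive latch belongs last in the chain.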