fix StoreBuilder::inherit_limited_network (#2541)

* fix `StoreBuilder::inherit_limited_network` Previously, this called `WasiCtxBuilder::inherit_network`, but that had no effect since `StoreBuilder::build_with_data` later overwrites that setting by calling `WasiCtxBuilder::socket_addr_check` with a lambda that uses `StoreBuilder::net_pool` to check addresses. In this cases, `StoreBuilder::net_pool` has not had any subnets added to it, so it denies everything, which is the opposite of what we intended. The solution is to have `StoreBuilder::inherit_limited_network` update `net_pool` to allow all IPv4 and IPv6 networks. Signed-off-by: Joel Dice <joel.dice@fermyon.com> * address review feedback - Rename `StoreBuilder::inherit_limited_network` to `inherit_network` - Add comments explaining use of `Pool` and CIDR addresses Signed-off-by: Joel Dice <joel.dice@fermyon.com> --------- Signed-off-by: Joel Dice <joel.dice@fermyon.com>
fermyon · Jun 10, 2024 · 13a133f · 13a133f
1 parent 7864d69
commit 13a133f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/crates/core/src/store.rs b/crates/core/src/store.rs
@@ -1,10 +1,11 @@
 use anyhow::{anyhow, Result};
 use bytes::Bytes;
 use cap_primitives::net::Pool;
-use cap_std::ipnet::IpNet;
+use cap_std::ipnet::{IpNet, Ipv4Net, Ipv6Net};
 use std::{
     io::{Read, Write},
     mem,
+    net::{Ipv4Addr, Ipv6Addr},
     path::{Path, PathBuf},
     sync::{Arc, Mutex},
     time::{Duration, Instant},
@@ -201,17 +202,27 @@ impl StoreBuilder {
         );
     }
 
-    /// Inherit the host network with a few hardcoded caveats
-    pub fn inherit_limited_network(&mut self) {
+    /// Allow unrestricted outbound access to the host network.
+    pub fn inherit_network(&mut self) {
         self.with_wasi(|wasi| match wasi {
             WasiCtxBuilder::Preview1(_) => {
                 panic!("Enabling network only allowed in preview2")
             }
-            WasiCtxBuilder::Preview2(ctx) => {
+            WasiCtxBuilder::Preview2(_) => {
                 // TODO: ctx.allow_udp(false);
-                ctx.inherit_network();
             }
         });
+
+        // Allow access to 0.0.0.0/0, i.e. all IPv4 addresses
+        self.net_pool.insert_ip_net_port_any(
+            IpNet::V4(Ipv4Net::new(Ipv4Addr::new(0, 0, 0, 0), 0).unwrap()),
+            cap_primitives::ambient_authority(),
+        );
+        // Allow access to 0:/0, i.e. all IPv6 addresses
+        self.net_pool.insert_ip_net_port_any(
+            IpNet::V6(Ipv6Net::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0), 0).unwrap()),
+            cap_primitives::ambient_authority(),
+        );
     }
 
     /// Sets the WASI `stdin` descriptor to the given [`Read`]er.

diff --git a/crates/trigger/src/network.rs b/crates/trigger/src/network.rs
@@ -29,15 +29,13 @@ impl TriggerHooks for Network {
         let allowed_hosts =
             spin_outbound_networking::AllowedHostsConfig::parse(&hosts, &self.resolver)?;
         match allowed_hosts {
-            spin_outbound_networking::AllowedHostsConfig::All => {
-                store_builder.inherit_limited_network()
-            }
+            spin_outbound_networking::AllowedHostsConfig::All => store_builder.inherit_network(),
             spin_outbound_networking::AllowedHostsConfig::SpecificHosts(configs) => {
                 for config in configs {
                     if config.scheme().allows_any() {
                         match config.host() {
                             spin_outbound_networking::HostConfig::Any => {
-                                store_builder.inherit_limited_network()
+                                store_builder.inherit_network()
                             }
                             spin_outbound_networking::HostConfig::AnySubdomain(_) => continue,
                             spin_outbound_networking::HostConfig::ToSelf => {}