Better network sandbox #5283

Merged
merged 9 commits into from
Dec 6, 2024

maminrayej
Contributor

@maminrayej maminrayej commented Dec 5, 2024

Overview

This PR adds a more fine-grained sandbox for the network layer. Previously, the wasm module did not have access to any networking functionality by default and the user could give this access by providing the --net flag to the wasmer client. But this would expose all of the host's network stack to the wasm module. Now users can provide a list of patterns that will act as a whitelist or blacklist. This is done by extending the --net flag:

wasmer run --net=<comma_separated_list_of_rules>

Rule Specification

Each member of the <comma_separated_list_of_rules> can be expressed like:

<rule_kind>:<rule_action>=<rule_expr>

<rule_kind>: dns, ipv4, ipv6

<rule_action>: allow | deny

dns:
<rule_expr>:
{<domain_spec>}:{<port_spec>} (this will be expanded to an outbound IP rule)
<domain_spec>: domain | domain glob | *

ipv4:
<rule_expr>:
<ipv4_specs>:<port_specs>/<in|out>
<ipv4_specs>: <ipv4_spec> | {<ipv4_spec>,}
<ipv4_spec>: ipv4 | ipv4_range | *

ipv6:
<rule_expr>:
<ipv6_specs>:<port_specs>/<in|out>
<ipv6_specs>: <ipv6_spec> | {<ipv6_spec>,}
<ipv6_spec>: ipv6 | ipv6_range | *

<port_specs>: <port_spec> | {<port_specs>,}
<port_spec>: port | start_port-end_port | *

Some examples:

  • Allow a specific domain and port: dns:allow=example.com:80
  • Deny a domain and all its subdomains on all ports: dns:deny=*danger.xyz:*
  • Allow opening ipv4 sockets only on a specific IP and port: ipv4:allow=127.0.0.1:80/in.

Features

Whitelisting and Blacklisting

Each rule can be expressed as an allow (whitelist) or deny (blacklist). A socket or domain is only accessible if at least one rule whitelists it and no rule blacklists it.

Directional Filtering

IP based rules can be either directional by specifying /in or /out postfixes to the rule, or bidirectional which is the default setting for these rules.

Rule Combination

In order to prevent repetition, the parts before and after the : could hold multiple values. For example:

ipv4:deny={127.0.0.1/24, 192.168.1.1/24}:{80, 443}

This is equivalent to:

ipv4:deny=127.0.0.1/24:80,
ipv4:deny=127.0.0.1/24:443,
ipv4:deny=192.168.1.1/24:80,
ipv4:deny=192.168.1.1/24:443

Resolves #5280.
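
The rule combination and allow/deny semantics described in the PR text above, as an added example that is not Wasmer's own code. It covers only the ipv4 rule kind and assumes an ipv4_range is written in CIDR form, as in the PR's sample rule; `Dir`, `Rule`, `members`, `expand` and `permitted` are hypothetical names.

```rust
use std::net::Ipv4Addr;

#[derive(Clone, Copy, PartialEq)]
enum Dir { In, Out, Both }
struct Rule { allow: bool, net: u32, mask: u32, ports: (u16, u16), dir: Dir }

fn members(s: &str) -> Vec<&str> { // "{a, b}" or "a" -> list of members
    s.trim().trim_start_matches('{').trim_end_matches('}').split(',').map(str::trim).collect()
}

// Expand one "ipv4:<action>=<ips>:<ports>[/in|/out]" rule into the cross product of its members.
fn expand(rule: &str) -> Option<Vec<Rule>> {
    let (action, expr) = rule.strip_prefix("ipv4:")?.split_once('=')?;
    let allow = match action { "allow" => true, "deny" => false, _ => return None };
    let (expr, dir) = match (expr.strip_suffix("/in"), expr.strip_suffix("/out")) {
        (Some(e), _) => (e, Dir::In), (_, Some(e)) => (e, Dir::Out),
        _ => (expr, Dir::Both), // bidirectional is the default
    };
    let (ips, ports) = expr.rsplit_once(':')?;
    let mut out = Vec::new();
    for ip in members(ips) {
        let (addr, bits) = if ip == "*" { ("0.0.0.0", "0") } else { ip.split_once('/').unwrap_or((ip, "32")) };
        let bits = bits.parse::<u32>().ok().filter(|b| *b <= 32)?;
        let mask = if bits == 0 { 0 } else { u32::MAX << (32 - bits) };
        let net = u32::from(addr.parse::<Ipv4Addr>().ok()?) & mask;
        for p in members(ports) {
            let (lo, hi) = if p == "*" { ("0", "65535") } else { p.split_once('-').unwrap_or((p, p)) };
            let range = (lo.parse::<u16>().ok()?, hi.parse::<u16>().ok()?);
            out.push(Rule { allow, net, mask, ports: range, dir });
        }
    }
    Some(out)
}

// Accessible only if at least one allow rule matches and no deny rule matches.
fn permitted(rules: &[Rule], ip: Ipv4Addr, port: u16, dir: Dir) -> bool {
    let (ip, mut allowed) = (u32::from(ip), false);
    for r in rules {
        let hit = (ip & r.mask) == r.net && (r.ports.0..=r.ports.1).contains(&port)
            && (r.dir == Dir::Both || r.dir == dir);
        if hit && !r.allow { return false; }
        allowed |= hit && r.allow;
    }
    allowed
}

fn main() {
    let rules = expand("ipv4:deny={127.0.0.1/24, 192.168.1.1/24}:{80, 443}").unwrap();
    println!("{} rules; 127.0.0.9:80 permitted: {}", rules.len(), permitted(&rules, Ipv4Addr::new(127, 0, 0, 9), 80, Dir::Out));
}
```

A deny-only rule set permits nothing, because no allow rule ever matches; pairing it with an allow rule such as `ipv4:allow=*:{80, 443}/out` is what makes the deny entries act as exceptions.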

@ibuildthecloud

Is there a way to allow all domains? Basically in the syntax what does * mean, or is it even valid? Does * mean any domain and : is any IP?

@ibuildthecloud

We couldn't figure out a way to allow only specific IPs and all domains. For example we wanted to allow *:80, *:443. This ends up not being possible because we additionally need to add some pattern for domains like *.com.

@ibuildthecloud

I don't think the current design will satisfy these two common use cases.

Use case 1

  • I want to only allow access to example.com

Use case 2

  • I want to only allow access to *:80, *:443

The first fails because there is no way to allow all IPs but just specific domains.
The second fails because there is no way to allow only IPs but all domains.

@maminrayej maminrayej marked this pull request as ready for review December 6, 2024 04:01
@maminrayej maminrayej requested a review from theduke December 6, 2024 04:02
@maminrayej maminrayej requested a review from theduke December 6, 2024 13:59
@syrusakbary syrusakbary merged commit 40080f3 into main Dec 6, 2024
60 of 68 checks passed
@syrusakbary syrusakbary deleted the better-network-sandbox branch December 6, 2024 16:10
Successfully merging this pull request may close these issues.

Allow passing explicit flags for --net
4 participants