fix StoreBuilder::inherit_limited_network (#2541)

* fix `StoreBuilder::inherit_limited_network`

Previously, this called `WasiCtxBuilder::inherit_network`, but that had no
effect since `StoreBuilder::build_with_data` later overwrites that setting by
calling `WasiCtxBuilder::socket_addr_check` with a lambda that uses
`StoreBuilder::net_pool` to check addresses.  In this cases,
`StoreBuilder::net_pool` has not had any subnets added to it, so it denies
everything, which is the opposite of what we intended.

The solution is to have `StoreBuilder::inherit_limited_network` update
`net_pool` to allow all IPv4 and IPv6 networks.

Signed-off-by: Joel Dice <[email protected]>

* address review feedback

- Rename `StoreBuilder::inherit_limited_network` to `inherit_network`
- Add comments explaining use of `Pool` and CIDR addresses

Signed-off-by: Joel Dice <[email protected]>

---------

Signed-off-by: Joel Dice <[email protected]>

Author: dicej

crates/core/src/store.rs

@@ -1,10 +1,11 @@
 use anyhow::{anyhow, Result};
 use bytes::Bytes;
 use cap_primitives::net::Pool;
-use cap_std::ipnet::IpNet;
+use cap_std::ipnet::{IpNet, Ipv4Net, Ipv6Net};
 use std::{
     io::{Read, Write},
     mem,
+    net::{Ipv4Addr, Ipv6Addr},
     path::{Path, PathBuf},
     sync::{Arc, Mutex},
     time::{Duration, Instant},
@@ -201,17 +202,27 @@ impl StoreBuilder {
         );
     }
 
-    /// Inherit the host network with a few hardcoded caveats
-    pub fn inherit_limited_network(&mut self) {
+    /// Allow unrestricted outbound access to the host network.
+    pub fn inherit_network(&mut self) {
         self.with_wasi(|wasi| match wasi {
             WasiCtxBuilder::Preview1(_) => {
                 panic!("Enabling network only allowed in preview2")
             }
-            WasiCtxBuilder::Preview2(ctx) => {
+            WasiCtxBuilder::Preview2(_) => {
                 // TODO: ctx.allow_udp(false);
-                ctx.inherit_network();
             }
         });
+
+        // Allow access to 0.0.0.0/0, i.e. all IPv4 addresses
+        self.net_pool.insert_ip_net_port_any(
+            IpNet::V4(Ipv4Net::new(Ipv4Addr::new(0, 0, 0, 0), 0).unwrap()),
+            cap_primitives::ambient_authority(),
+        );
+        // Allow access to 0:/0, i.e. all IPv6 addresses
+        self.net_pool.insert_ip_net_port_any(
+            IpNet::V6(Ipv6Net::new(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0), 0).unwrap()),
+            cap_primitives::ambient_authority(),
+        );
     }
 
     /// Sets the WASI `stdin` descriptor to the given [`Read`]er.

crates/trigger/src/network.rs

@@ -29,15 +29,13 @@ impl TriggerHooks for Network {
         let allowed_hosts =
             spin_outbound_networking::AllowedHostsConfig::parse(&hosts, &self.resolver)?;
         match allowed_hosts {
-            spin_outbound_networking::AllowedHostsConfig::All => {
-                store_builder.inherit_limited_network()
-            }
+            spin_outbound_networking::AllowedHostsConfig::All => store_builder.inherit_network(),
             spin_outbound_networking::AllowedHostsConfig::SpecificHosts(configs) => {
                 for config in configs {
                     if config.scheme().allows_any() {
                         match config.host() {
                             spin_outbound_networking::HostConfig::Any => {
-                                store_builder.inherit_limited_network()
+                                store_builder.inherit_network()
                             }
                             spin_outbound_networking::HostConfig::AnySubdomain(_) => continue,
                             spin_outbound_networking::HostConfig::ToSelf => {}