WebAssembly and Back Again: Fine-Grained Sandboxing in Firefox 95

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. fennecbuild

    Firefox appears to utilize a custom clang toolchain to enable this without documenting how to make such a toolchain (wasi sysroot), and expects you to just download the precompiled version from their servers.

    Fedora and Fennec F-Droid have since disabled this feature.

    https://src.fedoraproject.org/rpms/firefox/c/4cb1381d80a94c9...

    https://gitlab.com/relan/fennecbuild/-/commit/12cdb51bb045c3...

  3. wasi-libc

    WASI libc implementation for WebAssembly

    Pretty sure you can build it yourself from https://github.com/WebAssembly/wasi-libc given that https://github.com/WebAssembly/wasi-libc/commit/ad5133410f66... is a contribution from a MoCo employee doing a lot of work around toolchains.

  4. rlbox

    RLBox sandboxing framework

    https://github.com/PLSysSec/rlbox_sandboxing_api/blob/master...

    Seems like it could get a bit verbose when used all over the place but I’m not really used to the C++ world. Regardless I’m happy to see the effort being made beyond process isolation and OS capabilities.

  5. wasi-sdk

    WASI-enabled WebAssembly C/C++ toolchain

    There's also the https://github.com/WebAssembly/wasi-sdk repo which is kind of a meta-build-system for all this.

    But in FreeBSD we build all the pieces directly, here's our build recipes (with some hacks due to llvm's cmake code being stupid sometimes):

    compiler-rt (from llvm): https://github.com/freebsd/freebsd-ports/blob/main/devel/was...

    libc (from what you linked): https://github.com/freebsd/freebsd-ports/blob/main/devel/was...

    libc++ (from llvm): https://github.com/freebsd/freebsd-ports/blob/main/devel/was...

  6. freebsd-ports

    FreeBSD ports tree (read-only mirror)

  7. nightly-crimes

    Please do not use this.

    More specifically, unsafe blocks may violate the compiler's security guarantees and procedural macros actually run inside the compiler process at build time. Declarative macros do this too, but they're far too restricted to allow shenanigans. Procmacros can disable Rust's stability guarantees[0].

    [0] https://github.com/m-ou-se/nightly-crimes

  8. svntogit-packages

    Discontinued Automatic import of svn 'packages' repo (read-only mirror)

    Looks like Arch Linux is building it themselves with --with-wasi-sysroot. The changes they made to the build script for the 95.0 release are pretty instructive: https://github.com/archlinux/svntogit-packages/commit/532ac4...

    Hopefully Fedora manage to implement this to their satisfaction in the near future, although requiring extremely recent releases of build tools might be a blocker for some distros.
