sandbox webassembly blazor-webassembly isolation wasmtime

host can choose which system calls pass to each webassembly module

part of the talk of Lin Clark in https://hacks.mozilla.org/2019/03/standardizing-wasi-a-webassembly-system-interface/:

It also gives us sandboxing because the host can choose which wasi-core functions to pass in — so, which system calls to allow — on a program-by-program basis. This preserves security.

she says host can choose which system calls pass to each wasm module. for example read() system call passes to module A and write() system call to module B.

is it implemented in wasmtime or lucet or other runtimes? or is it just a dream without implementation in real world?

Solution

Yes it is implemented in all runtimes implementing wasi. The reason is that this feature is related to import/export mechanism of WebAssembly.

remember user selected folder and reopen it by NSOpenPanel under Sandbox
Apple Push Notification Service connects, but no notification is recieved
Reading file contents on the client-side in javascript in various browsers
How to get the parent window URL from Iframe?
Trouble downloading files in Google Apps Script web app after Chrome update
CCAvenue Sandbox Site For Testing
Blocked script execution in because the document's frame is sandboxed - Angular application
Is there a PHP Sandbox, something like JSFiddle is to JS?
In App Sandbox does not work IOS Simulator - Flutter
Python: block network connections for testing purposes?
Azure app authentication with Sandbox account returns "unauthorized_client: The client does not exist or is not enabled for consumers." error
Swift Vapor Console App - The operation couldn’t be completed. Permission denied
How to build Sandboxed app without XCode?
How to prevent external script from top level navigation
dnsmasq: failed to start DNS caching server
Sandbox app in purchase show different price iOS
Business Central Sandbox for old version
What is ().__class__.__base__.__subclasses__()?
How to give access to a group of users after refreshing a salesforce sandbox?
Can you run GUI applications in a Linux Docker container?
How to create a 'sandbox' with a virtualised registry for an application?
How to set a Flatpak application to autostart?
How can I prevent an iframe displaying an email to load images and other email trackers?
Cannot login to Salesforce Sandbox via python API
Create java sandbox based on security policies
How to run java code in a restricted sandbox (without network, filesystem access)
Disable access to os and io library in Lua runtime
I cannot set permissions to read a file in my project directory using Xcode 14 and Swift 5 on macOS Ventura
Canvas drawing in a sandboxed iframe
Electron Drag & Drop Into Unfocused Window