1

As I know, WASI gives sand-boxed WebAssembly applications access to the underlying operating system and also Emscripten FS provides several file systems such, NODEFS. My question is both WASI and EMscriptenFS stands for same objective to provide sand-boxed file systems or these two has different usage? can some one help me out the understand both?

Asanka
  • 552
  • 6
  • 15

1 Answers1

3

Emscripten itself does not aim to provide any sandboxing. With emscripten, any sandboxing of the compiled code is provide by the host environment. For example, by far the most common host if the web which has a very strong sandbox of its own. If you run emscripten code on the web is has exactly the same privileges as the rest of the JS code on the page. Likewise, if you run emscripten generated code under node if has the same privileges as the rest of the JS code in the process (i.e. by default this means the same privileges as the node process itself).

One of the goals of WASI however is to define a strict sandbox such that it becomes simple for a host environment to decide exactly what resources to share with a WebAssembly module.

sbc100
  • 2,619
  • 14
  • 11
  • 1
    Interestingly/confusingly due to the fast that the web isself provides no local filesystem access at all, emscripten code normally runs in *more* of a filesystem sandbox than wasi (since wasi programs are often given access to certain local directories). But this is not but design of emscripten, its just a side effect of running on the web. – sbc100 Mar 08 '21 at 15:43
  • My use-case is running on server-side: if only `.wasm` file is generated using Emscripten for native code, with file read implementation in native language. (Js code is use to just instantiate WebAssembly module). Then can webassebly code read the file system ? – Asanka Mar 08 '21 at 17:46
  • No.. WebAssembly core can't go anything except call the functions that it imports, so if you want want create your own JS code to load the module its completely up to use to decide what it has access to. In that case you would effectively be creating your own sandbox implementation in JS. – sbc100 Mar 09 '21 at 18:15