Merge branch 'main' of github.com:Lind-Project/lind-wasm

Author: stupendoussuperpowers

.github/workflows/dev.yml

@@ -23,7 +23,7 @@ jobs:
       # - securesystemslab/lind-wasm-dev:latest
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             securesystemslab/lind-wasm-dev

.github/workflows/e2e.yml

@@ -96,7 +96,7 @@ jobs:
           echo "----------------------------------"
 
       - name: Upload HTML report artifact to report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: wasm-e2e-report
           path: ${{ env.REPORT_LOCAL_DIR }}/${{ env.REPORT_LOCAL_FILE }}

.github/workflows/lint.yml

@@ -49,7 +49,7 @@ jobs:
               -A clippy::not_unsafe_ptr_arg_deref \
               -A clippy::absurd_extreme_comparisons
       - name: Install Zizmor via Cargo
-        run: cargo install zizmor
+        run: cargo install zizmor --version 1.15.2
 
       - name: Run Zizmor
         env:

.github/workflows/release.yml

@@ -31,7 +31,7 @@ jobs:
       # - securesystemslab/lind-wasm:latest
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: |
             securesystemslab/lind-wasm

.gitignore

@@ -8,4 +8,4 @@ clang+llvm-*
 
 #Ignore Build artifacts
 src/glibc/build/
-src/RawPOSIX/tmp/
+src/tmp/

Docker/Dockerfile.dev

@@ -27,6 +27,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends -qq \
     bison \
     build-essential \
     ca-certificates \
+    wabt \
+    strace \
     curl \
     gawk \
     git \
@@ -94,6 +96,17 @@ ENV PATH="/usr/local/bin:/home/${USERNAME}/.cargo/bin:/home/${USERNAME}/go/bin:$
 ENV CLANG="/home/${USERNAME}/lind-wasm/${CLANG_PACKAGE}"
 
 # --- Prebuild ---
-RUN make sysroot && make wasmtime
+ENV WASMTIME_PROFILE=debug
+RUN make sysroot && make wasmtime-debug
+
+# --- Make lind_* available from anywhere in the dev container ---
+# Tell scripts where the repo is (they are installed to /usr/local/bin)
+ENV LIND_WASM_ROOT=/home/${USERNAME}/lind-wasm
+USER root
+RUN install -D -m 0755 /home/${USERNAME}/lind-wasm/scripts/lind_compile /usr/local/bin/lind_compile \
+ && install -D -m 0755 /home/${USERNAME}/lind-wasm/scripts/lind_run     /usr/local/bin/lind_run     \
+ && ln -sf /usr/local/bin/lind_compile /usr/local/bin/lind-clang \
+ && ln -sf /usr/local/bin/lind_run     /usr/local/bin/lind-wasm
+USER ${USERNAME}
 
 CMD ["/bin/bash"]

Docker/Dockerfile.e2e

@@ -40,6 +40,8 @@ RUN apt-get update && \
         bison \
         build-essential \
         ca-certificates \
+        wabt \
+        strace \
         curl \
         gawk \
         libc6-dev-i386-cross \
@@ -100,10 +102,18 @@ COPY --from=build-wasmtime --parents  src/wasmtime/target .
 COPY --from=build-glibc --parents src/glibc/sysroot .
 COPY --parents scripts tests tools skip_test_cases.txt .
 
+ENV LIND_WASM_ROOT=/
+RUN install -D -m 0755 /scripts/lind_compile /usr/local/bin/lind_compile \
+ && install -D -m 0755 /scripts/lind_run     /usr/local/bin/lind_run     \
+ && ln -sf /usr/local/bin/lind_compile /usr/local/bin/lind-clang \
+ && ln -sf /usr/local/bin/lind_run     /usr/local/bin/lind-wasm
+
 
 # Run all tests, print results, and exit with 1, if any test fails; 0 otherwise
 FROM base AS test
 COPY --parents scripts tests tools skip_test_cases.txt Makefile .
+# Create symlink so hardcoded paths in wasmtime match Docker environment
+RUN mkdir -p /home/lind && ln -sf / /home/lind/lind-wasm
 # NOTE: Build artifacts from prior stages are only mounted, to save COPY time
 # and cache layers. This means they are not preserved in the resulting image.
 RUN --mount=from=build-wasmtime,source=src/wasmtime/target,destination=src/wasmtime/target \

Makefile

@@ -1,8 +1,14 @@
+LIND_ROOT ?= src/tmp
 
 .PHONY: build 
 build: sysroot wasmtime
 	@echo "Build complete"
 
+.PHONY: prepare-lind-root
+prepare-lind-root:
+	mkdir -p $(LIND_ROOT)/dev
+	touch $(LIND_ROOT)/dev/null
+
 .PHONY: all
 all: build
 
@@ -15,10 +21,15 @@ wasmtime:
 	# Build wasmtime with `--release` flag for faster runtime (e.g. for tests)
 	cargo build --manifest-path src/wasmtime/Cargo.toml --release
 
+.PHONY: wasmtime-debug
+wasmtime-debug:
+	# Build wasmtime in debug mode for faster iteration in devcontainer
+	cargo build --manifest-path src/wasmtime/Cargo.toml
+
 .PHONY: test
-test:
+test: prepare-lind-root
 	# NOTE: `grep` workaround required for lack of meaningful exit code in wasmtestreport.py
-	LIND_WASM_BASE=. LIND_FS_ROOT=src/RawPOSIX/tmp \
+	LIND_WASM_BASE=. LIND_ROOT=$(LIND_ROOT) \
 	./scripts/wasmtestreport.py && \
 	cat results.json; \
 	if grep -q '"number_of_failures": [^0]' results.json; then \
@@ -85,5 +96,5 @@ clean:
 distclean: clean
 	@echo "removing test outputs & temp files"
 	$(RM) -f results.json report.html
-	$(RM) -r src/RawPOSIX/tmp/testfiles || true
+	$(RM) -r $(LIND_ROOT)/testfiles || true
 	find tests -type f \( -name '*.wasm' -o -name '*.cwasm' -o -name '*.o' \) -delete

README.md

@@ -14,7 +14,7 @@ In Old Norse, Old High German and Old English a “lind” is a shield construct
 ## Getting started
 
 Check out the [Getting started](https://lind-project.github.io/lind-wasm/getting-started/)
-guide and [docs on our website](https://lind-project.github.io/lind-wasm/)
+guide for a Hello World! example and [our docs](https://lind-project.github.io/lind-wasm/)
 to learn more about Lind!
 
 
@@ -28,7 +28,10 @@ This monorepo combines various subprojects and dependencies that work together t
 | Component     | Location          | Description                                                                 |
 |---------------|-------------------|-----------------------------------------------------------------------------|
 | `fdtables`    | `src/fdtables`    | Provides file descriptor table management, used to emulate POSIX semantics |
-| `RawPOSIX`    | `src/RawPOSIX`    | Implementation of raw POSIX syscall wrappers used internally by Lind       |
+| `rawposix`    | `src/rawposix`    | Implementation of raw POSIX syscall wrappers used internally by Lind       |
+| `threei`    | `src/threei`   | System call mediation layer for policy deployment                          |
+| `typemap`   | `src/typemap`  | Defines custom data structures and type conversion functions used across Lind |
+| `cage`      | `src/cage`     | Implements the custom `Cage` structure and its subsystems, including `vmmap` (virtual memory mapping) and `signal` handling |
 | `sysdefs`     | `src/sysdefs`     | Shared system call definitions and constants for cross-platform support    |
 
 ### Third-Party Projects (Source)

docs/getting-started.md

@@ -39,8 +39,8 @@ EOF
 Use lind scripts to compile and run your program in the Lind Sandbox.
 
 ```bash
-./scripts/lind_compile hello.c
-./scripts/lind_run hello.cwasm
+lind-clang hello.c
+lind-wasm hello.cwasm
 ```
 
 *Here is what happens under the hood:*