From 8a4dab1fc9cc5bba0a0b877f0711287c2bc3bb5b Mon Sep 17 00:00:00 2001 From: Jon Langevin Date: Mon, 25 May 2026 01:28:54 -0400 Subject: [PATCH] fix: align default runtime profile shapes --- protocol/types.go | 70 ++++++++++++++++++++++++---------- protocol/types_test.go | 85 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 135 insertions(+), 20 deletions(-) diff --git a/protocol/types.go b/protocol/types.go index 17a47c2..4775b4a 100644 --- a/protocol/types.go +++ b/protocol/types.go @@ -1304,26 +1304,58 @@ func (p ResiduePolicy) UsesReusableWorkspace() bool { } func DefaultProviderRuntimeProfile(executorProvider string, tier ExecutionSecurityTier, proof ProofTier) ProviderRuntimeProfile { + runtimeProfile := RuntimeProfileSandboxedOCI + writableRootFS := RuntimePermissionForbidden + capabilities := []string{} + conformance := []string{"sandboxed-oci-v1"} + mountRefs := []string{"workspace"} + writablePaths := []string{"/tmp"} + runtimeTools := []ContainerRuntimeTool{ContainerRuntimePodman, ContainerRuntimeDocker, ContainerRuntimeNerdctl} + imageDigestRequired := true + rootFSDigestRequired := true + switch executorProvider { + case "sandboxed-container-build": + runtimeProfile = RuntimeProfileContainerBuild + writableRootFS = RuntimePermissionExplicit + capabilities = []string{"CHOWN", "FOWNER"} + conformance = []string{"container-build-v1"} + writablePaths = []string{"/tmp", "/wfcompute-build"} + case "service-sandboxed-container", "node-service-sandboxed-container": + runtimeProfile = RuntimeProfileServiceOCI + conformance = []string{"service-oci-v1"} + if executorProvider == "node-service-sandboxed-container" { + mountRefs = []string{"workspace", "node-data"} + } + case "wasm-component": + runtimeProfile = RuntimeProfileWASMComponent + conformance = []string{"wasm-component-v1"} + mountRefs = nil + writablePaths = nil + runtimeTools = nil + imageDigestRequired = false + rootFSDigestRequired = false + } + hostWorkspaceSupported := runtimeProfile != RuntimeProfileWASMComponent && runtimeProfile != RuntimeProfileBrowserWorker return ProviderRuntimeProfile{ - ID: executorProvider + "-" + string(tier) + "-" + string(proof) + "-runtime", - RuntimeProfile: RuntimeProfileServiceOCI, - ExecutorProvider: executorProvider, - ExecutionSecurityTier: tier, - ProofTier: proof, - AllowedRuntimeTools: []ContainerRuntimeTool{ContainerRuntimePodman, ContainerRuntimeDocker, ContainerRuntimeNerdctl}, - ImageDigestRequired: true, - RootFSDigestRequired: true, - AllowedMountRefs: []string{"workspace", "node-data"}, - WritablePaths: []string{"/tmp"}, - WritableRootFS: RuntimePermissionForbidden, - Privileged: RuntimePermissionForbidden, - HostNamespaces: RuntimePermissionForbidden, - HostSocket: RuntimePermissionForbidden, - SeccompDisable: RuntimePermissionForbidden, - NoNewPrivilegesDisable: RuntimePermissionForbidden, - ConformanceProfiles: []string{"service-oci-v1"}, - HostWorkspaceSupported: true, - UpstreamClientConformance: UpstreamClientConformanceShapeOnly, + ID: executorProvider + "-" + string(tier) + "-" + string(proof) + "-runtime", + RuntimeProfile: runtimeProfile, + ExecutorProvider: executorProvider, + ExecutionSecurityTier: tier, + ProofTier: proof, + AllowedRuntimeTools: runtimeTools, + ImageDigestRequired: imageDigestRequired, + RootFSDigestRequired: rootFSDigestRequired, + AllowedMountRefs: mountRefs, + WritablePaths: writablePaths, + WritableRootFS: writableRootFS, + Privileged: RuntimePermissionForbidden, + HostNamespaces: RuntimePermissionForbidden, + HostSocket: RuntimePermissionForbidden, + SeccompDisable: RuntimePermissionForbidden, + NoNewPrivilegesDisable: RuntimePermissionForbidden, + AllowedCapabilities: capabilities, + ConformanceProfiles: conformance, + HostWorkspaceSupported: hostWorkspaceSupported, } } diff --git a/protocol/types_test.go b/protocol/types_test.go index 62d3b05..bd31ddc 100644 --- a/protocol/types_test.go +++ b/protocol/types_test.go @@ -804,13 +804,96 @@ func TestDefaultProviderRuntimeContractBuildsRuntimeMatrix(t *testing.T) { profile.UpstreamClientEvidenceDigest == "" { t.Fatalf("runtime profile missing shared options: %+v", profile) } - if !slices.Contains(profile.ConformanceProfiles, "service-oci-v1") || + if len(profile.ConformanceProfiles) < 2 || !slices.Contains(profile.ConformanceProfiles, "upstream-client-v1") { t.Fatalf("runtime profile missing default or option conformance profiles: %+v", profile.ConformanceProfiles) } } } +func TestDefaultProviderRuntimeProfileMatchesKnownExecutorShapes(t *testing.T) { + tests := []struct { + executor string + runtimeProfile protocol.RuntimeProfile + conformanceProfile string + writableRootFS protocol.RuntimePermission + allowedCapabilities []string + allowedMountRefs []string + writablePaths []string + imageDigestRequired bool + rootFSDigestRequired bool + hostWorkspaceSupported bool + }{ + { + executor: "sandboxed-command", + runtimeProfile: protocol.RuntimeProfileSandboxedOCI, + conformanceProfile: "sandboxed-oci-v1", + writableRootFS: protocol.RuntimePermissionForbidden, + allowedMountRefs: []string{"workspace"}, + writablePaths: []string{"/tmp"}, + imageDigestRequired: true, + rootFSDigestRequired: true, + hostWorkspaceSupported: true, + }, + { + executor: "sandboxed-container-build", + runtimeProfile: protocol.RuntimeProfileContainerBuild, + conformanceProfile: "container-build-v1", + writableRootFS: protocol.RuntimePermissionExplicit, + allowedCapabilities: []string{"CHOWN", "FOWNER"}, + allowedMountRefs: []string{"workspace"}, + writablePaths: []string{"/tmp", "/wfcompute-build"}, + imageDigestRequired: true, + rootFSDigestRequired: true, + hostWorkspaceSupported: true, + }, + { + executor: "node-service-sandboxed-container", + runtimeProfile: protocol.RuntimeProfileServiceOCI, + conformanceProfile: "service-oci-v1", + writableRootFS: protocol.RuntimePermissionForbidden, + allowedMountRefs: []string{"workspace", "node-data"}, + writablePaths: []string{"/tmp"}, + imageDigestRequired: true, + rootFSDigestRequired: true, + hostWorkspaceSupported: true, + }, + { + executor: "wasm-component", + runtimeProfile: protocol.RuntimeProfileWASMComponent, + conformanceProfile: "wasm-component-v1", + writableRootFS: protocol.RuntimePermissionForbidden, + imageDigestRequired: false, + rootFSDigestRequired: false, + hostWorkspaceSupported: false, + }, + } + for _, tc := range tests { + t.Run(tc.executor, func(t *testing.T) { + profile := protocol.DefaultProviderRuntimeProfile(tc.executor, protocol.ExecutionSandboxedContainer, protocol.ProofArtifactHash) + if profile.RuntimeProfile != tc.runtimeProfile || + profile.WritableRootFS != tc.writableRootFS || + profile.ImageDigestRequired != tc.imageDigestRequired || + profile.RootFSDigestRequired != tc.rootFSDigestRequired || + profile.HostWorkspaceSupported != tc.hostWorkspaceSupported { + t.Fatalf("runtime profile mismatch: %+v", profile) + } + if !slices.Contains(profile.ConformanceProfiles, tc.conformanceProfile) { + t.Fatalf("missing conformance profile %q: %+v", tc.conformanceProfile, profile.ConformanceProfiles) + } + if !slices.Equal(profile.AllowedCapabilities, tc.allowedCapabilities) { + t.Fatalf("allowed capabilities = %+v, want %+v", profile.AllowedCapabilities, tc.allowedCapabilities) + } + if !slices.Equal(profile.AllowedMountRefs, tc.allowedMountRefs) { + t.Fatalf("allowed mount refs = %+v, want %+v", profile.AllowedMountRefs, tc.allowedMountRefs) + } + if !slices.Equal(profile.WritablePaths, tc.writablePaths) { + t.Fatalf("writable paths = %+v, want %+v", profile.WritablePaths, tc.writablePaths) + } + }) + } +} + func countString(values []string, target string) int { count := 0 for _, value := range values {