From patchwork Tue Apr  8 19:57:20 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ian Eure <ian@retrospec.tv>
X-Patchwork-Id: 2912
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id A311A27BC4B; Tue,  8 Apr 2025 20:58:27 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIM_INVALID,
	DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,
	RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,
	SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.6
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTPS id 84F6127BC49
	for <patchwork@mira.cbaines.net>; Tue,  8 Apr 2025 20:58:26 +0100 (BST)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces@gnu.org>)
	id 1u2F5C-0006t6-2m; Tue, 08 Apr 2025 15:58:06 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1u2F5A-0006sN-9v
 for guix-patches@gnu.org; Tue, 08 Apr 2025 15:58:04 -0400
Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1u2F59-0003Pi-Vz
 for guix-patches@gnu.org; Tue, 08 Apr 2025 15:58:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=debbugs.gnu.org; s=debbugs-gnu-org;
 h=MIME-Version:Date:From:To:Subject;
 bh=0UUAqwMtjrq9UrYC/6JSIkPF8vtVBG7ItbCAiOXQGgA=;
 b=ugb0cHcbFSm/2SPZwTlk/Jc9YjzUbKir7EXiiWQSJP9/LBWWCc8+3THYMHq9bgHwX1eRqUlaNZFjLGCsFGIUCfKGn7VEeEiOIO5d+nQ7jegJJeDEOLT+ovgVMPubOgHaAoxAvfEXuPwEZKBo1WiT/TK4Sc+QaKcgxt3CVWMj/UE87zfhXPH4ts5HfrEwX3O+Cquauw50jjJv1Fq5bEo1xL1kvmu35e6+gxPoRnxUf/aKWZy8SDgc1CX0XZ8yaCgkLuHZWyiatohvksZrMviVaH6oSsgXvyXXFbvrqBq/grXkQbLclF5mW8S45Oau7MraPFJEUXjgL4INfrotl4tweQ==;
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1u2F58-0000Jg-EP
 for guix-patches@gnu.org; Tue, 08 Apr 2025 15:58:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#77653] [PATCH 0/4] Add WASM toolchain, wasi-libc,
 and browser WASM sandbox support
Resent-From: Ian Eure <ian@retrospec.tv>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 08 Apr 2025 19:58:02 +0000
Resent-Message-ID: <handler.77653.B.17441422701181@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 77653
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 77653@debbugs.gnu.org
Cc: Ian Eure <ian@retrospec.tv>
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.17441422701181
 (code B ref -1); Tue, 08 Apr 2025 19:58:02 +0000
Received: (at submit) by debbugs.gnu.org; 8 Apr 2025 19:57:50 +0000
Received: from localhost ([127.0.0.1]:35599 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1u2F4v-0000Ix-KH
 for submit@debbugs.gnu.org; Tue, 08 Apr 2025 15:57:50 -0400
Received: from lists.gnu.org ([2001:470:142::17]:35914)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ian@retrospec.tv>) id 1u2F4s-0000Ia-Iv
 for submit@debbugs.gnu.org; Tue, 08 Apr 2025 15:57:47 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ian@retrospec.tv>) id 1u2F4j-0006oS-5H
 for guix-patches@gnu.org; Tue, 08 Apr 2025 15:57:37 -0400
Received: from fout-a4-smtp.messagingengine.com ([103.168.172.147])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ian@retrospec.tv>) id 1u2F4c-0003O3-5o
 for guix-patches@gnu.org; Tue, 08 Apr 2025 15:57:36 -0400
Received: from phl-compute-11.internal (phl-compute-11.phl.internal
 [10.202.2.51])
 by mailfout.phl.internal (Postfix) with ESMTP id 09B6A1380194;
 Tue,  8 Apr 2025 15:57:25 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163])
 by phl-compute-11.internal (MEProxy); Tue, 08 Apr 2025 15:57:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=retrospec.tv; h=
 cc:cc:content-transfer-encoding:content-type:date:date:from:from
 :in-reply-to:message-id:mime-version:reply-to:subject:subject:to
 :to; s=fm1; t=1744142245; x=1744228645; bh=0UUAqwMtjrq9UrYC/6JSI
 kPF8vtVBG7ItbCAiOXQGgA=; b=jyOvFfTfiiVBdSxoSkSc0vOBP/NC9QctuV5gA
 3K/eeQLJnriyy/L44+q31HKi2EXzFIzdxr59ROIzlhQjb6wQVD14iFEOJoQt8Ok1
 WnGpWTLEDs1QkCZvmmFn0cEsPmICY+T9Nc1jssCB6PRy4gDzlFhXNZaQGMff528/
 90Yf6uT6GaoREk0m+pvu9ggX+ot4BxEhZuFN/xeXBtGALGC+rbp0ZMwqBw8JvsAL
 8QFv1/F68NkHx/+puSbUACrq/T441XaMrQYPMJdNO3oR0KDhUhfFAkJmUZvyMkB/
 qMux27011c3Cngs6kKIY7SBkgmqHefN/vs02BSHxJt8uEJ6Yw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:cc:content-transfer-encoding
 :content-type:date:date:feedback-id:feedback-id:from:from
 :in-reply-to:message-id:mime-version:reply-to:subject:subject:to
 :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=
 1744142245; x=1744228645; bh=0UUAqwMtjrq9UrYC/6JSIkPF8vtVBG7ItbC
 AiOXQGgA=; b=xkOGWio+TDBUNjhE7coUD8PPF+hu0eUWo9/J0gHXSnTlvLD7RCQ
 mGj0FMzrukvt104k/AXsQamaMMWYHDV75SPTqebVsleOJ7wnGeCPbl+UohEXkRPL
 JpXZfULrf8PCVtMYaAVUhrfx9PsPkJFv6Y6UjkNSYzAzzZsDiljZwACtlY0OfiQU
 7cf1hXBRlJrZSABjKHGmEr0QwkUTkDUYQ4THxNGU3o+WXzSU5bz+MX1YP6mCt//f
 BuG+32CYfgazOo1cEDvFMnQMlPuaOpZgHEtuBCTMtrMhzAhTvjMEtYKUuc2HQzfZ
 CQeVogGYBGjdUp9d3lU56r9Q30y0D5t2VuQ==
X-ME-Sender: <xms:pH_1Z7AgHTisfbl4IZQ_s49EGH8OxFOxSIPQEsDsKA0wltCzxyIesw>
 <xme:pH_1Zxgn-xnzLbj949CYtMmQ7OM9DoUzEjrB5sgBMa_8EgM-wmsXCk_Oy9DAfB3hl
 JhnnQZEXUaD5N48Rg>
X-ME-Received: 
 <xmr:pH_1Z2mNj4av7oDkVK6NYzAaCTM7Y_cuXhUeuck3sPIuXNz2eaSF1kiu0aPOak0_gX6GBFPm18vAKEvZz7XsdxeZGEV0pX0q4gdpZgxGc3hZZuGdpDarKg>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvtdefleelucetufdoteggodetrf
 dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv
 pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefhvf
 evufffkffoggfgsedtkeertdertddtnecuhfhrohhmpefkrghnucfguhhrvgcuoehirghn
 sehrvghtrhhoshhpvggtrdhtvheqnecuggftrfgrthhtvghrnhepteduveegfefhieegke
 efkeeitdelleelffettefgueelteeitdeuleefgeffjeevnecuffhomhgrihhnpehmohii
 ihhllhgrrdhorhhgpdgtohguvggsvghrghdrohhrghdpghhithhlrggsrdgtohhmnecuve
 hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepihgrnhesrhgv
 thhrohhsphgvtgdrthhvpdhnsggprhgtphhtthhopedvpdhmohguvgepshhmthhpohhuth
 dprhgtphhtthhopehguhhigidqphgrthgthhgvshesghhnuhdrohhrghdprhgtphhtthho
 pehirghnsehrvghtrhhoshhpvggtrdhtvh
X-ME-Proxy: <xmx:pH_1Z9z32vO_wUt98fD1IAPmLzmrusNRam2VAqBF1SYf_zdMBB8zwA>
 <xmx:pH_1ZwT1_hHf00THCoUDvVN4oMGWH5RDnx1O71r_FYxlu-8I3iXTzA>
 <xmx:pH_1ZwaHRpJymlH5rt7Of7h4KkdSmf-InnIwV18qBNeacAcoLCzAYA>
 <xmx:pH_1ZxRzfMWoHel0ezQ0Jk9uwm0LzGWM-PdC7ItdBIonY9HiVP9S9Q>
 <xmx:pX_1Z5TPQAjwhT8wLYntSC9bLRjqgLWOGU3urnQU6QzfdcM1aSsaUBRh>
Feedback-ID: id9014242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue,
 8 Apr 2025 15:57:23 -0400 (EDT)
From: Ian Eure <ian@retrospec.tv>
Date: Tue,  8 Apr 2025 12:57:20 -0700
Message-ID: <20250408195720.2021-1-ian@retrospec.tv>
X-Mailer: git-send-email 2.49.0
MIME-Version: 1.0
Received-SPF: pass client-ip=103.168.172.147; envelope-from=ian@retrospec.tv;
 helo=fout-a4-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001,
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
X-getmail-retrieved-from-mailbox: Patches

This patch series adds a Clang variant which can emit WASM; runtime support for WASM binaries; wasi-libc, a libc implementation for WASM programs; and a `wasm-sandboxed' function which creates a WASM sandboxed variant of Firefox-based browsers.

In Firefox and Firefox-derived browsers, WASM sandboxing is a security technique which compiles C/C++ libraries into WASM, then translates the WASM back into native code.  This allows leveraging the WASM security model to isolate the library from the browser, without needing a separate process to contain it.  Please see this blog post for more info: https://hacks.mozilla.org/2020/02/securing-firefox-with-webassembly/

The code is extracted from my personal channel[1], which in turn is based on work done for nonguix's Firefox package.  I've been daliy-driving personal variants of LibreWolf since before the package was accepted into Guix, and nonguix's Firefox has been using it even longer.

[1]: https://codeberg.org/ieure/atomized-guix/src/branch/main/atomized/packages/wasm.scm
[2]: https://gitlab.com/nonguix/nonguix/-/blob/master/nongnu/packages/wasm.scm?ref_type=heads

Ian Eure (4):
  gnu: Add wasi-libc.
  gnu: Add wasm32-wasi-clang-runtime.
  gnu: Add wasm32-wasi-clang.
  gnu: Add wasm-sandboxed.

 gnu/packages/gnuzilla.scm |  30 +++++++++
 gnu/packages/wasm.scm     | 135 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 gnu/packages/wasm.scm