cargo-sandbox
Perform Cargo builds inside of a sandboxed environment
What's the status of cargo-sandbox?
There is a proof-of-concept implementation using https://github.com/containers/bubblewrap as the sandboxing backend. See https://www.reddit.com/r/rust/comments/hjxh2a/partially_sandbox_your_rust_builds/
If that inspires anything:

```
$ cargo fetch && podman run --rm -it \
    --mount type=bind,source="$(pwd)"/,target=/build,rw \
    --mount type=bind,source="${HOME}"/.cargo/git,target=/usr/local/cargo/git,ro \
    --mount type=bind,source="${HOME}"/.cargo/registry,target=/usr/local/cargo/registry,ro \
    --network none -w /build rust cargo build --offline
```

Replace `podman`...
Uses a restricted Docker container for performing Rust builds: https://github.com/rust-lang/rustwide May be helpful for (or eliminate the need for) this project.
Pushing this up for posterity... it doesn't seem like `rustwide` is well-suited to use in a development environment, and would be better for things like reproducible builds of released crates.
This project is using Docker to run sandboxed builds: https://www.reddit.com/r/rust/comments/dti647/announcing_cargowharf_docker_image_builder_for/ Apparently the sandboxing backends are also pluggable.
At a high level, the goal of this project is to perform cargo builds inside of a sandboxed environment which restricts, to some extent, the capabilities of any code that executes...
This commit signals the intent of this project to explore `gaol` as the mechanism by which builds are sandboxed: https://github.com/servo/gaol

The README.md for `gaol` carries the following warning:

> gaol...