idea on how to get sandboxed build-scripts

[boozook]

Problem

Known problem - build-scripts are allowed to do absolutely anything - network, io, write fs outside of OUT_DIR, etc..

Proposed Solution

We just need custom runner setting such as existing target..runner but for build-scripts.
That way everyone on any platform can specify their own parameters for their sandbox. e.g. for macOs something like : sandbox-exec -p “(version 1)(allow default)(deny network*)” denies network access.

---

This is good, I suppose, because:

1. Universal solution that can be used in various ways on any host,
2. Independent from inner in-toolchain implementation, see next point,
3. Depends only on outer things by user or users System, which is great. It can be user’s script, tool, or preconfigured sandbox or environment.
4. Simpl impl - runner already there.

[epage]

Note that our primary issue for discussing sandboxing is #5720. The main reason I can think of to keep these separate is if this is a short-term / limited improvement while we want to keep #5720 as the more general improvement.

Couldn't the same thing be done via cargo fetch && sandbox-exec -p “(version 1)(allow default)(deny network*)” cargo build? The main benefit of a more general solution would be that you can be more precise in which packages are granted exceptions and what those exceptions are.

[boozook]

@epage Thanks. I've updated first comment, added reasons why it could be good and simple.

Couldn't the same thing be done via cargo fetch && sandbox-exec -p “(version 1)(allow default)(deny network*)” cargo build

Unfortunately not at all, because this way we

1. Have to do pre-call fetch and
2. We can't determine what tool we are calling - there is only cargo on top with all its sub-processes.
   But my suggested solution allows (as for runner) determine what thing we are executing and what sendboxing rules to use. Yup, there is no crate name, but there is bin name with path, as minimum. Just imagine replace sandbox-exec... with your script/tool.

[weihanglo]

For a similar solution, see weihanglo#66. I kinda agree with Ed that if it is wrappping-it-all, the motivation of sandboxing is less strong than solutions that do need custom runners such as wasi runner.
(I am not saying sandboxing is not necessary to clarify)