rust-secure-code / cargo-sandbox

Perform Cargo builds inside of a sandboxed environment
Apache License 2.0

Use gaol as the sandboxing mechanism #4

Open tarcieri opened 5 years ago

tarcieri commented 5 years ago

This commit signals the intent of this project to explore gaol as the mechanism by which builds are sandboxed:

https://github.com/servo/gaol

The README.md for gaol carries the following warning:

gaol is only lightly reviewed for correctness and security. It should not be considered mature or "battle-tested". Use at your own risk.

However, a cursory review of gaol's source code shows it's a relatively simple cross-platform sandboxing solution which provides pure Rust wrappers for the underlying OS facilities sandboxing solutions should be leveraging.

As gaol is used by Servo, it's something the Rust team is probably already familiar with, which increases the chances of upstreaming a sandboxing solution into Cargo proper, a potential goal for this project.

tarcieri commented 5 years ago

There are many different approaches to sandboxing this crate could potentially take. I would suggest discussion of significantly different approaches (e.g. virtual machines) happen on the Determine project goals (#3) issue, and suggest this PR focus specifically on whether or not gaol is the correct path forward here.

I will provide a quick list of pros/cons for gaol:

Pros

Cons

alex commented 5 years ago

No Windows support -- and Windows is by far the most complex OS to work on. Sadly Windows doesn't really lend itself to the nice granular API that gaol exposes, and that you can get on Linux or macOS. Instead Windows has really coarse-grained controls like the access token and integrity level. Even things like allowing access to some directories and restricting access to others generally requires a broker process.

Note that this may be changed/better with Windows 10's Application Container APIs, I'm not an expert in those.
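The comment above contrasts gaol's per-operation allow-list profiles (Linux/macOS) with Windows, where a broker process has to make the "this directory yes, that one no" decision itself. The block below is an added example, not code from cargo-sandbox or from gaol: it models the path-policy check such a broker (or a pure-Rust profile layer) would need, using only the standard library. The type names `PathPattern`, `OpKind`, `Rule` and `Profile` are assumptions chosen to echo gaol's vocabulary, not gaol's real API. Two edge cases that a naive string-prefix check gets wrong are handled explicitly: `..` traversal (`/lib/../etc/passwd` must not satisfy a rule for `/lib`) and component boundaries (`/libfoo` must not satisfy `/lib`).

```rust
use std::path::{Component, Path, PathBuf};

/// Path pattern in an allow-list rule (hypothetical type, modelled loosely on
/// gaol's profile vocabulary; not gaol's own definition).
#[derive(Debug, Clone)]
pub enum PathPattern {
    /// Exactly this path and nothing else.
    Literal(PathBuf),
    /// This directory and everything beneath it.
    Subpath(PathBuf),
}

impl PathPattern {
    /// `requested` must already be normalised (absolute, no `.`/`..`).
    fn matches(&self, requested: &Path) -> bool {
        match self {
            PathPattern::Literal(p) => requested == p.as_path(),
            // Path::starts_with compares whole components, so a rule for
            // `/lib` does not match `/libfoo/...`.
            PathPattern::Subpath(p) => requested.starts_with(p),
        }
    }
}

/// Kind of filesystem access a sandboxed build step may request.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OpKind {
    FileReadAll,
    FileReadMetadata,
}

/// One allow-list entry: an operation kind on a path pattern.
#[derive(Debug, Clone)]
pub struct Rule {
    pub kind: OpKind,
    pub pattern: PathPattern,
}

/// Deny-by-default profile: anything not covered by a rule is refused.
pub struct Profile {
    rules: Vec<Rule>,
}

/// Reject anything that is not an absolute, traversal-free path. Refusing
/// `..` outright (rather than resolving it) keeps the check independent of
/// filesystem state such as symlinks the broker cannot see.
fn normalise(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    let mut absolute = false;
    for c in path.components() {
        match c {
            Component::RootDir => {
                absolute = true;
                out.push("/");
            }
            Component::Normal(s) => out.push(s),
            Component::CurDir => {}
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    if absolute { Some(out) } else { None }
}

impl Profile {
    pub fn new(rules: Vec<Rule>) -> Profile {
        Profile { rules }
    }

    /// Decide whether `kind` on `path` is permitted by this profile.
    pub fn allows(&self, kind: OpKind, path: &Path) -> bool {
        let requested = match normalise(path) {
            Some(p) => p,
            None => return false,
        };
        self.rules.iter().any(|r| {
            // Design choice for this example: a read-all grant also covers
            // metadata reads, since reading content implies seeing metadata.
            let kind_ok = r.kind == kind
                || (r.kind == OpKind::FileReadAll && kind == OpKind::FileReadMetadata);
            kind_ok && r.pattern.matches(&requested)
        })
    }
}

/// Constructed sample profile: read the system library tree and one config
/// file, nothing else (the paths are illustrative, not cargo-sandbox policy).
pub fn demo_profile() -> Profile {
    Profile::new(vec![
        Rule { kind: OpKind::FileReadAll, pattern: PathPattern::Subpath(PathBuf::from("/lib")) },
        Rule { kind: OpKind::FileReadAll, pattern: PathPattern::Literal(PathBuf::from("/etc/resolv.conf")) },
    ])
}

fn main() {
    let profile = demo_profile();
    for p in ["/lib/libc.so.6", "/libfoo/x", "/lib/../etc/passwd", "lib/libc.so.6", "/etc/resolv.conf.bak"] {
        println!("{:<24} read-all: {}", p, profile.allows(OpKind::FileReadAll, Path::new(p)));
    }
}
```

The `main` prints the verdict for a handful of constructed requests; the two refusals worth noticing are the `..` request and the `/libfoo` request, both of which a `starts_with("/lib")` on the raw string would have let through.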