Open tarcieri opened 5 years ago
There are many different approaches to sandboxing this crate could potentially take. I would suggest discussion of significantly different approaches (e.g. virtual machines) happen on the Determine project goals (#3) issue, and suggest this PR focus specifically on whether or not gaol is the correct path forward here.
I will provide a quick list of pros/cons for gaol:
No Windows support -- and Windows is by far the most complex OS to work on. Sadly, Windows doesn't really lend itself to the nice granular API that gaol exposes, and that you can get on Linux or macOS. Instead, Windows has really coarse-grained controls like the access token and integrity level. Even things like allowing access to some directories and restricting access to others generally require a broker process.
Note that this may be changed/better with Windows 10's Application Container APIs; I'm not an expert in those.
This commit signals the intent of this project to explore gaol as the mechanism by which builds are sandboxed: https://github.com/servo/gaol

The README.md for gaol carries the following warning:

However, cursory review of gaol's source code shows it's a relatively simple cross-platform sandboxing solution which provides pure Rust wrappers for the underlying OS facilities sandboxing solutions should be leveraging.

As gaol is used by Servo, it's something the Rust team is probably already familiar with, which increases the chances of upstreaming a sandboxing solution into Cargo proper, a potential goal for this project.