Skip to content

idea on how to get sandboxed build-scripts #15672

Open
Open
idea on how to get sandboxed build-scripts#15672
Labels
A-build-scriptsArea: build.rs scriptsC-feature-requestCategory: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`S-needs-team-inputStatus: Needs input from team on whether/how to proceed.
@boozook

Description

@boozook
boozook
opened on Jun 16, 2025

Problem

Known problem - build-scripts are allowed to do absolutely anything - network, io, write fs outside of OUT_DIR, etc..

Proposed Solution

We just need custom runner setting such as existing target..runner but for build-scripts.
That way everyone on any platform can specify their own parameters for their sandbox. e.g. for macOs something like : sandbox-exec -p “(version 1)(allow default)(deny network*)” denies network access.

This is good, I suppose, because:

  1. Universal solution that can be used in various ways on any host,
  2. Independent from inner in-toolchain implementation, see next point,
  3. Depends only on outer things by user or users System, which is great. It can be user’s script, tool, or preconfigured sandbox or environment.
  4. Simpl impl - runner already there.

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-build-scriptsArea: build.rs scriptsC-feature-requestCategory: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`S-needs-team-inputStatus: Needs input from team on whether/how to proceed.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions