Problem

Supply chain attacks became very common thing these days, but we're still running untrusted code on our machines everyday. This crate provides safe-cargo subcommand, that runs all commands in a sandboxed environment.

For now it is working on macOS only using Apple's sandboxing mechanism.

How to use it?

Installation

$ cargo install safe-cargo

Using is pretty simple, you can use any cargo command:

$ safe-cargo buld
$ safe-cargo test
$ safe-cargo run

Or any other cargo command.

What is allowed inside sandoxed environment

Read access

Sandobx allow access to list all files (without reading their content), and read/execute following files and directories:

/dev/random and /dev/urandom
/dev/tty
All files in PATH directiories
All files in following directories (and subdirectories):
- /private/etc/
- /private/var/db/timezone/
- /Applications/Xcode.app/Contents/Developer
- /usr/lib/
- /private/var/db/dyld/
- /System/Library/
- /System/Volumes/Preboot/Cryptexes/OS
- /System/Cryptexes/OS/
- /Library/Preferences/

Write access

OS temporary directory
cargo and target directories private to a sandbox (separate from $HOME/.cargo and target in your workdir)
Cargo.lock in your project directory – otherwise it's impossible to build a project

Network access

communication over /private/var/run/mDNSResponder – to allow DNS lookups
outbound network connections to ports 80/443 - to download crates

Full list of permissions can be found in sources.