Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.
Sign upRFC: Implement a sandbox for environment variables and files #2391
Conversation
jsgf
changed the title
Initial draft of env-sandboxing RFC
env-sandboxing RFC
Apr 5, 2018
jsgf
changed the title
env-sandboxing RFC
RFC: Implement a sandbox for environment variables and files
Apr 5, 2018
Centril
added
T-compiler
T-cargo
labels
Apr 6, 2018
fbstj
reviewed
Apr 6, 2018
| These are processed in the order: | ||
| 1. `--env-clear` | ||
| 2. `--env-allow NAME` | ||
| 3. `--env-set NAME=VAL` |
This comment has been minimized.
This comment has been minimized.
fbstj
Apr 6, 2018
•
what's the benefit of this (rustc --env-set NAME=value) over NAME=value rustc --env-allow NAME other than brevity? is it specifically to stop propagation into sub-processes?
This comment has been minimized.
This comment has been minimized.
jsgf
Apr 6, 2018
Author
Several reasons:
- You can use it to override the value of things that rustc (or the linker) itself uses, like
PATHorLD_LIBRARY_PATH(among others) - You can just change
rustc's command-line args, whereas manipulating the environment might need deeper changes to whatever's invokingrustc(possibly system-dependent changes) - Non-propagation isn't something that had occurred to me, but it is related to my first point
This comment has been minimized.
This comment has been minimized.
fbstj
Apr 6, 2018
my question was more that my understanding is that running > NAME=value rustc --env-allow NAME is only overriding the value for that instantiation of rustc, so I don't understand what your first point is specifying? are you meaning that some point before/around your 'sandboxed' area is able to access the environment but then the majority is going to use the --env-allow value?
your option may also be more sensible for any shells/clients which don't support 'instantiation-local environment variables', but I think the RFC could do with more discussion of these points.
thanks!
This comment has been minimized.
This comment has been minimized.
jsgf
Apr 9, 2018
Author
I mean that when rustc itself is - say - invoking the linker, it may use $PATH to find the executable. If we want env!("PATH") to work at all, but not necessarily return the PATH that's been set up for rustc to be able to find its linker, then we need some way of allowing env!("PATH") and rustc's own runtime call to std::env::var("PATH") to be able to return distinct values.
fbstj
reviewed
Apr 6, 2018
| process environment variable to be logically pasted into the source as a string | ||
| (or `Option` string). | ||
|
|
||
| `Rustc` has the following command-line options to allow the access to |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
rust-lang/cargo#3676 is sort of related. |
This comment has been minimized.
This comment has been minimized.
|
@sfackler There seems to be a few use-cases in controlling the environment visible to build scripts. |
nikomatsakis
referenced this pull request
Apr 11, 2018
Closed
Implement a sandbox for environment variables and files #49387
This comment has been minimized.
This comment has been minimized.
|
cc @rust-lang/dev-tools -- I'm never sure who owns this sort of thing, but it's not clearly T-compiler. =) |
This comment has been minimized.
This comment has been minimized.
|
@nikomatsakis so my reasoning for T-compiler was: "well, it makes changes to |
This comment has been minimized.
This comment has been minimized.
|
I think it's fine under devtools. (I also like this RFC and do think we (the devtools team) should eventually think about sandboxing build processes in general) |
This comment has been minimized.
This comment has been minimized.
ohhh that would be awesome |
jsgf commentedApr 5, 2018
•
edited
Allow
rustcto be invoked with constraints on which environment variables maybe queried, and which files may be included.
Rendered
Companion PR: rust-lang/rust#49387