RFC: Implement a sandbox for environment variables and files #2391
Conversation
jsgf
changed the title
Centril
added
T-compiler
| These are processed in the order: | ||
| 1. `--env-clear` | ||
| 2. `--env-allow NAME` | ||
| 3. `--env-set NAME=VAL` |
There was a problem hiding this comment.
what's the benefit of this (rustc --env-set NAME=value) over NAME=value rustc --env-allow NAME other than brevity? is it specifically to stop propagation into sub-processes?
There was a problem hiding this comment.
Several reasons:
- You can use it to override the value of things that rustc (or the linker) itself uses, like
PATHorLD_LIBRARY_PATH(among others) - You can just change
rustc's command-line args, whereas manipulating the environment might need deeper changes to whatever's invokingrustc(possibly system-dependent changes) - Non-propagation isn't something that had occurred to me, but it is related to my first point
There was a problem hiding this comment.
my question was more that my understanding is that running > NAME=value rustc --env-allow NAME is only overriding the value for that instantiation of rustc, so I don't understand what your first point is specifying? are you meaning that some point before/around your 'sandboxed' area is able to access the environment but then the majority is going to use the --env-allow value?
your option may also be more sensible for any shells/clients which don't support 'instantiation-local environment variables', but I think the RFC could do with more discussion of these points.
thanks!
There was a problem hiding this comment.
I mean that when rustc itself is - say - invoking the linker, it may use $PATH to find the executable. If we want env!("PATH") to work at all, but not necessarily return the PATH that's been set up for rustc to be able to find its linker, then we need some way of allowing env!("PATH") and rustc's own runtime call to std::env::var("PATH") to be able to return distinct values.
| process environment variable to be logically pasted into the source as a string | ||
| (or `Option` string). | ||
|
|
||
| `Rustc` has the following command-line options to allow the access to |
|
rust-lang/cargo#3676 is sort of related. |
|
@sfackler There seems to be a few use-cases in controlling the environment visible to build scripts. |
|
cc @rust-lang/dev-tools -- I'm never sure who owns this sort of thing, but it's not clearly T-compiler. =) |
|
@nikomatsakis so my reasoning for T-compiler was: "well, it makes changes to |
|
I think it's fine under devtools. (I also like this RFC and do think we (the devtools team) should eventually think about sandboxing build processes in general) |
ohhh that would be awesome ❤️ ❤️ ❤️ |
Centril
added
A-env
nrc
added
T-dev-tools
|
We discussed this in the Cargo meeting today. The RFC doesn't have much content related to Cargo, given the early conversation, we've re-assigned to dev-tools (and the compiler team). @jsgf is this RFC still something that would be useful for you? |
|
@nrc Yes. My plan is to split this into two RFCs to handle environment and files separately, and probably focus on env first as it is more straightforward. It's on my TODO list, but pushing closer to the top. |
|
@jsgf should we close this in the meantime? |
|
@Manishearth Yes, I suppose so. |
Allow
rustcto be invoked with constraints on which environment variables maybe queried, and which files may be included.
Rendered
Companion PR: rust-lang/rust#49387