Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement a sandbox for environment variables and files #49387

Closed
wants to merge 6 commits into from
Closed

Implement a sandbox for environment variables and files #49387

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6b16797
compiletest: show rustc env when verbose
jsgf Mar 26, 2018
8780e3f
First cut of process environment sandbox for rustc
jsgf Mar 25, 2018
13904d5
Add command-line options to configure environment sandbox
jsgf Mar 25, 2018
b40ae5f
Wire EnvSandbox into the ParseSess
jsgf Mar 25, 2018
f78f462
Enforce sandbox for environment
jsgf Mar 25, 2018
dc1ed74
Enforce sandbox for include
jsgf Mar 25, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions src/Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions src/librustc/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ syntax = { path = "../libsyntax" }
syntax_pos = { path = "../libsyntax_pos" }
backtrace = "0.3.3"
byteorder = { version = "1.1", features = ["i128"]}
env_sandbox = { path = "../librustc_env_sandbox" }

# Note that these dependencies are a lie, they're just here to get linkage to
# work.
Expand Down
1 change: 1 addition & 0 deletions src/librustc/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,7 @@ extern crate rustc_errors as errors;
extern crate syntax_pos;
extern crate jobserver;
extern crate proc_macro;
extern crate env_sandbox;

extern crate serialize as rustc_serialize; // used by deriving

Expand Down
61 changes: 61 additions & 0 deletions src/librustc/session/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@ use syntax::feature_gate::UnstableFeatures;

use errors::{ColorConfig, FatalError, Handler};

use env_sandbox::{EnvSandboxBuilder, EnvSandbox};

use getopts;
use std::collections::{BTreeMap, BTreeSet};
use std::collections::btree_map::Iter as BTreeMapIter;
Expand Down Expand Up @@ -413,6 +415,9 @@ top_level_options!(
// Remap source path prefixes in all output (messages, object files, debug, etc)
remap_path_prefix: Vec<(PathBuf, PathBuf)> [UNTRACKED],
edition: Edition [TRACKED],

// Environment sandbox for process envvars and include path prefixes
env_sb: EnvSandbox [UNTRACKED],
}
);

Expand Down Expand Up @@ -593,6 +598,7 @@ pub fn basic_options() -> Options {
cli_forced_thinlto_off: false,
remap_path_prefix: Vec::new(),
edition: DEFAULT_EDITION,
env_sb: EnvSandbox::default(),
}
}

Expand Down Expand Up @@ -1653,6 +1659,34 @@ pub fn rustc_optgroups() -> Vec<RustcOptGroup> {
"Remap source names in all output (compiler messages and output files)",
"FROM=TO",
),
opt::multi_s(
"",
"env-allow",
"Allow a specific environment variable to be accessed with an env!() macro",
"ENVVAR",
),
opt::multi_s(
"",
"env-define",
"Define an environment variable for reading with an env!() macro",
"ENVVAR=VALUE",
),
opt::flag_s(
"",
"env-clear",
"Clear all environment, and prevent access to process environment",
),
opt::multi_s(
"",
"include-prefix",
"Define a valid prefix for include!() macros",
"PATH",
),
opt::flag_s(
"",
"clear-include-prefixes",
"Clear all path prefixes, disallowing access to all files",
),
]);
opts
}
Expand Down Expand Up @@ -2161,6 +2195,32 @@ pub fn build_session_options_and_crate_config(
})
.collect();

let mut env_sb = EnvSandboxBuilder::new();

if matches.opt_present("env-clear") {
env_sb.env_clear();
}
for env in matches.opt_strs("env-allow") {
env_sb.env_allow(env);
}
for envvar in matches.opt_strs("env-define") {
let envvar: Vec<_> = envvar.splitn(2, '=').collect();
if envvar.len() != 2 {
early_error(error_format, "--env-define must contain '=' between ENVVAR and VALUE");
}
env_sb.env_define(envvar[0], envvar[1]);
}

if matches.opt_present("clear-include-prefixes") {
env_sb.paths_clear();
}
for pathpfx in matches.opt_strs("include-prefix") {
if let Err(err) = env_sb.path_add(pathpfx) {
early_error(error_format, &format!("--include-prefix path error: {}", err));
}
}
let env_sb = env_sb.build();

(
Options {
crate_types,
Expand Down Expand Up @@ -2191,6 +2251,7 @@ pub fn build_session_options_and_crate_config(
cli_forced_thinlto_off: disable_thinlto,
remap_path_prefix,
edition,
env_sb,
},
cfg,
)
Expand Down
3 changes: 2 additions & 1 deletion src/librustc/session/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1052,7 +1052,8 @@ pub fn build_session_(
};
let target_cfg = config::build_target_config(&sopts, &span_diagnostic);

let p_s = parse::ParseSess::with_span_handler(span_diagnostic, codemap);
let env_sb = Lrc::new(sopts.env_sb.clone());
let p_s = parse::ParseSess::with_span_handler(span_diagnostic, codemap, env_sb);
let default_sysroot = match sopts.maybe_sysroot {
Some(_) => None,
None => Some(filesearch::get_or_default_sysroot()),
Expand Down
12 changes: 12 additions & 0 deletions src/librustc_env_sandbox/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
[package]
authors = ["The Rust Project Developers"]
name = "env_sandbox"
version = "0.0.0"

[lib]
name = "env_sandbox"
path = "lib.rs"
crate-type = ["dylib"]

[dev-dependencies]
tempdir = "0.3"
Loading