GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → kutometa → carnet

kutometa / carnet

Licence: other
A Tool for Sandboxing Cargo and Buildscripts

Programming Languages

shell
77523 projects
rust
11053 projects

Labels

authenticationcargosandboxingpackage-managment

Projects that are alternatives of or similar to carnet

Gradle Cargo Plugin
Gradle plugin that provides deployment capabilities to local and remote containers via Cargo
Stars: ✭ 238 (+205.13%)
Mutual labels:  cargo
cargo-watch
Watches over your Cargo project's source.
Stars: ✭ 2,061 (+2542.31%)
Mutual labels:  cargo
so stupid search
It's my honor to drive you fucking fire faster, to have more time with your Family and Sunshine.This tool is for those who often want to search for a string Deeply into a directory in Recursive mode, but not with the great tools: grep, ack, ripgrep .........every thing should be Small, Thin, Fast, Lazy....without Think and Remember too much ...一…
Stars: ✭ 135 (+73.08%)
Mutual labels:  cargo
Alexandrie
An alternative crate registry, implemented in Rust.
Stars: ✭ 251 (+221.79%)
Mutual labels:  cargo
templa-rs
One-Stop Solution for all boilerplate needs!
Stars: ✭ 27 (-65.38%)
Mutual labels:  cargo
teamcity-rust-plugin
TeamCity Rust and Cargo plugin
Stars: ✭ 29 (-62.82%)
Mutual labels:  cargo
Cargo
🚂🚋🚋 A browser with almost no UI.
Stars: ✭ 221 (+183.33%)
Mutual labels:  cargo
rsblocks
A fast status-bar for dwm window manager written in Rust 🦀
Stars: ✭ 30 (-61.54%)
Mutual labels:  cargo
minijail
sandboxing and containment tool used in ChromeOS and Android
Stars: ✭ 155 (+98.72%)
Mutual labels:  sandboxing
autotools-rs
build.rs helper to configure and compile autotools and configure/make projects
Stars: ✭ 21 (-73.08%)
Mutual labels:  cargo
rust-nix-templater
Generates Nix build / dev files for Rust projects.
Stars: ✭ 49 (-37.18%)
Mutual labels:  cargo
rlbox sandboxing api
RLBox sandboxing framework
Stars: ✭ 239 (+206.41%)
Mutual labels:  sandboxing
coding-challenge
Algorithms and Data-structures, problems and solutions in Rust language using cargo-workspaces
Stars: ✭ 17 (-78.21%)
Mutual labels:  cargo
Dinghy
Easier cross-compilation for phones and single boards computers
Stars: ✭ 241 (+208.97%)
Mutual labels:  cargo
scuba
Kubernetes Container Runtime Interface daemon for running CloudABI jobs
Stars: ✭ 18 (-76.92%)
Mutual labels:  sandboxing
Toolchain
🛠️ GitHub Action for `rustup` commands
Stars: ✭ 229 (+193.59%)
Mutual labels:  cargo
cargo-hack
Cargo subcommand to provide various options useful for testing and continuous integration.
Stars: ✭ 295 (+278.21%)
Mutual labels:  cargo
cargo-cook
A rust cargo subcommand which cooks your crate
Stars: ✭ 29 (-62.82%)
Mutual labels:  cargo
cargo-supply-chain
Gather author, contributor and publisher data on crates in your dependency graph.
Stars: ✭ 287 (+267.95%)
Mutual labels:  cargo
crane
A Nix library for building cargo projects. Never build twice thanks to incremental artifact caching.
Stars: ✭ 348 (+346.15%)
Mutual labels:  cargo
View All Similar Projects ➔

Carnet: Bureaucracy for Cargo

IMPORTANT NOTICE: Carnet is pre-alpha software. Sandboxing works. Crate authentication is not ready yet. Identity and key life-cycle management are WIH.

Carnet is a small tool that imposes additional security constraints on Rust's official package manager, Cargo. This tool aims to prevent or otherwise limit the damage malicious crates can cause.

Carnet imposes two types of security constraints on Cargo:

  1. It can isolate Cargo to a separate system-enforced sandbox, only allowing access to a limited subset of system resources.

  2. It can authenticate crates before allowing Cargo to operate on them. (This feature is incomplete and should not be used yet.)

Carnet is meant as a temporary solution until Cargo gains the ability to impose these constraints on its own.

Installing & Updating

If your system is compatible with the FHS standard, you can install Carnet system-wide by downloading this repository and running the following command at the root of the repository:

sudo install ./carnet /usr/local/bin/carnet

Alternatively, you can install Carnet to your user's bin directory by running the following command in the root of this repository if your system is configured to respect the XDG standard:

install ./carnet ~/.local/bin

Carnet requires the following dependencies to be installed on your system:

  • A modern version of GNU Bash (>= 4.4, 2016)
  • GNU Core Utilities
  • Bubblewrap (bwrap)
  • OpenSSL CLI Tool (openssl)
  • Tiny C Compiler (tcc)

Using Carnet

Carnet can be used in place of Cargo, transparently accepting all its arguments:

carnet test
carnet build --release

In both the commands above, Carnet will first verify the authenticity of the crate and then run the corresponding cargo command in a restrictive sandbox (unless configured otherwise). This sandbox prevents Cargo from accessing the network, most of the user's home directory, most of the filesystem, and so on by default.

Sandbox restrictions can be relaxed easily and can even be disabled entirely by simply passing the appropriate flag to Carnet:

carnet --unsandbox-network     ...
carnet --unsandbox-cargo-home  ...
carnet --unsandbox-processes   ...
carnet --unsandbox-session     ...
carnet --unsandbox-filesystem  ...
... and so on.

In addition to general flags that act on entire resource classes, Carnet can also expose individual files and directories within the sandbox via the flags --carnet:ro-paths and --carnet:rw-paths.

To avoid ambiguity, flags intended for Carnet can be prefixed with carnet: while flags intend for Cargo can be prefixed with cargo:. If both Carnet and Cargo accept the same flag and prefixes are not used, the handling of this flag is unspecified. The following example illustrates the use of both prefixes:

carnet --carnet:unsandbox-network test --cargo:release

Both the sandboxing of Cargo and the automatic verification of crates can be disabled, for a single invocation or persistently, through the use of the appropreate flag or by disabling the feature in Carnet's configuration settings:

carnet --disable-sandbox       ...
carnet --disable-verification  ...

carnet disable sandbox
carnet disable verification

Run carnet carnet:help or carnet --carnet:help for more information.

History & Future Plans

We originally wrote this version of Carnet to only serve as a prototype for when we wanted to implement Carnet more robustly (in Rust). However, we ultimately decided against this approach and published Carnet as-is. Our decision was in part because we couldn't guarantee when this rewrite would occur. We also hope to gather enough feedback to help us make a better Carnet when the rewrite eventually takes place.

Feedback is Important

Since we don't include any telemetry in Carnet, we rely on your feedback to gauge how successful this project is. If you use Carnet and don't mind sharing this fact publicly, let us know by leaving a comment on the Github issue here: #3

Alternatively, you can let us know by sending a short email to [email protected].

Contributing

Please see CONTRIBUTING.en.md in the root of this repository.

Support & Licensing

Official commercial support and custom licensing are available directly from the authors of this software. Please send your inquiries via any of our official communication channels.

Our communication channels are listed at: https://www.ka.com.kw/en/contact

Copyright

Copyright © 2021 Kutometa SPC, Kuwait

Unless expressly stated otherwise, this work and all related material are made available to you under the terms of version 3 of the GNU Lesser General Public License (hereinafter, the LGPL-3.0) and the following supplemental terms:

  1. This work must retain all legal notices. These notices must not be altered or truncated in any way.

  2. The origin of any derivative or modified versions of this work must not be presented in a way that may mislead a reasonable person into mistaking the derive work to originate from Kutometa or the authors of this work.

  3. Derivative or modified versions of this work must be clearly and easily distinguishable from the original work by a reasonable person.

  4. Unless express permission is granted in writing, The name of the original work may not be used within the name of any derivative or modified version of the work.

  5. Unless express permission is granted in writing, Trade names, trademarks, and service marks used in this work may not be included in any derivative or modified versions of this work.

  6. Unless express permission is granted in writing, the names and trademarks of Kutometa and other right holders may not be used to endorse derivative or modified versions of this work.

  7. The licensee must defend, indemnify, and hold harmless Kutometa and authors of this software from any and all actions, claims, judgments, losses, penalties, liabilities, damages, expenses, demands, fees (including, but not limited to, reasonable legal and other professional fees), taxes, and cost that result from or in connection with any liability imposed on Kutometa or other authors of this software as a result of the licensee conveying this work or a derivative thereof with contractual assumptions of liability to a third party recipient.

Unless expressly stated otherwise or required by applicable law, this work is provided AS-IS with NO WARRANTY OF ANY KIND, INCLUDING THE WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Use this work at your own risk.

This license agreement is governed by and is construed in accordance with the laws of the state of Kuwait. You must submit all disputes arising out of or in connection with this work to the exclusive jurisdiction of the courts of Kuwait.

You should have received a copy of the LGPL-3.0 along with this program; if not, visit www.ka.com.kw/en/legal, write to [email protected], or write to Kutometa SPC, 760 SAFAT 13008, Kuwait.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].