cargo-sandbox
Currently the way things work is:
* Container is created for a project
* Container has a bindmount for the project directory
* 'init' process for container is `sleep infinity`...
It is likely the case that users will want to shell into specific build containers. Adding a `shell` command to do so would help them avoid needing to work directly...
I've added two new profiles in `static/seccomp/`. We should hook them up to the `create_container` API, somewhere in `CreateContainerArgs` probably.
`cargo` has a number of "common commands", a number of which are security relevant.
- [x] #7
- [x] #8
- [ ] #9
- [ ] #10
- [...
It would be helpful to add negative testcases to ensure that the sandbox is working appropriately.
Allow overriding the docker socket path. This would allow for cargo-sandbox to use a different docker daemon, which would make privesc via the daemon possible to hedge against (with regards...
It would be useful to add commands for understanding the current state of project containers. For example, listing out all of the containers for projects, their running state, etc.
`cargo-sandbox` aims to be drop-in compatible, which means it may not always provide the strictest isolation. Users should be able to easily configure the sandbox for various commands.