Carnet: Bureaucracy for Cargo
IMPORTANT NOTICE: Carnet is pre-alpha software. Sandboxing works. Crate authentication is not ready yet. Identity and key life-cycle management are WIH.
Carnet is a small tool that imposes additional security constraints on Rust's official package manager, Cargo. This tool aims to prevent or otherwise limit the damage malicious crates can cause.
Carnet imposes two types of security constraints on Cargo:
It can isolate Cargo to a separate system-enforced sandbox, only allowing access to a limited subset of system resources.
It can authenticate crates before allowing Cargo to operate on them. (This feature is incomplete and should not be used yet.)
Carnet is meant as a temporary solution until Cargo gains the ability to impose these constraints on its own.
Installing & updating
If your system is compatible with the FHS standard, you can install Carnet system-wide by downloading this repository and running the following command at the root of the repository:
sudo install ./carnet /usr/local/bin/carnet
Alternatively, you can install Carnet to your user's
bin directory by running the following command in the root of this repository if your system is configured to respect the XDG standard:
install ./carnet ~/.local/bin
Carnet requires the following dependencies to be installed on your system:
- A modern version of GNU Bash (>= 4.4, 2016)
- GNU Core Utilities
- Bubblewrap (
- OpenSSL CLI Tool (
- Tiny C Compiler (
Carnet can be used in place of Cargo, transparently accepting all its arguments:
carnet test carnet build --release
In both the commands above, Carnet will first verify the authenticity of the crate and then run the corresponding cargo command in a restrictive sandbox (unless configured otherwise). This sandbox prevents Cargo from accessing the network, most of the user's home directory, most of the filesystem, and so on by default.
Sandbox restrictions can be relaxed easily and can even be disabled entirely by simply passing the appropriate flag to Carnet:
carnet --unsandbox-network ... carnet --unsandbox-cargo-home ... carnet --unsandbox-processes ... carnet --unsandbox-session ... carnet --unsandbox-filesystem ... ... and so on.
In addition to general flags that act on entire resource classes, Carnet can also expose individual files and directories within the sandbox via the flags
To avoid ambiguity, flags intended for Carnet can be prefixed with
carnet: while flags intend for Cargo can be prefixed with
cargo:. If both Carnet and Cargo accept the same flag and prefixes are not used, the handling of this flag is unspecified. The following example illustrates the use of both prefixes:
carnet --carnet:unsandbox-network test --cargo:release
Both the sandboxing of Cargo and the automatic verification of crates can be disabled, for a single invocation or persistently, through the use of the appropreate flag or by disabling the feature in Carnet's configuration settings:
carnet --disable-sandbox ... carnet --disable-verification ... carnet disable sandbox carnet disable verification
carnet carnet:help or
carnet --carnet:help for more information.
History & future plans
We originally wrote this version of Carnet to only serve as a prototype for when we wanted to implement Carnet more robustly (in Rust). However, we ultimately decided against this approach and published Carnet as-is. Our decision was in part because we couldn't guarantee when this rewrite would occur. We also hope to gather enough feedback to help us make a better Carnet when the rewrite eventually takes place.
Support & licensing
Official commercial support and custom licensing are available directly from the authors of this software. Please send your inquiries via any of our official communication channels.
Our communication channels are listed at: https://www.ka.com.kw/en/contact
Copyright © 2021 Kutometa SPC, Kuwait
Unless expressly stated otherwise, this work and all related material are made available to you under the terms of version 3 of the GNU Lesser General Public License (hereinafter, the LGPL-3.0) and the following supplemental terms:
This work must retain all legal notices. These notices must not be altered or truncated in any way.
The origin of any derivative or modified versions of this work must not be presented in a way that may mislead a reasonable person into mistaking the derive work to originate from Kutometa or the authors of this work.
Derivative or modified versions of this work must be clearly and easily distinguishable from the original work by a reasonable person.
Unless express permission is granted in writing, The name of the original work may not be used within the name of any derivative or modified version of the work.
Unless express permission is granted in writing, Trade names, trademarks, and service marks used in this work may not be included in any derivative or modified versions of this work.
Unless express permission is granted in writing, the names and trademarks of Kutometa and other right holders may not be used to endorse derivative or modified versions of this work.
The licensee must defend, indemnify, and hold harmless Kutometa and authors of this software from any and all actions, claims, judgments, losses, penalties, liabilities, damages, expenses, demands, fees (including, but not limited to, reasonable legal and other professional fees), taxes, and cost that result from or in connection with any liability imposed on Kutometa or other authors of this software as a result of the licensee conveying this work or a derivative thereof with contractual assumptions of liability to a third party recipient.
Unless expressly stated otherwise or required by applicable law, this work is provided AS-IS with NO WARRANTY OF ANY KIND, INCLUDING THE WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Use this work at your own risk.
This license agreement is governed by and is construed in accordance with the laws of the state of Kuwait. You must submit all disputes arising out of or in connection with this work to the exclusive jurisdiction of the courts of Kuwait.