My team recently suffered a week of very slow `tuist generate` times. We thought it was a regression in Tuist, perhaps related to cached binaries.
We eventually discovered that it was a regression in our project. The project manifest had been changed to perform a file system enumeration for every target, resulting in bad performance.
Tuist recommends we don’t touch the file system in our manifests, but it is very easy to do if you’re not aware. I was thinking it might be a good idea to build project manifests in a sandbox that makes file system access impossible. If needed, we could also add an opt out mechanism for projects where they really do need to access the file system.
This should be the default option to nudge developers towards not introducing side effects. SwiftPM uses `sandbox-exec` and they have a utility in their codebase that we can use as a reference. By looking at the code, I realized they haven’t addressed sandboxing on other platforms, which, if I’m not mistaken, can be a severe attack surface because SwiftPM might evaluate a malicious `Package.swift` file that accesses the system environment.
What about adopting a similar approach, and having a configuration in `Tuist.swift` to disable it?

```swift
let tuist = Tuist(project: .generated(options: .options(disableSandbox: true)))
```
I think that would be great.
Yes! Since, to read that variable, we need to read the `Tuist.swift` file first, I’d consider choosing the safer option for `Tuist.swift` itself and compile that sandboxed by default.
Also, interestingly enough, the `sandbox-exec` utility has been deprecated for a couple of major releases with no clear replacement (afaik).
But given SwiftPM and probably a lot of other tools depend on this utility, it’s quite unlikely that they would remove it:

```
DESCRIPTION
     The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the
     App Sandbox Design Guide. The sandbox-exec command enters a sandbox using a profile specified by the -f, -n, or -p option and executes
     command with arguments.
```
Apple does say we should be using the App Sandbox, but I fail to see whether that’s even an option for CLIs (I think not)?
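To make the proposal above concrete, here is an added example (not Tuist's or SwiftPM's own code) of what a `sandbox-exec` profile for a manifest build could look like, together with the kind of opt-out switch discussed in this thread. The rule set follows the deny-by-default style SwiftPM uses, but the exact allow/deny list, the `DISABLE_SANDBOX` environment variable (standing in for the proposed `disableSandbox` option), and the `RUN_DEMO` switch are assumptions made for illustration. `sandbox-exec` only exists on macOS; on other systems the profile is still generated, but the sandboxed run refuses to proceed unless the opt-out is set.

```shell
#!/bin/sh
# Added example, not Tuist's or SwiftPM's code: a sandbox-exec profile that lets a
# manifest build read the toolchain and the manifest itself, but not enumerate the
# project tree, write outside a scratch directory, or use the network.
# The allow/deny list is an assumption modelled on SwiftPM's deny-by-default style.

# Print an SBPL profile for `sandbox-exec -p`.
#   $1  project root: reads inside it are denied except the manifest files
#   $2  scratch directory the compiler may write to
# In SBPL the last matching rule wins, so each specific (allow ...) below punches a
# hole in the broader (deny ...) that precedes it.
sandbox_profile() {
  project=$1
  scratch=$2
  cat <<EOF
(version 1)
(deny default)
(import "system.sb")
(allow process*)
(allow sysctl-read)
(allow file-read*)
(deny file-read* (subpath "$project"))
(allow file-read-metadata (literal "$project"))
(allow file-read* (literal "$project/Project.swift"))
(allow file-read* (literal "$project/Tuist.swift"))
(deny network*)
(deny file-write*)
(allow file-write* (subpath "$scratch"))
EOF
}

# Run a command under the profile.
# DISABLE_SANDBOX=1 is a hypothetical analogue of the proposed disableSandbox option:
# when set, the command runs unsandboxed; otherwise a missing sandbox-exec is an error
# rather than a silent fallback, so the default stays the safe one.
run_manifest_build() {
  project=$1
  scratch=$2
  shift 2
  if [ "${DISABLE_SANDBOX:-0}" = 1 ]; then
    "$@"
    return
  fi
  if ! command -v sandbox-exec >/dev/null 2>&1; then
    echo "sandbox-exec not found; refusing to build unsandboxed (set DISABLE_SANDBOX=1 to opt out)" >&2
    return 127
  fi
  sandbox-exec -p "$(sandbox_profile "$project" "$scratch")" "$@"
}

# Demonstration on a constructed throwaway project: reading the manifest succeeds,
# listing the project directory fails with "Operation not permitted". macOS only.
demo() {
  proj=$(mktemp -d)
  scratch=$(mktemp -d)
  printf 'import ProjectDescription\n' > "$proj/Project.swift"
  run_manifest_build "$proj" "$scratch" cat "$proj/Project.swift"
  run_manifest_build "$proj" "$scratch" ls "$proj"
  rm -rf "$proj" "$scratch"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  demo
fi
```

Note the distinction between `file-read-metadata` on the project root (so the path can be resolved) and `file-read*` on it (which would also allow reading the directory's entries, i.e. the enumeration the first post describes). A real profile for Tuist would also have to allow the `Tuist/ProjectDescriptionHelpers` sources and whatever caches the compiler touches, which is exactly the tuning the opt-out is there to cover while those holes are found.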
I have a WIP PR at Sandbox manifest builds with option to opt out by hiltonc · Pull Request #7594 · tuist/tuist · GitHub. It seems to work great with manual testing, I still need to add automated tests.