All: There's a fork of GNU make that uses Linux "landlock" to "sandbox command invocations automatically based on your build rule config. This tool will:
• Restrict filesystem access to target and prerequisite only
• Prevent public internet access, using SECCOMP BPF and ptrace()"
More here: https://github.com/jart/landlock-make

I think it'd be great if this was supported in upstream make, so that doing something like ".ENFORCE_LANDLOCK" enabled this. This mechanism would make it easy to detect certain kinds of makefile errors (e.g., an undeclared dependency), and those fixes would help even those *not* running on systems with landlock. Limiting access during execution could counter certain kinds of build-time attacks, too.

More about landlock here: https://docs.kernel.org/userspace-api/landlock.html

Sadly, I suspect it'd be nontrivial effort to integrate their changes upstream, but the developers might be willing to help if there's interest.

If you want to detect makefile rule errors at run-time, you're also welcome to try out my "make-audit" tool: https://github.com/david-a-wheeler/make-audit

If you're using make to implement a data pipeline (esp. with Python), you might find my "make-booster" useful: https://github.com/david-a-wheeler/make-booster

--- David A. Wheeler
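The filesystem half of the confinement described above, as an added example that is not code from landlock-make, GNU make, or the post's author: a child process uses the Landlock syscalls to grant itself read-only access beneath one directory (standing in for a rule's declared prerequisites) and then checks that a file outside that directory can no longer be opened, which is exactly the "undeclared dependency" case the post says such a sandbox would surface. The directory names, result codes and function names are this example's own choices; it needs a Linux kernel with Landlock (5.13 or later) to actually enforce, reports "unsupported" otherwise, and does not cover the seccomp/ptrace network blocking the post also mentions.

```c
/* Added example (not landlock-make, GNU make or the post author's code).
 * Confine a child to read-only access beneath one directory with Landlock,
 * then verify a file outside it is refused. Names and codes are our own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __has_include
#  if defined(__linux__) && __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#    define HAVE_LANDLOCK 1
#  endif
#endif
/* Landlock syscall numbers are identical on every Linux architecture. */
#ifndef __NR_landlock_create_ruleset
#  define __NR_landlock_create_ruleset 444
#  define __NR_landlock_add_rule 445
#  define __NR_landlock_restrict_self 446
#endif

enum { SANDBOX_BROKEN = 0, SANDBOX_OK = 1, SANDBOX_UNSUPPORTED = 2 };

/* Apply a Landlock policy: read-only beneath allowed_dir, nothing elsewhere.
 * Returns 0 on success, -1 (errno set) if Landlock cannot be used here. */
static int restrict_to_dir(const char *allowed_dir) {
#ifndef HAVE_LANDLOCK
    (void)allowed_dir;
    errno = ENOSYS;
    return -1;
#else
    /* ABI v1 rights, accepted by every kernel that has Landlock. Each right
     * listed here is denied unless a path rule explicitly grants it. */
    struct landlock_ruleset_attr ruleset_attr = {
        .handled_access_fs =
            LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE |
            LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
            LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE |
            LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR |
            LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK |
            LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK |
            LANDLOCK_ACCESS_FS_MAKE_SYM,
    };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset,
                                  &ruleset_attr, sizeof ruleset_attr, 0);
    if (ruleset_fd < 0)
        return -1;                /* ENOSYS / EOPNOTSUPP: no Landlock here */
    struct landlock_path_beneath_attr beneath = {
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
        .parent_fd = open(allowed_dir, O_PATH | O_CLOEXEC),
    };
    int rc = -1;
    if (beneath.parent_fd >= 0) {
        rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd,
                          LANDLOCK_RULE_PATH_BENEATH, &beneath, 0);
        close(beneath.parent_fd);
    }
    /* no_new_privs must be set before a process may restrict itself. */
    if (rc == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
        rc = (int)syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
    close(ruleset_fd);
    return rc;
#endif
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Fork a child that confines itself to inside_dir, then report whether the
 * declared input stays readable while the undeclared one is refused. */
int run_sandbox_check(void) {
    char inside_dir[] = "/tmp/ll_in_XXXXXX", outside_dir[] = "/tmp/ll_out_XXXXXX";
    char inside[PATH_MAX], outside[PATH_MAX];
    if (!mkdtemp(inside_dir) || !mkdtemp(outside_dir))
        return SANDBOX_BROKEN;
    snprintf(inside, sizeof inside, "%s/prereq.txt", inside_dir);      /* constructed */
    snprintf(outside, sizeof outside, "%s/undeclared.txt", outside_dir);
    if (write_file(inside, "declared prerequisite\n") != 0 ||
        write_file(outside, "undeclared input\n") != 0)
        return SANDBOX_BROKEN;
    int result = SANDBOX_BROKEN;
    pid_t pid = fork();
    if (pid == 0) {
        if (restrict_to_dir(inside_dir) != 0)
            _exit(SANDBOX_UNSUPPORTED);
        int in_fd = open(inside, O_RDONLY);    /* beneath the rule: allowed */
        int out_fd = open(outside, O_RDONLY);  /* outside it: expect EACCES */
        int denied = out_fd < 0 && errno == EACCES;
        _exit(in_fd >= 0 && denied ? SANDBOX_OK : SANDBOX_BROKEN);
    }
    int status = 0;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);
    unlink(inside); unlink(outside);
    rmdir(inside_dir); rmdir(outside_dir);
    return result;
}

int main(void) {
    int r = run_sandbox_check();
    puts(r == SANDBOX_OK ? "Landlock enforced: declared input read, undeclared input denied"
         : r == SANDBOX_UNSUPPORTED ? "Landlock unavailable here; nothing enforced"
         : "sandbox check failed");
    return r == SANDBOX_BROKEN;
}
```

A make integration would run this confinement in the child between fork() and exec() of the recipe, adding one path rule per prerequisite (read) and per target (write, create) instead of the single directory used here; because Landlock is stacked and cannot be undone by the confined process, a recipe that reaches for a file it never declared fails with EACCES at that point, which is the detection signal the post is after.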