To generate the LLVM code correctly you need to run build.rs if there is any, and run proc macros which are natively compiled compiler plugins, currently running without any sandbox.
The final code isn’t run, but the build process of Cargo crates can involve running of arbitrary code.
The compilation process can be sandboxed as a whole, but if it runs arbitrary code, a malicious crate could take over the build process and falsify the LLVM output.
To generate the LLVM code correctly you need to run
build.rsif there is any, and run proc macros which are natively compiled compiler plugins, currently running without any sandbox.The final code isn’t run, but the build process of Cargo crates can involve running of arbitrary code.
The compilation process can be sandboxed as a whole, but if it runs arbitrary code, a malicious crate could take over the build process and falsify the LLVM output.