diff --git a/Cargo.lock b/Cargo.lock
index 505b8909..f2251c43 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -450,6 +450,19 @@ version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
 
+[[package]]
+name = "birdcage"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "848df95320021558dd6bb4c26de3fe66724cdcbdbbf3fa720150b52b086ae568"
+dependencies = [
+ "bitflags",
+ "libc",
+ "log",
+ "rustix",
+ "seccompiler",
+]
+
 [[package]]
 name = "bisection"
 version = "0.1.0"
@@ -3550,6 +3563,7 @@ dependencies = [
  "rattler_package_streaming",
  "rattler_redaction",
  "rattler_repodata_gateway",
+ "rattler_sandbox",
  "rattler_shell",
  "rattler_solve",
  "rattler_virtual_packages",
@@ -3895,6 +3909,16 @@ dependencies = [
  "zstd 0.13.2",
 ]
 
+[[package]]
+name = "rattler_sandbox"
+version = "0.1.0"
+dependencies = [
+ "birdcage",
+ "clap",
+ "fs-err 3.0.0",
+ "tokio",
+]
+
 [[package]]
 name = "rattler_shell"
 version = "0.22.5"
@@ -4401,6 +4425,15 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "seccompiler"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f6575e3c2b3a0fe2ef3e53855b6a8dead7c29f783da5e123d378c8c6a89017e"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "secret-service"
 version = "4.0.0"
diff --git a/Cargo.toml b/Cargo.toml
index a962fcc9..09c64916 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -142,6 +142,7 @@ rattler_shell = { version = "0.22.5", default-features = false, features = ["sys
 rattler_solve = { version = "1.2.0", default-features = false, features = ["resolvo", "serde"] }
 rattler_virtual_packages = { version = "1.1.8", default-features = false }
 rattler_package_streaming = { version = "0.22.11", default-features = false }
+rattler_sandbox = { path = "../rattler/crates/rattler_sandbox", features = ["tokio"] }
 lazy_static = "1.5.0"
 
 [dev-dependencies]
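Review bot: `rattler_sandbox` is pulled in with `path = "../rattler/crates/rattler_sandbox"`, a location outside this repository, so the build only succeeds on a machine that has a sibling `rattler` checkout at exactly that relative path, and the matching Cargo.lock entry for `rattler_sandbox` 0.1.0 carries no `source` or `checksum` line, so nothing records which sandbox implementation actually gets compiled in. For the crate that decides what a build process may read, write and execute, that is both a reproducibility gap and a supply-chain gap. Pin it to a published version or to a git source with an explicit revision, e.g. `rattler_sandbox = { git = "<RATTLER_GIT_URL>", rev = "<PINNED_COMMIT>", features = ["tokio"] }` (placeholders), or at least mark the path dependency with a comment as a temporary development shortcut that must not ship.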
diff --git a/src/main.rs b/src/main.rs
index aa07881a..19f626b4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -18,6 +18,8 @@ use tempfile::tempdir;
 
 #[tokio::main]
 async fn main() -> miette::Result<()> {
+    rattler_sandbox::init_sandbox();
+
     let app = App::parse();
     let log_handler = if !app.is_tui() {
         Some(
diff --git a/src/script.rs b/src/script.rs
index d5250a23..3cde2a0d 100644
--- a/src/script.rs
+++ b/src/script.rs
@@ -764,7 +764,33 @@ async fn run_process_with_replacements(
     cwd: &Path,
     replacements: &HashMap,
 ) -> Result {
-    let mut command = tokio::process::Command::new(args[0]);
+    let temp_folder = std::env::var("TMPDIR").ok();
+
+    let mut sandbox_exceptions = vec![
+        rattler_sandbox::Exception::Read("/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead("/bin/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead("/usr/bin/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead("/Users/wolfv/.pixi/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead(
+            cwd.parent().unwrap().to_string_lossy().to_string(),
+        ),
+        rattler_sandbox::Exception::ReadAndWrite(
+            cwd.parent().unwrap().to_string_lossy().to_string(),
+        ),
+        // conda compiler activation writes to this tmp folder
+        rattler_sandbox::Exception::ReadAndWrite("/tmp".to_string()),
+        // configure command for curl seems to want to write to this temp folder
+        rattler_sandbox::Exception::ReadAndWrite("/var/tmp".to_string()),
+    ];
+
+    if let Some(temp_folder) = temp_folder {
+        // the is the temp folder from TMPDIR
+        sandbox_exceptions.push(rattler_sandbox::Exception::ReadAndWrite(
+            temp_folder.to_string(),
+        ))
+    }
+
+    let mut command = rattler_sandbox::tokio::sandboxed_command(args[0], &sandbox_exceptions);
     command
         .current_dir(cwd)
         .args(&args[1..])
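Review bot: The new `rattler_sandbox::init_sandbox();` call at the top of `main` carries no comment, and nothing in the hunk shows whether it can fail or why it has to run before `App::parse()`, so a later maintainer could reorder or move it without noticing a constraint. A one-line comment stating the ordering requirement would help, e.g. `// Sandbox bootstrap: keep this first, before argument parsing and logging are set up.`, with the concrete reason taken from the `rattler_sandbox` crate's documentation rather than guessed here. If `init_sandbox` returns a `Result`, it should be propagated with `?` into the function's `miette::Result` instead of being left as a bare statement. The body of `main` continues past the hunk.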
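Review bot: `cwd.parent().unwrap()`, used twice inside the `vec![...]`, panics when `cwd` has no parent, and the hard-coded `ExecuteAndRead("/Users/wolfv/.pixi/")` entry is one developer's home directory, so on any other machine it grants nothing while on that machine it grants execute and read over the entire pixi install. The leading `Read("/")` also means this sandbox does not restrict reads at all, which may well be intended but deserves a comment, since the narrower exceptions that follow read as if it did. Computing the parent once with `cwd.parent().unwrap_or(cwd)` (or returning an error) removes the panic path and the duplicated expression, the `TMPDIR` push can be `sandbox_exceptions.push(rattler_sandbox::Exception::ReadAndWrite(temp_folder))` because `temp_folder` is already a `String`, and its comment says "the is" where "this is" is meant. The rewrite below drops the machine-specific path; if a pixi prefix is really required it should be derived at runtime rather than spelled out. `run_process_with_replacements` continues past the hunk.
```rust
    let temp_folder = std::env::var("TMPDIR").ok();

    // `Read("/")` below grants read access to the whole filesystem, so this
    // sandbox confines writes and execution only; keep that in mind when
    // adding further exceptions.
    // A root `cwd` has no parent: fall back to `cwd` instead of panicking.
    let work_root = cwd.parent().unwrap_or(cwd).to_string_lossy().to_string();

    let mut sandbox_exceptions = vec![
        // … unchanged: "/" read and "/bin/", "/usr/bin/" execute-and-read exceptions …
        rattler_sandbox::Exception::ExecuteAndRead(work_root.clone()),
        rattler_sandbox::Exception::ReadAndWrite(work_root),
        // … unchanged: /tmp and /var/tmp read-and-write exceptions …
    ];

    if let Some(temp_folder) = temp_folder {
        // this is the temp folder from TMPDIR
        sandbox_exceptions.push(rattler_sandbox::Exception::ReadAndWrite(temp_folder))
    }
    // … unchanged: sandboxed_command call and builder chain …
```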