Skip to content

Commit

Permalink
Build without sandboxing on Windows (#1485)
Browse files Browse the repository at this point in the history 
This patch uses `#[cfg(unix)]` to enable sandboxing only on unix
targets. Other targets will still have the `--skip-sandbox` flag
available, but it won't have any effect on the behavior since sandboxing
will never be used.
  • Loading branch information
@kylewillmon
kylewillmon authored Aug 30, 2024
1 parent 59e3668 commit 56496cd
Show file tree
Hide file tree
Showing 9 changed files with 184 additions and 122 deletions.
14 changes: 13 additions & 1 deletion .github/workflows/test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,18 @@ on:
- cron: '30 5 * * 1'

jobs:
windows:
runs-on: windows-latest
steps:
- name: Checkout the repo
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Install Rust toolchain
run: rustup toolchain install --no-self-update stable --profile minimal

- name: Test
run: cargo +stable test --locked --no-default-features

rustfmt:
if: github.event_name != 'schedule'
runs-on: ubuntu-20.04
Expand Down Expand Up @@ -149,7 +161,7 @@ jobs:
# This job reports the results of the matrixes above
test:
if: always()
needs: [clippy, test-matrix, all-features, oldstable]
needs: [windows, clippy, test-matrix, all-features, oldstable]
runs-on: ubuntu-latest
steps:
- if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
Expand Down
12 changes: 9 additions & 3 deletions Cargo.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ end-to-end-tests = ["extensions"]
anyhow = "1.0.44"
axum = "0.7.4"
base64 = "0.21.1"
birdcage = { version = "0.8.1" }
bytes = "1.1.0"
chrono = { version = "^0.4", default-features = false, features = ["serde", "clock"] }
cidr = "0.2.0"
Expand Down Expand Up @@ -71,6 +70,9 @@ vulnreach_types = { path = "../vulnreach_types", optional = true }
walkdir = "2.3.2"
zip = { version = "2.1.0", default-features = false, features = ["deflate"] }

[target.'cfg(unix)'.dependencies]
birdcage = { version = "0.8.1" }

[dev-dependencies]
assert_cmd = "2.0.4"
predicates = { version = "3.0", default-features = false, features = ["diff"] }
Expand Down
151 changes: 79 additions & 72 deletions cli/src/app.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ pub fn app() -> Command {

/// Add non-extension subcommands.
pub fn add_subcommands(command: Command) -> Command {
#[allow(unused_mut)]
let mut app = command
.subcommand(
Command::new("history").about("Return information about historical jobs").args(&[
Expand Down Expand Up @@ -571,34 +572,6 @@ pub fn add_subcommands(command: Command) -> Command {
.about("Find all lockfile and manifest paths")
.hide(true),
)
.subcommand(
Command::new("parse-sandboxed")
.args(&[
Arg::new("depfile")
.value_name("DEPENDENCY_FILE")
.required(true)
.help("Canonical dependency file path"),
Arg::new("display-path")
.value_name("DISPLAY_PATH")
.required(true)
.help("Dependency file display path"),
Arg::new("type")
.long("type")
.value_name("TYPE")
.help("Dependency file type used (default: auto)")
.value_parser(PossibleValuesParser::new(parse::lockfile_types(true))),
Arg::new("generate-lockfile")
.long("generate-lockfile")
.help("Whether lockfile generation should be performed")
.action(ArgAction::SetTrue),
Arg::new("skip-sandbox")
.long("skip-sandbox")
.help("Skip sandbox initialization")
.action(ArgAction::SetTrue),
])
.about("Run lockfile generation inside sandbox and write it to STDOUT")
.hide(true),
)
.subcommand(
Command::new("org")
.about("Manage organizations")
Expand Down Expand Up @@ -666,50 +639,84 @@ pub fn add_subcommands(command: Command) -> Command {

#[cfg(unix)]
{
app = app.subcommand(
Command::new("sandbox").hide(true).about("Run an application in a sandbox").args(&[
Arg::new("allow-read")
.help("Add filesystem read sandbox exception")
.long("allow-read")
.value_name("PATH")
.value_hint(ValueHint::FilePath)
.action(ArgAction::Append),
Arg::new("allow-write")
.help("Add filesystem write sandbox exception")
.long("allow-write")
.value_name("PATH")
.value_hint(ValueHint::FilePath)
.action(ArgAction::Append),
Arg::new("allow-run")
.help("Add filesystem execute sandbox exception")
.long("allow-run")
.value_name("PATH")
.value_hint(ValueHint::FilePath)
.action(ArgAction::Append),
Arg::new("allow-env")
.help("Add environment variable access sandbox exception")
.long("allow-env")
.value_name("ENV_VAR")
.num_args(0..=1)
.default_missing_value("*")
.action(ArgAction::Append),
Arg::new("allow-net")
.help("Add network access sandbox exception")
.long("allow-net")
.action(ArgAction::SetTrue),
Arg::new("strict")
.help("Do not add any default sandbox exceptions")
.long("strict")
.action(ArgAction::SetTrue),
Arg::new("cmd").help("Command to be executed").value_name("CMD").required(true),
Arg::new("args")
.help("Command arguments")
.value_name("ARG")
.trailing_var_arg(true)
.allow_hyphen_values(true)
.action(ArgAction::Append),
]),
)
app = app
.subcommand(
Command::new("sandbox").hide(true).about("Run an application in a sandbox").args(
&[
Arg::new("allow-read")
.help("Add filesystem read sandbox exception")
.long("allow-read")
.value_name("PATH")
.value_hint(ValueHint::FilePath)
.action(ArgAction::Append),
Arg::new("allow-write")
.help("Add filesystem write sandbox exception")
.long("allow-write")
.value_name("PATH")
.value_hint(ValueHint::FilePath)
.action(ArgAction::Append),
Arg::new("allow-run")
.help("Add filesystem execute sandbox exception")
.long("allow-run")
.value_name("PATH")
.value_hint(ValueHint::FilePath)
.action(ArgAction::Append),
Arg::new("allow-env")
.help("Add environment variable access sandbox exception")
.long("allow-env")
.value_name("ENV_VAR")
.num_args(0..=1)
.default_missing_value("*")
.action(ArgAction::Append),
Arg::new("allow-net")
.help("Add network access sandbox exception")
.long("allow-net")
.action(ArgAction::SetTrue),
Arg::new("strict")
.help("Do not add any default sandbox exceptions")
.long("strict")
.action(ArgAction::SetTrue),
Arg::new("cmd")
.help("Command to be executed")
.value_name("CMD")
.required(true),
Arg::new("args")
.help("Command arguments")
.value_name("ARG")
.trailing_var_arg(true)
.allow_hyphen_values(true)
.action(ArgAction::Append),
],
),
)
.subcommand(
Command::new("parse-sandboxed")
.args(&[
Arg::new("depfile")
.value_name("DEPENDENCY_FILE")
.required(true)
.help("Canonical dependency file path"),
Arg::new("display-path")
.value_name("DISPLAY_PATH")
.required(true)
.help("Dependency file display path"),
Arg::new("type")
.long("type")
.value_name("TYPE")
.help("Dependency file type used (default: auto)")
.value_parser(PossibleValuesParser::new(parse::lockfile_types(true))),
Arg::new("generate-lockfile")
.long("generate-lockfile")
.help("Whether lockfile generation should be performed")
.action(ArgAction::SetTrue),
Arg::new("skip-sandbox")
.long("skip-sandbox")
.help("Skip sandbox initialization")
.action(ArgAction::SetTrue),
])
.about("Run lockfile generation inside sandbox and write it to STDOUT")
.hide(true),
);
}

#[cfg(feature = "selfmanage")]
Expand Down
1 change: 1 addition & 0 deletions cli/src/bin/phylum.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,7 @@ async fn handle_commands() -> CommandResult {
},
"version" => handle_version(&app_name, &ver),
"parse" => parse::handle_parse(sub_matches),
#[cfg(unix)]
"parse-sandboxed" => parse::handle_parse_sandboxed(sub_matches),
"ping" => handle_ping(Spinner::wrap(api).await?).await,
"project" => {
Expand Down
Loading

0 comments on commit 56496cd

Please sign in to comment.