From 7f0d1e72ec9192391e7cae4f517b3db9d4490133 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 12 Jul 2025 16:58:21 +0200 Subject: [PATCH] add disable-sandbox option --- src/cli/args.rs | 4 ++++ src/commands/decompress.rs | 6 ++++-- src/commands/list.rs | 3 ++- src/commands/mod.rs | 2 ++ src/utils/landlock.rs | 7 ++++++- 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/cli/args.rs b/src/cli/args.rs index b28156c..69021d3 100644 --- a/src/cli/args.rs +++ b/src/cli/args.rs @@ -49,6 +49,10 @@ pub struct CliArgs { #[arg(short = 'c', long, global = true)] pub threads: Option, + /// Disable the sandbox feature + #[arg(long, global = true)] + pub no_sandbox: bool, + // Ouch and claps subcommands #[command(subcommand)] pub cmd: Subcommand, diff --git a/src/commands/decompress.rs b/src/commands/decompress.rs index b94e45f..16af3dd 100644 --- a/src/commands/decompress.rs +++ b/src/commands/decompress.rs @@ -328,10 +328,12 @@ fn execute_decompression( //if !input_is_stdin && options.remove { //permit write access to input_file_path //} else { - landlock::init_sandbox(&[output_dir]); //} - if is_smart_unpack { + //landlock::init_sandbox(&[output_dir]); + + + if is_smart_unpack { return smart_unpack(unpack_fn, output_dir, output_file_path, question_policy); } diff --git a/src/commands/list.rs b/src/commands/list.rs index df6494a..e5c1e0d 100644 --- a/src/commands/list.rs +++ b/src/commands/list.rs 
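Review bot: The help text on the new field, `/// Disable the sandbox feature`, does not say what the user gives up, and because the flag is `global = true` it reaches every subcommand. Since this gates the Landlock setup in `src/utils/landlock.rs`, I would spell out the consequence so nobody copies it from a forum post without understanding it, e.g. `/// Disable the Landlock filesystem sandbox (unsafe: extraction is no longer confined to the output directory). Only use this if the sandbox cannot be set up on your kernel.` A short sentence on why someone would legitimately need it (older kernels without Landlock, presumably) would also help reviewers of bug reports.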
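Review bot: The decompression path loses its sandbox unconditionally: `landlock::init_sandbox(&[output_dir]);` is deleted and only re-added as the dead comment `//landlock::init_sandbox(&[output_dir]);`, so `--no-sandbox` is irrelevant here and extraction now runs with no Landlock restriction at all, while `list.rs` in the same patch correctly threads the flag through. The flag should be passed into `execute_decompression` (its signature starts outside the hunk) and the line should read `landlock::init_sandbox(&[output_dir], disable_sandbox);`, with the commented-out call and the two added blank lines removed. If there is an unresolved problem with sandboxing decompression (the surrounding comments about `options.remove` and write access to the input path hint at one), that belongs in the commit message as a known limitation rather than silently switching the protection off.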
@@ -23,13 +23,14 @@ pub fn list_archive_contents( list_options: ListOptions, question_policy: QuestionPolicy, password: Option<&[u8]>, + disable_sandbox: bool, ) -> crate::Result<()> { //rar uses a temporary file which needs to be defined early to be permitted in landlock let mut temp_file = tempfile::NamedTempFile::new()?; // Initialize landlock sandbox with write access restricted to /tmp/ as required by some formats - landlock::init_sandbox(&[temp_file.path()]); + landlock::init_sandbox(&[temp_file.path()], disable_sandbox); let reader = fs::File::open(archive_path)?; diff --git a/src/commands/mod.rs b/src/commands/mod.rs index 4a81d85..b4aa4d5 100644 --- a/src/commands/mod.rs +++ b/src/commands/mod.rs @@ -257,7 +257,9 @@ pub fn run( args.password .as_deref() .map(|str| <[u8] as ByteSlice>::from_os_str(str).expect("convert password to bytes failed")), + args.no_sandbox, )?; + } Ok(()) diff --git a/src/utils/landlock.rs b/src/utils/landlock.rs index f20b1d9..2c28723 100644 --- a/src/utils/landlock.rs +++ b/src/utils/landlock.rs @@ -77,10 +77,15 @@ fn restrict_paths(hierarchies: &[&str]) -> Result = allowed_dirs
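Review bot: The new `disable_sandbox: bool` parameter on a `pub fn` is undocumented, and a bare positional bool is easy to mix up at call sites next to `password`. I would add to the function's doc comment something like `/// When \`disable_sandbox\` is true the Landlock restriction is skipped entirely; callers must only set it from an explicit user opt-in such as \`--no-sandbox\`.` It would also be worth emitting a visible warning when the sandbox is skipped so the reduced protection shows up in logs, though I cannot see which logging macro this crate uses. The signature of `list_archive_contents` begins just outside the hunk.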
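Review bot: The added `}` after `)?;` has no matching opening brace anywhere in the hunk, so it either closes a block opened outside the visible lines or is a stray brace that will not compile; please confirm the build passes and, if it is needed, widen the hunk so reviewers can see what it closes. Also only this call site receives `args.no_sandbox`; the decompress call in `run` is not visible here and, judging by the decompress.rs hunk, does not get the flag, so the option currently changes behaviour for listing only. The enclosing `run` function starts and ends outside the hunk.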