github/ouch
1
1
Fork 0
mirror of https://github.com/ouch-org/ouch.git synced 2025-07-19 08:00:31 +00:00
Code Issues 15 Packages Projects Releases Wiki Activity

add disable-sandbox option

Browse Source
This commit is contained in:
valoq 2025-07-12 16:58:21 +02:00
parent 6ccc7a3972
commit 7f0d1e72ec
No known key found for this signature in database
GPG Key ID: 19F09A0FB865CBD8
5 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/cli/args.rs
View File

@ -49,6 +49,10 @@ pub struct CliArgs {
#[arg(short = 'c', long, global = true)] #[arg(short = 'c', long, global = true)]
pub threads: Option<usize>, pub threads: Option<usize>,
/// Disable the sandbox feature
#[arg(long, global = true)]
pub no_sandbox: bool,
// Ouch and claps subcommands // Ouch and claps subcommands
#[command(subcommand)] #[command(subcommand)]
pub cmd: Subcommand, pub cmd: Subcommand,

4
src/commands/decompress.rs
View File

@ -328,9 +328,11 @@ fn execute_decompression(
//if !input_is_stdin && options.remove { //if !input_is_stdin && options.remove {
//permit write access to input_file_path //permit write access to input_file_path
//} else { //} else {
landlock::init_sandbox(&[output_dir]);
//} //}
//landlock::init_sandbox(&[output_dir]);
if is_smart_unpack { if is_smart_unpack {
return smart_unpack(unpack_fn, output_dir, output_file_path, question_policy); return smart_unpack(unpack_fn, output_dir, output_file_path, question_policy);
} }

3
src/commands/list.rs
View File

@ -23,13 +23,14 @@ pub fn list_archive_contents(
list_options: ListOptions, list_options: ListOptions,
question_policy: QuestionPolicy, question_policy: QuestionPolicy,
password: Option<&[u8]>, password: Option<&[u8]>,
disable_sandbox: bool,
) -> crate::Result<()> { ) -> crate::Result<()> {
//rar uses a temporary file which needs to be defined early to be permitted in landlock //rar uses a temporary file which needs to be defined early to be permitted in landlock
let mut temp_file = tempfile::NamedTempFile::new()?; let mut temp_file = tempfile::NamedTempFile::new()?;
// Initialize landlock sandbox with write access restricted to /tmp/<tmp_file> as required by some formats // Initialize landlock sandbox with write access restricted to /tmp/<tmp_file> as required by some formats
landlock::init_sandbox(&[temp_file.path()]); landlock::init_sandbox(&[temp_file.path()], disable_sandbox);
let reader = fs::File::open(archive_path)?; let reader = fs::File::open(archive_path)?;

2
src/commands/mod.rs
View File

@ -257,7 +257,9 @@ pub fn run(
args.password args.password
.as_deref() .as_deref()
.map(|str| <[u8] as ByteSlice>::from_os_str(str).expect("convert password to bytes failed")), .map(|str| <[u8] as ByteSlice>::from_os_str(str).expect("convert password to bytes failed")),
args.no_sandbox,
)?; )?;
} }
Ok(()) Ok(())

7
src/utils/landlock.rs
View File

@ -77,10 +77,15 @@ fn restrict_paths(hierarchies: &[&str]) -> Result<RestrictionStatus, MyRestrictE
/// Restricts the process to only access the given hierarchies using Landlock, if supported. /// Restricts the process to only access the given hierarchies using Landlock, if supported.
/// Accepts multiple allowed directories as &[&Path]. /// Accepts multiple allowed directories as &[&Path].
pub fn init_sandbox(allowed_dirs: &[&Path]) { pub fn init_sandbox(allowed_dirs: &[&Path], disable_sandbox: bool) {
// if std::env::var("CI").is_ok() { // if std::env::var("CI").is_ok() {
// return; // return;
// } // }
if disable_sandbox {
println!("Sandbox feature disabled via --no-sandbox flag.");
// warn!("Security Process isolation disabled");
return;
}
if is_landlock_supported() { if is_landlock_supported() {
let paths: Vec<&str> = allowed_dirs let paths: Vec<&str> = allowed_dirs