add disable-sandbox option

2025-07-18 23:50:35 +00:00 · 2025-07-12 16:58:21 +02:00 · 2025-07-12 16:58:21 +02:00 · 7f0d1e72ec
commit 7f0d1e72ec
parent 6ccc7a3972
5 changed files with 18 additions and 4 deletions
--- a/src/cli/args.rs
+++ b/src/cli/args.rs
@ -49,6 +49,10 @@ pub struct CliArgs {
    #[arg(short = 'c', long, global = true)]
    pub threads: Option<usize>,

+    /// Disable the sandbox feature
+    #[arg(long, global = true)]
+    pub no_sandbox: bool,
+
    // Ouch and claps subcommands
    #[command(subcommand)]
    pub cmd: Subcommand,
--- a/src/commands/decompress.rs
+++ b/src/commands/decompress.rs
@ -328,10 +328,12 @@ fn execute_decompression(
    //if !input_is_stdin && options.remove {
        //permit write access to input_file_path
    //} else {
-        landlock::init_sandbox(&[output_dir]);
    //}
    
-     if is_smart_unpack {
+    //landlock::init_sandbox(&[output_dir]);
+    
+
+    if is_smart_unpack {
        return smart_unpack(unpack_fn, output_dir, output_file_path, question_policy);
    }

--- a/src/commands/list.rs
+++ b/src/commands/list.rs
@ -23,13 +23,14 @@ pub fn list_archive_contents(
    list_options: ListOptions,
    question_policy: QuestionPolicy,
    password: Option<&[u8]>,
+    disable_sandbox: bool,
 ) -> crate::Result<()> {

    //rar uses a temporary file which needs to be defined early to be permitted in landlock
    let mut temp_file = tempfile::NamedTempFile::new()?;

    // Initialize landlock sandbox with write access restricted to /tmp/<tmp_file> as required by some formats
-    landlock::init_sandbox(&[temp_file.path()]);
+    landlock::init_sandbox(&[temp_file.path()], disable_sandbox);

    let reader = fs::File::open(archive_path)?;

--- a/src/commands/mod.rs
+++ b/src/commands/mod.rs
@ -257,7 +257,9 @@ pub fn run(
                    args.password
                        .as_deref()
                        .map(|str| <[u8] as ByteSlice>::from_os_str(str).expect("convert password to bytes failed")),
+                    args.no_sandbox,
                )?;
+
            }

            Ok(())
--- a/src/utils/landlock.rs
+++ b/src/utils/landlock.rs
@ -77,10 +77,15 @@ fn restrict_paths(hierarchies: &[&str]) -> Result<RestrictionStatus, MyRestrictE

 /// Restricts the process to only access the given hierarchies using Landlock, if supported.
 /// Accepts multiple allowed directories as &[&Path].
-pub fn init_sandbox(allowed_dirs: &[&Path]) {
+pub fn init_sandbox(allowed_dirs: &[&Path], disable_sandbox: bool) {
    // if std::env::var("CI").is_ok() {
    //    return;
    // }
+    if disable_sandbox {
+        println!("Sandbox feature disabled via --no-sandbox flag.");
+        // warn!("Security Process isolation disabled");
+        return;
+    }

    if is_landlock_supported() {
        let paths: Vec<&str> = allowed_dirs