hardcoded sandbox experiment

prefix-dev · Nov 11, 2024 · 3558d02 · 3558d02
1 parent 26309bb
commit 3558d02
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 1 deletion.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -142,6 +142,7 @@ rattler_shell = { version = "0.22.5", default-features = false, features = ["sys
 rattler_solve = { version = "1.2.0", default-features = false, features = ["resolvo", "serde"] }
 rattler_virtual_packages = { version = "1.1.8", default-features = false }
 rattler_package_streaming = { version = "0.22.11", default-features = false }
+rattler_sandbox = { path = "../rattler/crates/rattler_sandbox", features = ["tokio"] }
 lazy_static = "1.5.0"
 
 [dev-dependencies]

diff --git a/src/main.rs b/src/main.rs
@@ -18,6 +18,8 @@ use tempfile::tempdir;
 
 #[tokio::main]
 async fn main() -> miette::Result<()> {
+    rattler_sandbox::init_sandbox();
+
     let app = App::parse();
     let log_handler = if !app.is_tui() {
         Some(

diff --git a/src/script.rs b/src/script.rs
@@ -764,7 +764,33 @@ async fn run_process_with_replacements(
     cwd: &Path,
     replacements: &HashMap<String, String>,
 ) -> Result<std::process::Output, std::io::Error> {
-    let mut command = tokio::process::Command::new(args[0]);
+    let temp_folder = std::env::var("TMPDIR").ok();
+
+    let mut sandbox_exceptions = vec![
+        rattler_sandbox::Exception::Read("/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead("/bin/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead("/usr/bin/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead("/Users/wolfv/.pixi/".to_string()),
+        rattler_sandbox::Exception::ExecuteAndRead(
+            cwd.parent().unwrap().to_string_lossy().to_string(),
+        ),
+        rattler_sandbox::Exception::ReadAndWrite(
+            cwd.parent().unwrap().to_string_lossy().to_string(),
+        ),
+        // conda compiler activation writes to this tmp folder
+        rattler_sandbox::Exception::ReadAndWrite("/tmp".to_string()),
+        // configure command for curl seems to want to write to this temp folder
+        rattler_sandbox::Exception::ReadAndWrite("/var/tmp".to_string()),
+    ];
+
+    if let Some(temp_folder) = temp_folder {
+        // the is the temp folder from TMPDIR
+        sandbox_exceptions.push(rattler_sandbox::Exception::ReadAndWrite(
+            temp_folder.to_string(),
+        ))
+    }
+
+    let mut command = rattler_sandbox::tokio::sandboxed_command(args[0], &sandbox_exceptions);
     command
         .current_dir(cwd)
         .args(&args[1..])