From 641fed630236e62457dbd61a674f5329b753f534 Mon Sep 17 00:00:00 2001
From: Wolf Vollprecht
Date: Sat, 30 Nov 2024 09:29:03 +0100
Subject: [PATCH] guard impl and add shim

---
crates/rattler_sandbox/src/lib.rs | 110 +++++-------------
crates/rattler_sandbox/src/sandbox/mod.rs | 80 +++++++++++++
.../src/{ => sandbox}/sandbox.rs | 0
.../src/{ => sandbox}/tokio.rs | 0
crates/rattler_sandbox/src/sandbox_shim.rs | 3 +
5 files changed, 113 insertions(+), 80 deletions(-)
create mode 100644 crates/rattler_sandbox/src/sandbox/mod.rs
rename crates/rattler_sandbox/src/{ => sandbox}/sandbox.rs (100%)
rename crates/rattler_sandbox/src/{ => sandbox}/tokio.rs (100%)
create mode 100644 crates/rattler_sandbox/src/sandbox_shim.rs

diff --git a/crates/rattler_sandbox/src/lib.rs b/crates/rattler_sandbox/src/lib.rs
index d9a4b2662..01e55a26d 100644
--- a/crates/rattler_sandbox/src/lib.rs
+++ b/crates/rattler_sandbox/src/lib.rs
@@ -1,81 +1,31 @@
-use birdcage::process::Command;
-use birdcage::{Birdcage, Sandbox};
-use clap::Parser;
-
+// A shim for the sandbox that is used on non-supported platforms
+#[cfg(not(any(
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ all(target_os = "macos", target_arch = "x86_64"),
+ all(target_os = "macos", target_arch = "aarch64"),
+)))]
+mod sandbox_shim;
+#[cfg(not(any(
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ all(target_os = "macos", target_arch = "x86_64"),
+ all(target_os = "macos", target_arch = "aarch64"),
+)))]
+pub use sandbox_shim::*;
+
+/// The actual implementation of the sandbox that is used on supported platforms
+#[cfg(any(
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ all(target_os = "macos", target_arch = "x86_64"),
+ all(target_os = "macos", target_arch = "aarch64"),
+))]
 pub mod sandbox;
-#[cfg(feature = "tokio")]
-pub mod tokio;
-
-pub use sandbox::{sandboxed_command, Exception};
-
-#[derive(clap::Parser)]
-struct Opts {
- #[clap(long)]
- fs_exec_and_read: Option>,
-
- #[clap(long)]
- fs_write_and_read: Option>,
-
- #[clap(long)]
- fs_read: Option>,
-
- #[clap(long)]
- network: bool,
-
- #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
- args: Vec,
-}
-
-// This function checks if the current executable should execute as a sandboxed process
-pub fn init() {
- let mut args = std::env::args().collect::>();
- // Remove the first `__sandbox_trampoline__` argument
- args.remove(1);
- let opts = Opts::parse_from(args.iter());
- // Allow access to our test executable.
- let mut sandbox = Birdcage::new();
-
- if let Some(fs_exec_and_read) = opts.fs_exec_and_read {
- for path in fs_exec_and_read {
- let _ = sandbox.add_exception(birdcage::Exception::ExecuteAndRead(path.into()));
- }
- }
-
- if let Some(fs_read) = opts.fs_read {
- for path in fs_read {
- let _ = sandbox.add_exception(birdcage::Exception::Read(path.into()));
- }
- }
-
- if let Some(fs_write_and_read) = opts.fs_write_and_read {
- for path in fs_write_and_read {
- let _ = sandbox.add_exception(birdcage::Exception::WriteAndRead(path.into()));
- }
- }
- if let Some((exe, args)) = opts.args.split_first() {
- // Initialize the sandbox; by default everything is prohibited.
- let mut command = Command::new(exe);
- command.args(args);
-
- let mut child = sandbox.spawn(command).unwrap();
-
- let status = child.wait().unwrap();
- std::process::exit(status.code().unwrap());
- } else {
- panic!("No executable provided");
- }
-}
-
-pub fn init_sandbox() {
- // TODO ideally we check that we are single threaded, but birdcage will also check it later on
-
- if std::env::args().any(|arg| arg == "__sandbox_trampoline__") {
- // This is a sandboxed process
- println!("Running in sandbox mode");
- // Initialize the sandbox
- init();
- } else {
- // This is the main process
- println!("Running in main process mode");
- }
-}
+#[cfg(any(
+ all(target_os = "linux", target_arch = "x86_64"),
+ all(target_os = "linux", target_arch = "aarch64"),
+ all(target_os = "macos", target_arch = "x86_64"),
+ all(target_os = "macos", target_arch = "aarch64"),
+))]
+pub use sandbox::*;
diff --git a/crates/rattler_sandbox/src/sandbox/mod.rs b/crates/rattler_sandbox/src/sandbox/mod.rs
new file mode 100644
index 000000000..9df3ebba9
--- /dev/null
+++ b/crates/rattler_sandbox/src/sandbox/mod.rs
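Review bot: The two glob re-exports `pub use sandbox_shim::*;` and `pub use sandbox::*;` expose different public surfaces: on the listed targets the crate exports `init`, `init_sandbox`, `sandboxed_command` and `Exception` (plus, as far as glob imports carry them, the `sandbox` and `tokio` submodules), while the shim added in the last hunk of this patch provides only `init`, so any consumer calling `init_sandbox` or `sandboxed_command` fails to compile on every other target instead of being told at runtime that the sandbox is unavailable. Either mirror the full surface in the shim, or name the exported items explicitly, `pub use sandbox::{init, init_sandbox, sandboxed_command, Exception};`, so a mismatch between the two modules is caught inside this crate. Whatever the shim ends up exporting should fail closed, returning an error or panicking as its `init` already does, rather than spawning the command without a sandbox. The same four-target predicate is spelled out four times here; a comment next to the first one, e.g. `// Supported targets: keep all four cfg lists in this file identical`, would mark the duplication as intentional and easier to keep in step.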
@@ -0,0 +1,80 @@
+use birdcage::process::Command;
+use birdcage::{Birdcage, Sandbox};
+use clap::Parser;
+
+pub mod sandbox;
+#[cfg(feature = "tokio")]
+pub mod tokio;
+
+pub use sandbox::{sandboxed_command, Exception};
+
+#[derive(clap::Parser)]
+struct Opts {
+ #[clap(long)]
+ fs_exec_and_read: Option>,
+
+ #[clap(long)]
+ fs_write_and_read: Option>,
+
+ #[clap(long)]
+ fs_read: Option>,
+
+ #[clap(long)]
+ network: bool,
+
+ #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+ args: Vec,
+}
+
+// This function checks if the current executable should execute as a sandboxed process
+pub fn init() {
+ let mut args = std::env::args().collect::>();
+ // Remove the first `__sandbox_trampoline__` argument
+ args.remove(1);
+ let opts = Opts::parse_from(args.iter());
+ // Allow access to our test executable.
+ let mut sandbox = Birdcage::new();
+
+ if let Some(fs_exec_and_read) = opts.fs_exec_and_read {
+ for path in fs_exec_and_read {
+ let _ = sandbox.add_exception(birdcage::Exception::ExecuteAndRead(path.into()));
+ }
+ }
+
+ if let Some(fs_read) = opts.fs_read {
+ for path in fs_read {
+ let _ = sandbox.add_exception(birdcage::Exception::Read(path.into()));
+ }
+ }
+
+ if let Some(fs_write_and_read) = opts.fs_write_and_read {
+ for path in fs_write_and_read {
+ let _ = sandbox.add_exception(birdcage::Exception::WriteAndRead(path.into()));
+ }
+ }
+ if let Some((exe, args)) = opts.args.split_first() {
+ // Initialize the sandbox; by default everything is prohibited.
+ let mut command = Command::new(exe);
+ command.args(args);
+
+ let mut child = sandbox.spawn(command).unwrap();
+
+ let status = child.wait().unwrap();
+ std::process::exit(status.code().unwrap());
+ } else {
+ panic!("No executable provided");
+ }
+}
+
+pub fn init_sandbox() {
+ // TODO ideally we check that we are single threaded, but birdcage will also check it later on
+ if std::env::args().any(|arg| arg == "__sandbox_trampoline__") {
+ // This is a sandboxed process
+ eprintln!("Running in sandbox mode");
+ // Initialize the sandbox
+ init();
+ } else {
+ // This is the main process
+ eprintln!("Running in main process mode");
+ }
+}
diff --git a/crates/rattler_sandbox/src/sandbox.rs b/crates/rattler_sandbox/src/sandbox/sandbox.rs
similarity index 100%
rename from crates/rattler_sandbox/src/sandbox.rs
rename to crates/rattler_sandbox/src/sandbox/sandbox.rs
diff --git a/crates/rattler_sandbox/src/tokio.rs b/crates/rattler_sandbox/src/sandbox/tokio.rs
similarity index 100%
rename from crates/rattler_sandbox/src/tokio.rs
rename to crates/rattler_sandbox/src/sandbox/tokio.rs
diff --git a/crates/rattler_sandbox/src/sandbox_shim.rs b/crates/rattler_sandbox/src/sandbox_shim.rs
new file mode 100644
index 000000000..0f8e316c4
--- /dev/null
+++ b/crates/rattler_sandbox/src/sandbox_shim.rs
@@ -0,0 +1,3 @@
+pub fn init() {
+ panic!("Sandbox is not supported on this platform");
+}
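Review bot: `init_sandbox` switches into sandbox mode when `__sandbox_trampoline__` appears anywhere in the argument list, but `init` then unconditionally removes argument 1, so a marker that shows up further down (for instance as an argument intended for the child command) flips the main process into sandbox mode and strips the wrong argument; checking the position keeps the two in step: `if std::env::args().nth(1).as_deref() == Some("__sandbox_trampoline__") {`. In the same function `status.code().unwrap()` panics when the child is terminated by a signal, since `code()` is `None` in that case on Unix; `std::process::exit(status.code().unwrap_or(1));` keeps the trampoline exiting non-zero instead of panicking. The `network` flag is parsed into `Opts` but never applied to the `Birdcage` instance, so `--network` is accepted and silently ignored; either wire it to the matching birdcage exception or drop the flag until it is used. The `let _ = sandbox.add_exception(...)` calls discard errors, which is the restrictive direction but leaves the child failing with an unexplained permission error; a one-line comment such as `// A rejected exception leaves the path blocked; the child will see the denial` would make that intent explicit.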