allow output dir

valoq · valoq · commit ae5fed30410a · 2025-06-28T19:26:15.000+02:00
diff --git a/src/main.rs b/src/main.rs
@@ -11,6 +11,8 @@ pub mod sandbox;
 
 use std::{env, path::PathBuf};
 
+use log::{error, warn, info};
+
 use cli::CliArgs;
 use once_cell::sync::Lazy;
 
@@ -45,37 +47,44 @@ fn main() {
 fn run() -> Result<()> {
     let (args, skip_questions_positively, file_visibility_policy) = CliArgs::parse_and_validate_args()?;
 
-    // check args if case A: "decompress -d <outputdir>" or case B: "decompress -r" is used
-    //if true
-    //Case A:
-    // write_dirs = outputdir
-    //Case B:
-    // write_dir = inputdir
+    // Get the output dir if specified, else use current dir
+    let working_dir = args.output_dir
+        .clone()
+        .unwrap_or_else(|| env::current_dir().unwrap_or_default());
 
-    //init_sandbox( write_dirs );
-    init_sandbox();
+    // restrict filesystem access to working_dir;
+    init_sandbox(&working_dir);
 
     commands::run(args, skip_questions_positively, file_visibility_policy)
 }
 
 // init_sandbox( write_dirs
-fn init_sandbox() {
+fn init_sandbox(allowed_dir: &Path) {
 
-    if utils::landlock_support::is_landlock_supported() {
-        println!("Landlock is supported and can be enabled.");
+    if std::env::var("CI").is_ok() {
+       warn!("Landlock sandboxing is disabled in CI environments.");
+       return;
+    }
 
-        let working_dir = get_current_working_dir().expect("Cannot get current working dir");
-        let path_str = working_dir.to_str().expect("Cannot convert path");
-        let status = sandbox::restrict_paths(&[path_str]).expect("failed to build the ruleset");
 
+    if utils::landlock_support::is_landlock_supported() {
+        info!("Landlock is supported and can be enabled.");
+
+        let path_str = allowed_dir.to_str().expect("Cannot convert path");
+        match sandbox::restrict_paths(&[path_str]) {
+            Ok(status) => {
+                if !status.is_restricted() {
+                    warn!("Landlock restriction was not successfully applied.");
+                }
+            }
+            Err(e) => {
+                error!("Failed to build the Landlock ruleset: {e}");
+                std::process::exit(EXIT_FAILURE);
+            }
+        }
     } else {
-        println!("Landlock is NOT supported on this platform or kernel (<5.19).");
+        warn!("Landlock is NOT supported on this platform or kernel (<5.19).");
     }
 
-    // todos:
-    // check status and report error or warning if landlock restriction failed
 }
 
-fn get_current_working_dir() -> std::io::Result<PathBuf> {
-    env::current_dir()
-}
