make ldd / where features optional

2025-11-03 16:41:38 +11:00 · 2025-11-03 16:41:38 +11:00 · ab083b07e4
commit ab083b07e4
parent 5766b0cdfe
3 changed files with 29 additions and 14 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -1,25 +1,28 @@
 mod parse;
 mod types;
-use std::{collections::VecDeque, path::PathBuf, str::FromStr};

 use anyhow::{Context, Result, anyhow};
-use elb_dl::{DependencyTree, DynamicLoader, glibc};
 use landlock::{
    ABI, Access, AccessFs, AccessNet, BitFlags, Compatible, NetPort, Ruleset, RulesetAttr,
    RulesetCreatedAttr, Scope, make_bitflags, path_beneath_rules,
 };

+#[cfg(feature = "ldd")]
+use elb_dl::{DependencyTree, DynamicLoader, glibc};
+#[cfg(feature = "ldd")]
+use std::{collections::VecDeque, path::PathBuf, str::FromStr};
+
 fn main() -> Result<()> {
    let opts = parse::parse_args()?;
    if opts.exec.is_empty() {
        // print help
        eprintln!(
            "
-yoke -- simple command sandboxer
+yoke -- simple sandboxer

 use: yoke [ruletype] [space separated rules] -- [command]

-rule types
+rules 
 ------------
    filesystem:
        --fs | -f [access]=/path:/another/path 
@ -39,7 +42,8 @@ rule types
    allow sending signals to other processes:
        --signals | -k

-    resolve process dependencies and add to sandbox:
+    resolve process dependencies and add to sandbox
+    (with `ldd` feature):
        --ldd | -l

    unsandbox:
@ -47,7 +51,7 @@ rule types
        --no-tcp | -nt


-specifiers
+access specifiers
 ------------
    fs:
        r - read
@ -165,7 +169,11 @@ examples
    }

    // locate our executable
+    #[cfg(feature = "which")]
    let fullpath = which::which(&opts.exec[0]).context("finding executable")?;
+    #[cfg(not(feature = "which"))]
+    let fullpath = &opts.exec[0];
+
    // add executeable as read+execute
    if !opts.unsandbox.fs {
        ruleset = ruleset.add_rules(path_beneath_rules(
@ -175,12 +183,10 @@ examples
    }

    // if requested, trace dependencies and add as read+execute
+    #[cfg(feature = "ldd")]
    if opts.ldd {
        let loader = DynamicLoader::options()
            .search_dirs(glibc::get_hard_coded_search_dirs(None)?)
-            .search_dirs(glibc::get_search_dirs(
-                PathBuf::from_str("/").context("finding root")?,
-            )?)
            .new_loader();
        let mut tree = DependencyTree::new();
        let mut queue = VecDeque::new();
--- a/src/parse.rs
+++ b/src/parse.rs
@ -1,5 +1,5 @@
 use crate::types::{Direction, Permissions, Yoke};
-use anyhow::{anyhow, Context, Result};
+use anyhow::{Context, Result, anyhow};
 use std::{collections::HashMap, path::PathBuf, str::FromStr};

 #[derive(PartialEq)]
@ -145,12 +145,15 @@ pub fn parse_args() -> Result<Yoke> {
                cur_arg = Unset;
                yoke.retain_env = true;
            }
+
+            #[cfg(feature = "ldd")]
            "--ldd" | "-l" => {
                collect_args(&mut yoke, &collector, &cur_arg)?;
                collector.clear();
                cur_arg = Unset;
                yoke.ldd = true;
            }
+
            "--no-fs" | "-nf" => {
                collect_args(&mut yoke, &collector, &cur_arg)?;
                collector.clear();