1package sandboxexec
2
3import (
4 "context"
5 "fmt"
6 "os"
7
8 "github.com/urfave/cli/v3"
9)
10
// Command builds the hidden "sandbox-exec" subcommand that LandlockBackend
// re-executes the knot binary with.
//
// Why a re-exec: landlock_restrict_self restricts only the OS thread that
// calls it, and the Go scheduler may move a goroutine between threads, so the
// ruleset cannot be applied reliably from a goroutine of the running process.
// The knot binary is therefore started again with this subcommand, which
// applies the ruleset and then exec's into the target git process.
//
// NOTE(review): the re-exec is described as running single-threaded, before
// the Go runtime starts its thread pool. The Action below is called from
// ordinary Go code after runtime start-up, so confirm that applyAndExec keeps
// the restrict call and the exec on the same OS thread (for example with
// runtime.LockOSThread) or restricts every thread.
func Command() *cli.Command {
	// Repeatable flag: each value is one repository path the sandboxed
	// process may read and write.
	repoPathFlag := &cli.StringSliceFlag{
		Name:  "repo-path",
		Usage: "repository path(s) to allow read/write access to",
	}

	return &cli.Command{
		Name: "sandbox-exec",
		// Hidden only keeps the subcommand out of help output; it is still
		// callable by anything that can run the binary, so it must not be
		// treated as an access control.
		Hidden: true,
		Usage:  "apply landlock sandbox and exec into git (internal use only)",
		Action: Run,
		Flags:  []cli.Flag{repoPathFlag},
	}
}
32
// Run is the Action of the sandbox-exec subcommand. It reads the allowed
// repository paths from --repo-path and the command line to execute from the
// positional arguments, then hands both to applyAndExec.
//
// If no positional arguments are given it prints a message to stderr and
// terminates the process with exit status 1 instead of returning an error.
// The ctx parameter is not used.
//
// NOTE(review): nothing is validated here beyond "at least one argument".
// An empty --repo-path list and an arbitrary argv[0] are passed through
// unchanged; confirm that applyAndExec fails closed on an empty path list and
// that the executed binary is constrained to git as the usage text implies.
func Run(ctx context.Context, cmd *cli.Command) error {
	// Positional arguments (what follows "--") form the argv to exec.
	argv := cmd.Args().Slice()
	if len(argv) < 1 {
		// Exit directly: no sandbox has been applied and there is nothing to exec.
		fmt.Fprintln(os.Stderr, "sandbox-exec: no command specified after --")
		os.Exit(1)
	}

	allowed := cmd.StringSlice("repo-path")
	return applyAndExec(allowed, argv)
}