chore: move pre_main_hardening() utility into its own crate (#4403)
9
codex-rs/Cargo.lock
generated
9
codex-rs/Cargo.lock
generated
@@ -692,12 +692,12 @@ dependencies = [
|
|||||||
"codex-exec",
|
"codex-exec",
|
||||||
"codex-login",
|
"codex-login",
|
||||||
"codex-mcp-server",
|
"codex-mcp-server",
|
||||||
|
"codex-process-hardening",
|
||||||
"codex-protocol",
|
"codex-protocol",
|
||||||
"codex-protocol-ts",
|
"codex-protocol-ts",
|
||||||
"codex-responses-api-proxy",
|
"codex-responses-api-proxy",
|
||||||
"codex-tui",
|
"codex-tui",
|
||||||
"ctor 0.5.0",
|
"ctor 0.5.0",
|
||||||
"libc",
|
|
||||||
"owo-colors",
|
"owo-colors",
|
||||||
"predicates",
|
"predicates",
|
||||||
"pretty_assertions",
|
"pretty_assertions",
|
||||||
@@ -949,6 +949,13 @@ dependencies = [
|
|||||||
"wiremock",
|
"wiremock",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
[[package]]
|
||||||
|
name = "codex-process-hardening"
|
||||||
|
version = "0.0.0"
|
||||||
|
dependencies = [
|
||||||
|
"libc",
|
||||||
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "codex-protocol"
|
name = "codex-protocol"
|
||||||
version = "0.0.0"
|
version = "0.0.0"
|
||||||
|
|||||||
@@ -16,6 +16,7 @@ members = [
|
|||||||
"mcp-server",
|
"mcp-server",
|
||||||
"mcp-types",
|
"mcp-types",
|
||||||
"ollama",
|
"ollama",
|
||||||
|
"process-hardening",
|
||||||
"protocol",
|
"protocol",
|
||||||
"protocol-ts",
|
"protocol-ts",
|
||||||
"rmcp-client",
|
"rmcp-client",
|
||||||
@@ -49,10 +50,11 @@ codex-login = { path = "login" }
|
|||||||
codex-mcp-client = { path = "mcp-client" }
|
codex-mcp-client = { path = "mcp-client" }
|
||||||
codex-mcp-server = { path = "mcp-server" }
|
codex-mcp-server = { path = "mcp-server" }
|
||||||
codex-ollama = { path = "ollama" }
|
codex-ollama = { path = "ollama" }
|
||||||
|
codex-process-hardening = { path = "process-hardening" }
|
||||||
codex-protocol = { path = "protocol" }
|
codex-protocol = { path = "protocol" }
|
||||||
codex-rmcp-client = { path = "rmcp-client" }
|
|
||||||
codex-protocol-ts = { path = "protocol-ts" }
|
codex-protocol-ts = { path = "protocol-ts" }
|
||||||
codex-responses-api-proxy = { path = "responses-api-proxy" }
|
codex-responses-api-proxy = { path = "responses-api-proxy" }
|
||||||
|
codex-rmcp-client = { path = "rmcp-client" }
|
||||||
codex-tui = { path = "tui" }
|
codex-tui = { path = "tui" }
|
||||||
codex-utils-readiness = { path = "utils/readiness" }
|
codex-utils-readiness = { path = "utils/readiness" }
|
||||||
core_test_support = { path = "core/tests/common" }
|
core_test_support = { path = "core/tests/common" }
|
||||||
@@ -83,8 +85,8 @@ dirs = "6"
|
|||||||
dotenvy = "0.15.7"
|
dotenvy = "0.15.7"
|
||||||
env-flags = "0.1.1"
|
env-flags = "0.1.1"
|
||||||
env_logger = "0.11.5"
|
env_logger = "0.11.5"
|
||||||
eventsource-stream = "0.2.3"
|
|
||||||
escargot = "0.5"
|
escargot = "0.5"
|
||||||
|
eventsource-stream = "0.2.3"
|
||||||
futures = "0.3"
|
futures = "0.3"
|
||||||
icu_decimal = "2.0.0"
|
icu_decimal = "2.0.0"
|
||||||
icu_locale_core = "2.0.0"
|
icu_locale_core = "2.0.0"
|
||||||
|
|||||||
@@ -25,6 +25,7 @@ codex-core = { workspace = true }
|
|||||||
codex-exec = { workspace = true }
|
codex-exec = { workspace = true }
|
||||||
codex-login = { workspace = true }
|
codex-login = { workspace = true }
|
||||||
codex-mcp-server = { workspace = true }
|
codex-mcp-server = { workspace = true }
|
||||||
|
codex-process-hardening = { workspace = true }
|
||||||
codex-protocol = { workspace = true }
|
codex-protocol = { workspace = true }
|
||||||
codex-protocol-ts = { workspace = true }
|
codex-protocol-ts = { workspace = true }
|
||||||
codex-responses-api-proxy = { workspace = true }
|
codex-responses-api-proxy = { workspace = true }
|
||||||
@@ -43,15 +44,6 @@ tokio = { workspace = true, features = [
|
|||||||
tracing = { workspace = true }
|
tracing = { workspace = true }
|
||||||
tracing-subscriber = { workspace = true }
|
tracing-subscriber = { workspace = true }
|
||||||
|
|
||||||
[target.'cfg(target_os = "linux")'.dependencies]
|
|
||||||
libc = { workspace = true }
|
|
||||||
|
|
||||||
[target.'cfg(target_os = "android")'.dependencies]
|
|
||||||
libc = { workspace = true }
|
|
||||||
|
|
||||||
[target.'cfg(target_os = "macos")'.dependencies]
|
|
||||||
libc = { workspace = true }
|
|
||||||
|
|
||||||
[dev-dependencies]
|
[dev-dependencies]
|
||||||
assert_cmd = { workspace = true }
|
assert_cmd = { workspace = true }
|
||||||
predicates = { workspace = true }
|
predicates = { workspace = true }
|
||||||
|
|||||||
@@ -23,7 +23,6 @@ use std::path::PathBuf;
|
|||||||
use supports_color::Stream;
|
use supports_color::Stream;
|
||||||
|
|
||||||
mod mcp_cmd;
|
mod mcp_cmd;
|
||||||
mod pre_main_hardening;
|
|
||||||
|
|
||||||
use crate::mcp_cmd::McpCli;
|
use crate::mcp_cmd::McpCli;
|
||||||
use crate::proto::ProtoCli;
|
use crate::proto::ProtoCli;
|
||||||
@@ -213,14 +212,7 @@ fn pre_main_hardening() {
|
|||||||
};
|
};
|
||||||
|
|
||||||
if secure_mode == "1" {
|
if secure_mode == "1" {
|
||||||
#[cfg(any(target_os = "linux", target_os = "android"))]
|
codex_process_hardening::pre_main_hardening();
|
||||||
crate::pre_main_hardening::pre_main_hardening_linux();
|
|
||||||
|
|
||||||
#[cfg(target_os = "macos")]
|
|
||||||
crate::pre_main_hardening::pre_main_hardening_macos();
|
|
||||||
|
|
||||||
#[cfg(windows)]
|
|
||||||
crate::pre_main_hardening::pre_main_hardening_windows();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Always clear this env var so child processes don't inherit it.
|
// Always clear this env var so child processes don't inherit it.
|
||||||
|
|||||||
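--- a/codex-rs/process-hardening/Cargo.toml
+++ b/codex-rs/process-hardening/Cargo.toml
@@ -0,0 +1,21 @@
+[package]
+edition = "2024"
+name = "codex-process-hardening"
+version = { workspace = true }
+
+[lib]
+name = "codex_process_hardening"
+path = "src/lib.rs"
+
+[lints]
+workspace = true
+
+[dependencies]
+[target.'cfg(target_os = "linux")'.dependencies]
+libc = { workspace = true }
+
+[target.'cfg(target_os = "android")'.dependencies]
+libc = { workspace = true }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+libc = { workspace = true }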
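Review bot: The three target tables at the end of this manifest are identical and have to be kept in step by hand with the `#[cfg]` arms in `src/lib.rs`. They could be one table, `[target.'cfg(any(target_os = "linux", target_os = "android", target_os = "macos"))'.dependencies]`, followed by a single `libc = { workspace = true }`. The empty `[dependencies]` header directly above them carries nothing and can be dropped.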
@@ -1,3 +1,19 @@
|
|||||||
|
/// This is designed to be called pre-main() (using `#[ctor::ctor]`) to perform
|
||||||
|
/// various process hardening steps, such as
|
||||||
|
/// - disabling core dumps
|
||||||
|
/// - disabling ptrace attach on Linux and macOS.
|
||||||
|
/// - removing dangerous environment variables such as LD_PRELOAD and DYLD_*
|
||||||
|
pub fn pre_main_hardening() {
|
||||||
|
#[cfg(any(target_os = "linux", target_os = "android"))]
|
||||||
|
pre_main_hardening_linux();
|
||||||
|
|
||||||
|
#[cfg(target_os = "macos")]
|
||||||
|
pre_main_hardening_macos();
|
||||||
|
|
||||||
|
#[cfg(windows)]
|
||||||
|
pre_main_hardening_windows();
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(any(target_os = "linux", target_os = "android"))]
|
#[cfg(any(target_os = "linux", target_os = "android"))]
|
||||||
const PRCTL_FAILED_EXIT_CODE: i32 = 5;
|
const PRCTL_FAILED_EXIT_CODE: i32 = 5;
|
||||||
|
|
||||||
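Review bot: On a target that is none of linux, android, macos or windows, every `#[cfg]` arm in the new `pre_main_hardening()` compiles out and the function returns without doing anything, so a caller that requested hardening gets no indication that none was applied. If failing closed is intended, add a fallback arm such as `#[cfg(not(any(target_os = "linux", target_os = "android", target_os = "macos", windows)))] compile_error!("pre_main_hardening: unsupported target");`; otherwise state the no-op in the doc comment. The doc comment also lists only the Linux and macOS steps, so it should say what the Windows arm does. `PRCTL_FAILED_EXIT_CODE` just below suggests a failed step terminates the process; the per-OS bodies are outside this hunk, but if so, a line like `/// Exits the process with a step-specific code if a hardening call fails.` would tell callers what to expect.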