From 03f3fa88bb12efaea295b55267f5404caaf2ef15 Mon Sep 17 00:00:00 2001
From: Rudi Grinberg
Date: Wed, 10 Aug 2022 13:26:16 -0500
Subject: [PATCH] feature: sandbox cinaps actions
Signed-off-by: Rudi Grinberg
ps-id: b87ebe4c-10dc-4357-a41a-942fc04ccce7
---
 CHANGES.md | 2 ++
 src/dune_rules/cinaps.ml | 8 +++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 5509205f7d2..1abc581881c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -12,6 +12,8 @@
 - Do not ignore rules marked `(promote (until-clean))` when `--ignore-promoted-rules` (or `-p`) is passed. (#6010, fixes #4401, @emillon)
+- Cinaps actions are now sandboxed by default (#6062, @rgrinberg)
+
 3.4.1 (26-07-2022)
 ------------------
diff --git a/src/dune_rules/cinaps.ml b/src/dune_rules/cinaps.ml
index d1bd0497ef1..641a03b433e 100644
--- a/src/dune_rules/cinaps.ml
+++ b/src/dune_rules/cinaps.ml
@@ -80,8 +80,14 @@ let gen_rules sctx t ~dir ~scope =
 let cinaps_exe = Path.Build.relative cinaps_dir (name ^ ".exe") in
 let* () =
 (* Ask cinaps to produce a .ml file to build *)
+ let sandbox =
+ let project = Scope.project scope in
+ if Dune_project.dune_version project >= (3, 5) then
+ Sandbox_config.needs_sandboxing
+ else Sandbox_config.default
+ in
 Super_context.add_rule sctx ~loc:t.loc ~dir
- (Command.run ~dir:(Path.build dir) prog
+ (Command.run ~dir:(Path.build dir) prog ~sandbox
 [ A "-staged"
 ; Target cinaps_ml
 ; Deps (List.map cinapsed_files ~f:Path.build)
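Review bot: The `else Sandbox_config.default` branch of the new `sandbox` binding means projects declaring a dune language older than 3.5 get no enforced sandbox for this rule, yet nothing in the code records that, and the CHANGES.md entry says "sandboxed by default" without mentioning the gate. A one-line comment above the binding would make the intent explicit, e.g. `(* Enforced only from (lang dune 3.5); older projects keep Sandbox_config.default. *)`, and the changelog line could carry the same qualifier. In this hunk only the `-staged` generation command receives `~sandbox`. gen_rules continues outside the hunk, so it cannot be confirmed from here whether the later step that runs `cinaps_exe` is isolated too; that is worth checking, since undeclared file access in that step would otherwise go unnoticed.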