mlux 1.14.1

A rich Markdown viewer for modern terminals
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

//! Fork-based sandboxed primitives.
//!
//! Provides generic fork+sandbox+IPC building blocks used by the
//! [`crate::renderer`] orchestration layer. This module contains no
//! domain-specific logic (no Markdown, no Typst, no tile rendering).

mod process;
mod sandbox;

use std::path::PathBuf;

use anyhow::{Context, Result};
use serde::{Deserialize, Serialize, de::DeserializeOwned};

use crate::log::{LogBuffer, LogEntry};

pub use process::ChildProcess;
pub(crate) use process::{TypedReader, TypedWriter};

/// Sandbox policy for a forked child.
pub(crate) enum SandboxConfig {
    /// No filesystem/network restrictions.
    Disabled,
    /// Apply Landlock: restrict filesystem to listed read scopes, deny all network.
    Enforce {
        /// Base path for document access (expanded to git root by sandbox layer).
        read_base: Option<PathBuf>,
        /// Additional read-allowed directories (e.g. font dirs), used as-is.
        extra_read_dirs: Vec<PathBuf>,
    },
}

impl SandboxConfig {
    /// Maximum restriction: Landlock with no read scopes allowed.
    pub(crate) fn deny_all() -> Self {
        SandboxConfig::Enforce {
            read_base: None,
            extra_read_dirs: Vec::new(),
        }
    }
}

/// Fork a child with typed channels, applying sandbox before `child_fn` runs.
///
/// This is the general-purpose fork primitive of `fork_sandbox`.
/// If `sandbox` is `Enforce`, Landlock is applied before `child_fn` runs.
pub(crate) fn fork_sandboxed<Req, Resp, F>(
    sandbox: SandboxConfig,
    child_fn: F,
) -> Result<(TypedWriter<Req>, TypedReader<Resp>, ChildProcess)>
where
    Req: Serialize + DeserializeOwned,
    Resp: Serialize + DeserializeOwned,
    F: FnOnce(TypedReader<Req>, TypedWriter<Resp>),
{
    process::fork_with_channels(move |req_rx, resp_tx| {
        if let SandboxConfig::Enforce {
            ref read_base,
            ref extra_read_dirs,
        } = sandbox
            && let Err(e) = sandbox::enforce_sandbox(read_base.as_deref(), extra_read_dirs)
        {
            log::warn!("child: sandbox failed: {e:#}");
        }
        child_fn(req_rx, resp_tx);
    })
}

/// Result from a forked child: either a computed value or a panic notification.
/// Both variants carry the child's log entries for forwarding to the parent.
#[derive(Serialize, Deserialize)]
enum ComputeResult<T> {
    Ok { value: T, logs: Vec<LogEntry> },
    Panicked { logs: Vec<LogEntry> },
}

/// Fork a sandboxed child that computes a value and returns it.
///
/// The child applies the sandbox policy, runs `f()`, sends the result via IPC,
/// and exits. Panics in `f` are caught; child log entries are forwarded in both cases.
pub(crate) fn fork_compute<T, F>(sandbox: SandboxConfig, log_buffer: &LogBuffer, f: F) -> Result<T>
where
    T: Serialize + DeserializeOwned,
    F: FnOnce() -> T,
{
    let log_buf = log_buffer.clone();
    let (_, mut rx, mut child) =
        fork_sandboxed::<(), ComputeResult<T>, _>(sandbox, move |_req_rx, mut resp_tx| {
            // Discard log entries inherited from the parent via fork COW.
            // Without this, drain() would include pre-fork entries, causing
            // duplicates when the parent re-ingests them.
            log_buf.drain();
            match std::panic::catch_unwind(std::panic::AssertUnwindSafe(f)) {
                Ok(value) => {
                    let logs = log_buf.drain();
                    let _ = resp_tx.send(&ComputeResult::Ok { value, logs });
                }
                Err(_) => {
                    log::error!("child: fork_compute panicked");
                    let logs = log_buf.drain();
                    let _ = resp_tx.send(&ComputeResult::<T>::Panicked { logs });
                }
            }
        })?;
    let result = rx.recv().context("fork_compute: child failed")?;
    match result {
        ComputeResult::Ok { value, logs } => {
            for entry in logs {
                log_buffer.push(entry);
            }
            child.wait()?;
            Ok(value)
        }
        ComputeResult::Panicked { logs } => {
            for entry in logs {
                log_buffer.push(entry);
            }
            child.wait()?;
            anyhow::bail!("fork_compute: child panicked")
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    /// Convenience wrapper for tests: `fork_compute` with no sandbox.
    fn fork_compute_nosandbox<T, F>(log_buffer: &LogBuffer, f: F) -> Result<T>
    where
        T: Serialize + DeserializeOwned,
        F: FnOnce() -> T,
    {
        fork_compute(SandboxConfig::Disabled, log_buffer, f)
    }

    #[test]
    fn fork_compute_ok_returns_value() {
        let log_buf = LogBuffer::new(16);
        let result = fork_compute_nosandbox(&log_buf, || 42u64);
        assert_eq!(result.unwrap(), 42);
    }

    #[test]
    fn fork_compute_panic_returns_error() {
        let log_buf = LogBuffer::new(16);
        let result = fork_compute_nosandbox::<String, _>(&log_buf, || {
            panic!("deliberate test panic");
        });
        let err = result.unwrap_err();
        assert!(
            format!("{err:#}").contains("panicked"),
            "expected panic error, got: {err:#}"
        );
    }
}