Fix termination of sandboxed processes (#1400)

Subprocesses spawned inside a sandbox for extensions or lockfile generation would keep running when the CLI is killed, since signals were not propagated to the child process. This patch updates CLI to use Birdcage 0.8.0 which spawns a separate init process for PID 1 inside the PID namespace automatically terminating any child even if unresponsive. Closes #1370.
phylum-dev · Apr 22, 2024 · 760cefd · 760cefd
1 parent 297efcf
commit 760cefd
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `SPDX` SBOM registry determination from downloadLocation
 - `SPDX` parsing adding the described package as a dependency
 - `SPDX` parsing certain text files with optional package fields
+- Sandboxed processes sticking around after CLI is killed with a signal
 
 ## 6.2.0 - 2024-03-19
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/cli/Cargo.toml b/cli/Cargo.toml
@@ -64,7 +64,7 @@ once_cell = "1.12.0"
 deno_runtime = { version = "0.134.0" }
 deno_core = { version = "0.232.0" }
 deno_ast = { version = "0.31.2", features = ["transpiling"] }
-birdcage = { version = "0.7.0" }
+birdcage = { version = "0.8.1" }
 libc = "0.2.135"
 ignore = { version = "0.4.20", optional = true }
 uuid = "1.4.1"

diff --git a/cli/src/commands/parse.rs b/cli/src/commands/parse.rs
@@ -2,12 +2,13 @@
 
 use std::borrow::Cow;
 use std::path::{Path, PathBuf};
-use std::process::{Command, Stdio};
+use std::process::Command as StdCommand;
 use std::result::Result as StdResult;
 use std::str::FromStr;
 use std::{env, fs, io};
 
 use anyhow::{anyhow, Context, Result};
+use birdcage::process::{Command, Stdio};
 use birdcage::{Birdcage, Exception, Sandbox};
 use clap::ArgMatches;
 use phylum_lockfile::{LockfileFormat, ParseError, ParsedLockfile};
@@ -179,7 +180,9 @@ pub fn parse_depfile(
             false,
         )?;
         command.stderr(Stdio::inherit());
-        let output = command.output().map_err(anyhow::Error::from)?;
+        #[allow(clippy::useless_conversion)]
+        let mut std_command: StdCommand = command.into();
+        let output = std_command.output().map_err(anyhow::Error::from)?;
 
         if !output.status.success() {
             // Forward STDOUT to the user on failure.

diff --git a/cli/src/commands/sandbox.rs b/cli/src/commands/sandbox.rs
@@ -1,9 +1,9 @@
 //! Sandbox subcommand handling.
 
 use std::os::unix::process::ExitStatusExt;
-use std::process::Command;
 
 use anyhow::{anyhow, Result};
+use birdcage::process::Command;
 use birdcage::{Birdcage, Exception, Sandbox};
 use clap::ArgMatches;