Restrict namespace arguments to Linux

tun2proxy · Apr 7, 2024 · 7d3c48a · 7d3c48a
1 parent 80675ef
commit 7d3c48a
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/src/args.rs b/src/args.rs
@@ -25,17 +25,21 @@ pub struct Args {
 
     /// Create a tun interface in a newly created unprivileged namespace
     /// while maintaining proxy connectivity via the global network namespace.
+    #[cfg(target_os = "linux")]
     #[arg(long)]
     pub unshare: bool,
 
     /// File descriptor for UNIX datagram socket meant to transfer
     /// network sockets from global namespace to the new one.
     /// See `unshare(1)`, `namespaces(7)`, `sendmsg(2)`, `unix(7)`.
-    #[arg(long, value_name = "fd")]
+    #[cfg(target_os = "linux")]
+    #[arg(long, value_name = "fd", hide(true))]
     pub socket_transfer_fd: Option<i32>,
 
-    /// Specify a command to run with root-like capabilities in the new namespace.
+    /// Specify a command to run with root-like capabilities in the new namespace
+    /// when using `--unshare`.
     /// This could be useful to start additional daemons, e.g. `openvpn` instance.
+    #[cfg(target_os = "linux")]
     #[arg(requires = "unshare")]
     pub admin_command: Vec<OsString>,
 
@@ -91,8 +95,11 @@ impl Default for Args {
             proxy: ArgProxy::default(),
             tun: None,
             tun_fd: None,
+            #[cfg(target_os = "linux")]
             unshare: false,
+            #[cfg(target_os = "linux")]
             socket_transfer_fd: None,
+            #[cfg(target_os = "linux")]
             admin_command: Vec::new(),
             ipv6_enabled: false,
             setup,

diff --git a/src/bin/main.rs b/src/bin/main.rs
@@ -13,14 +13,15 @@ async fn main() -> Result<(), BoxError> {
     let join_handle = tokio::spawn({
         let shutdown_token = shutdown_token.clone();
         async move {
+            #[cfg(target_os = "linux")]
             if args.unshare && args.socket_transfer_fd.is_none() {
-                #[cfg(target_os = "linux")]
                 if let Err(err) = namespace_proxy_main(args, shutdown_token).await {
                     log::error!("namespace proxy error: {}", err);
                 }
-                #[cfg(not(target_os = "linux"))]
-                log::error!("Your platform doesn't support unprivileged namespaces");
-            } else if let Err(err) = tun2proxy::desktop_run_async(args, shutdown_token).await {
+                return;
+            }
+
+            if let Err(err) = tun2proxy::desktop_run_async(args, shutdown_token).await {
                 log::error!("main loop error: {}", err);
             }
         }

diff --git a/src/desktop_api.rs b/src/desktop_api.rs
@@ -149,6 +149,7 @@ pub async fn desktop_run_async(args: Args, shutdown_token: tokio_util::sync::Can
             run_ip_util(format!("-6 route delete 80::/1 dev {}", tproxy_args.tun_name));
         }
 
+        #[cfg(target_os = "linux")]
         if setup && args.unshare {
             // New namespace doesn't have any other routing device by default
             // So our `tun` device should act as such to make space for other proxies.
@@ -166,6 +167,7 @@ pub async fn desktop_run_async(args: Args, shutdown_token: tokio_util::sync::Can
         }
     }
 
+    #[cfg(target_os = "linux")]
     let mut admin_command_args = args.admin_command.iter();
     if let Some(command) = admin_command_args.next() {
         let child = tokio::process::Command::new(command)