metalbear-co · infiniteregrets · Oct 6, 2022 · Oct 6, 2022 · Oct 6, 2022 · Oct 6, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how
 
 ### Added
 - Release CI: add extensions as artifacts, closes [[#355](https://github.com/metalbear-co/mirrord/issues/355)]
+- mirrord-cli: added a SIP protection check for macos binaries [[#412](https://github.com/metalbear-co/mirrord/issues/412)]
 
 ### Changed
 - Remote operations that fail logged on `info` level instead of `error` because having a file not found, connection failed, etc can be part of a valid successful flow.
@@ -18,6 +19,7 @@ Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how
 ### Fixed
 - `getaddrinfo` now uses [`trust-dns-resolver`](https://docs.rs/trust-dns-resolver/latest/trust_dns_resolver/) when resolving DNS (previously it would do a `getaddrinfo` call in mirrord-agent that could result in incompatibility between the mirrored pod and the user environments).
 - Support clusters running Istio. Closes [[#485](https://github.com/metalbear-co/mirrord/issues/485)].
+- Fixed unused dependencies issue, closes [[#494](https://github.com/metalbear-co/mirrord/issues/494)]
 
 ## 3.0.11-alpha
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/mirrord-agent/Cargo.toml b/mirrord-agent/Cargo.toml
@@ -30,7 +30,7 @@ tracing.workspace = true
 tracing-subscriber.workspace = true
 tokio-stream.workspace = true
 thiserror.workspace = true
-trust-dns-resolver.worspace = true
+trust-dns-resolver.workspace = true
 num-traits = "0.2"
 bollard = "0.13"
 tokio-util.workspace = true

diff --git a/mirrord-cli/Cargo.toml b/mirrord-cli/Cargo.toml
@@ -22,6 +22,8 @@ clap.workspace = true
 tracing.workspace = true
 rand.workspace = true
 tracing-subscriber.workspace = true
+regex = "1.6.0"
+which = "4.3.0"
 exec = "0.3"
 anyhow.workspace = true
 reqwest.workspace = true

diff --git a/mirrord-cli/src/main.rs b/mirrord-cli/src/main.rs
@@ -11,9 +11,11 @@ use config::*;
 use exec::execvp;
 use mirrord_auth::AuthConfig;
 use rand::distributions::{Alphanumeric, DistString};
+use regex::RegexSet;
 use semver::Version;
 use tracing::{debug, error, info, warn};
 use tracing_subscriber::{fmt, prelude::*, registry, EnvFilter};
+use which::which;
 
 mod config;
 
@@ -93,11 +95,44 @@ fn add_to_preload(path: &str) -> Result<()> {
     }
 }
 
+#[cfg(target_os = "macos")]
+fn sip_check(binary_path: &str) -> Result<()> {
+    info!("Checking SIP status");
+    let sip_set = RegexSet::new(&[
+        r"/System/.*",
+        r"/bin/.*",
+        r"/sbin/.*",
+        r"/usr/.*",
+        r"/var/.*",
+        r"/Applications/.*",
+    ])?;
+    let complete_path = which(binary_path)?;
+
+    let sliced_path = complete_path.to_str().ok_or_else(|| {
+        anyhow!(
+            "Failed to convert path to string: {}",
+            binary_path.to_string()
+        )
+    })?;
+
+    if sip_set.is_match(sliced_path) {
+        println!("[WARNING]: Provided binary: {:?} is located in a SIP directory. mirrord might fail to load into it.
+        >> for more info visit https://support.apple.com/en-us/HT204899", binary_path);
+    }
+
+    Ok(())
+}
+
 fn exec(args: &ExecArgs) -> Result<()> {
     info!(
         "Launching {:?} with arguments {:?}",
         args.binary, args.binary_args
     );
+
+    if cfg!(target_os = "macos") {
+        sip_check(&args.binary)?;
+    }
+
     if !(args.no_tcp_outgoing || args.no_udp_outgoing) && args.no_remote_dns {
         warn!("TCP/UDP outgoing enabled without remote DNS might cause issues when local machine has IPv6 enabled but remote cluster doesn't")
     }
@@ -107,7 +142,6 @@ fn exec(args: &ExecArgs) -> Result<()> {
     }
 
     if let Some(pod) = &args.pod_name {
-        // TODO: do we need a print here or just a log is fine?
         println!("[WARNING]: DEPRECATED - `--pod-name` is deprecated, consider using `--target instead.\nDeprecated since: [28/09/2022] | Scheduled removal: [28/10/2022]");
         std::env::set_var("MIRRORD_AGENT_IMPERSONATED_POD_NAME", pod);
     }

diff --git a/mirrord-layer/Cargo.toml b/mirrord-layer/Cargo.toml
@@ -37,7 +37,7 @@ bytes.workspace = true
 tokio-stream.workspace = true
 tokio-util.workspace = true
 thiserror.workspace = true
-trust-dns-resolver.worspace = true
+trust-dns-resolver.workspace = true
 rand = "0.8"
 regex = "1"
 errno = "0.2"

diff --git a/mirrord-protocol/Cargo.toml b/mirrord-protocol/Cargo.toml
@@ -17,6 +17,6 @@ edition.workspace = true
 actix-codec.workspace = true
 bytes.workspace = true
 thiserror.workspace = true
-trust-dns-resolver.worspace = true
+trust-dns-resolver.workspace = true
 serde = { version = "1", features = ["derive"] }
 bincode =  { version = "2.0.0-rc.1", features = ["serde"] }
diff --git a/tests/Cargo.toml b/tests/Cargo.toml
@@ -12,7 +12,7 @@ doctest = false
 k8s-openapi.workspace = true
 kube.workspace = true
 reqwest.workspace = true
-tokio.workspace = true
+trust-dns-resolver.workspace = true
 serde_json.workspace = true
 mirrord = { artifact = "bin", bin = true, path = "../mirrord-cli" }
 serde = "1"