feat: allow optionally disabling Swift sandbox (#2587)

carlocab · szokeasaurusrex · web-flow · commit 8fc580a00ad3 · 2025-07-16T16:16:12.000+02:00
If `cargo` is invoked inside a sandbox on Darwin, the build will fail
when it invokes `swift`. This is because `swift` builds within its own
sandbox by default, but nested sandboxes are not allowed on Darwin.

This is the case, for example, when building `sentry-cli` inside
Homebrew.

For builds that already happen inside a sandbox, allow setting an
environment variable `SWIFT_DISABLE_SANDBOX` which then results in
`swift` being invoked with `--disable-sandbox` to enable the build to
succeed.

---------

Co-authored-by: Daniel Szoke &lt;daniel.szoke@sentry.io&gt;
Co-authored-by: Daniel Szoke &lt;7881302+szokeasaurusrex@users.noreply.github.com&gt;
diff --git a/apple-catalog-parsing/build.rs b/apple-catalog-parsing/build.rs
@@ -2,6 +2,9 @@ use std::env;
 use std::process::Command;
 
 fn main() {
+    /// Environment variable to disable Swift sandboxing.
+    const SWIFT_DISABLE_SANDBOX: &str = "SWIFT_DISABLE_SANDBOX";
+
     let target = env::var("TARGET").expect("TARGET is set for build scripts");
     let mut target_bits = target.split('-');
 
@@ -20,21 +23,34 @@ fn main() {
 
     println!("cargo:rerun-if-changed=native/swift/AssetCatalogParser");
 
+    // Allow swift to be run with `--disable-sandbox` in case cargo has been invoked inside a
+    // sandbox already. Nested sandboxes are not allowed on Darwin.
+    println!("cargo:rerun-if-env-changed={SWIFT_DISABLE_SANDBOX}");
+
     let out_dir = env::var("OUT_DIR").expect("OUT_DIR is set for build scripts");
 
     // Compile Swift code
     let status = Command::new("swift")
-        .args([
-            "build",
-            "-c",
-            "release",
-            "--package-path",
-            "native/swift/AssetCatalogParser",
-            "--scratch-path",
-            &format!("{out_dir}/swift-scratch"),
-            "--triple",
-            &format!("{arch}-apple-macosx10.12"),
-        ])
+        .args(
+            [
+                "build",
+                "-c",
+                "release",
+                "--package-path",
+                "native/swift/AssetCatalogParser",
+                "--scratch-path",
+                &format!("{out_dir}/swift-scratch"),
+                "--triple",
+                &format!("{arch}-apple-macosx10.12"),
+            ]
+            .into_iter()
+            .chain(
+                env::var(SWIFT_DISABLE_SANDBOX)
+                    .ok()
+                    .filter(|s| s == "1")
+                    .map(|_| "--disable-sandbox"),
+            ),
+        )
         .status()
         .expect("Failed to compile SPM");
 
