Skip to content

cli: fix genpolicy crash on Darwin #2133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sespiros wants to merge 1 commit into
base: main
Choose a base branch
from
Open

cli: fix genpolicy crash on Darwin #2133

sespiros wants to merge 1 commit into from

Conversation

@sespiros
Copy link
Contributor

@sespiros sespiros commented Jan 26, 2026

/dev/stdin is passed to genpolicy when called from contrast cli as a way to both a) silence genpolicy from outputting to stdout and b) retrieve genpolicy's output back through stdin. This causes a crash on Darwin like so:

time=2026-01-21T11:56:10.495+02:00 level=DEBUG msg="called Result::unwrap() on an Err value: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }"

This is due to architectural differences between Linux and Darwin when attempting to write to /dev/stdin when passed via a pipe. Minimal reproducer to run on Darwin and Linux:

echo "test" | python3 -c 'open("/dev/stdin", "w")'

@sespiros
cli: fix genpolicy crash on Darwin
75c3ca9 
/dev/stdin is passed to genpolicy when called from contrast cli
as a way to both a) silence genpolicy from outputting to stdout and
b) retrieve genpolicy's output back through stdin. This causes
a crash on Darwin like so:

time=2026-01-21T11:56:10.495+02:00 level=DEBUG msg="called `Result::unwrap()`
on an `Err` value: Os { code: 13, kind: PermissionDenied, message: \"Permission denied\" }"

This is due to architectural differences between Linux and Darwin
when attempting to write to /dev/stdin when passed via a pipe.
Minimal reproducer to run on Darwin and Linux:

echo "test" | python3 -c 'open("/dev/stdin", "w")'

Signed-off-by: Spyros Seimenis <sse@edgeless.systems>
@sespiros sespiros requested a review from burgerdev January 26, 2026 13:51
@sespiros sespiros added the no changelog PRs not listed in the release notes label Jan 26, 2026
@sespiros sespiros mentioned this pull request Jan 26, 2026
Closed
burgerdev
burgerdev reviewed Jan 26, 2026
View reviewed changes
Copy link
Member

@burgerdev burgerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you have a chance to consider my comment on the original PR?

disable yaml output when --base64-out or --raw-out are present, because outputting both (or all 3) does not make any sense.

I'd say this has a good chance of being accepted upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@burgerdev burgerdev burgerdev left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no changelog PRs not listed in the release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sespiros @burgerdev