feat: Implement antivirus detection on macOS

Having this enabled will make every initial binary launch slower.

We check this by seeing if we have the "Developer Tool" execution policy
grant, or if SIP Filesystem Protections are disabled.

Author: madsmtm

Cargo.lock

@@ -24,6 +24,7 @@ anstyle = "1.0.11"
 anyhow = "1.0.98"
 base64 = "0.22.1"
 blake3 = "1.8.2"
+block2 = "0.6.1"
 build-rs = { version = "0.3.1", path = "crates/build-rs" }
 cargo = { path = "" }
 cargo-credential = { version = "0.4.2", path = "credential/cargo-credential" }
@@ -69,6 +70,7 @@ libgit2-sys = "0.18.2"
 libloading = "0.8.8"
 memchr = "2.7.5"
 miow = "0.6.0"
+objc2 = "0.6.2"
 opener = "0.8.2"
 openssl = "0.10.73"
 openssl-sys = "0.9.109"
@@ -251,6 +253,11 @@ features = [
   "Win32_System_Threading",
 ]
 
+[target.'cfg(target_vendor = "apple")'.dependencies]
+block2.workspace = true # For ExecutionPolicy framework interaction
+objc2.workspace = true # For ExecutionPolicy framework interaction
+libc.workspace = true
+
 [dev-dependencies]
 annotate-snippets = { workspace = true, features = ["testing-colors"] }
 cargo-test-support.workspace = true

Cargo.toml

@@ -55,7 +55,7 @@ use crate::ops;
 use crate::ops::resolve::{SpecsAndResolvedFeatures, WorkspaceResolve};
 use crate::util::context::{GlobalContext, WarningHandling};
 use crate::util::interning::InternedString;
-use crate::util::{CargoResult, StableHasher};
+use crate::util::{CargoResult, StableHasher, detect_antivirus};
 
 mod compile_filter;
 pub use compile_filter::{CompileFilter, FilterRule, LibRule};
@@ -556,6 +556,22 @@ where `<compatible-ver>` is the latest version supporting rustc {rustc_version}"
         }
     }
 
+    // TODO(madsmtm): Add some sort of option for this.
+    if false {
+        // TODO(madsmtm): Maybe only do this when we have above a certain
+        // number of build scripts or test binaries to run?
+
+        // TODO(madsmtm): We probably don't want to do this check when doing
+        // `cargo install`?
+
+        // TODO(madsmtm): Consider only warning once every X days.
+
+        if let Err(err) = detect_antivirus::detect_and_report(gctx) {
+            // Errors in this detection are not fatal.
+            tracing::error!("failed detecting whether binaries may be slow to run: {err}");
+        }
+    }
+
     let bcx = BuildContext::new(
         ws,
         pkg_set,

src/cargo/ops/cargo_compile/mod.rs

@@ -0,0 +1,185 @@
+//! Utilities for using a dynamically loaded ExecutionPolicy.framework.
+//!
+//! ExecutionPolicy is only available since macOS 10.15, while Rust's
+//! minimum supported version for host tooling is macOS 10.12:
+//! https://doc.rust-lang.org/rustc/platform-support/apple-darwin.html#host-tooling
+//!
+//! For this reason, we must load the framework dynamically instead of linking
+//! it statically - which gets a bit more involved.
+//!
+//! See <https://docs.rs/objc2-execution-policy> for a safer interface that
+//! can be used if support for lower macOS versions are dropped (or once Rust
+//! gains better support for weak linking).
+//!
+//! NOTE: `addPolicyExceptionForURL:error:` probably isn't relevant for us,
+//! that is more used for e.g. allowing running a recently downloaded binary
+//! (and requires that you already have developer tool authorization).
+
+use std::cell::Cell;
+use std::ffi::{CStr, c_void};
+use std::marker::PhantomData;
+use std::rc::Rc;
+
+use anyhow::Context;
+use block2::{DynBlock, RcBlock};
+use objc2::ffi::NSInteger;
+use objc2::rc::Retained;
+use objc2::runtime::{AnyClass, Bool, NSObject};
+use objc2::{available, msg_send};
+
+use crate::CargoResult;
+
+/// A handle to the dynamically loaded ExecutionPolicy framework.
+#[derive(Debug)]
+pub struct ExecutionPolicyHandle(*mut c_void);
+
+impl ExecutionPolicyHandle {
+    /// Dynamically load the ExecutionPolicy framework, and return None if it
+    /// isn't available.
+    pub fn open() -> CargoResult<Option<Self>> {
+        let path = c"/System/Library/Frameworks/ExecutionPolicy.framework/ExecutionPolicy";
+
+        let handle = unsafe { libc::dlopen(path.as_ptr(), libc::RTLD_LAZY | libc::RTLD_LOCAL) };
+
+        if handle.is_null() {
+            // SAFETY: `dlerror` is safe to call.
+            let err = unsafe { libc::dlerror() };
+            let err = if err.is_null() {
+                None
+            } else {
+                // SAFETY: The error is a valid C string.
+                Some(unsafe { CStr::from_ptr(err) })
+            };
+
+            // The framework was introduced in macOS 10.15+ / Mac Catalyst 13.0+.
+            if available!(macos = 10.15, ios = 13.0) {
+                Err(anyhow::format_err!(
+                    "failed loading ExecutionPolicy.framework: {err:?}"
+                ))
+            } else {
+                // The framework is not available on macOS 10.14 and below
+                // (which also means that the antivirus doesn't exist yet, so
+                // nothing for us to detect and warn against).
+                Ok(None)
+            }
+        } else {
+            Ok(Some(Self(handle)))
+        }
+    }
+}
+
+impl Drop for ExecutionPolicyHandle {
+    fn drop(&mut self) {
+        // SAFETY: The handle is valid.
+        let _ = unsafe { libc::dlclose(self.0) };
+        // Ignore errors when closing. This is also what `libloading` does:
+        // https://docs.rs/libloading/0.8.6/src/libloading/os/unix/mod.rs.html#374
+    }
+}
+
+/// A  that interacts with the system via XPC.
+///
+/// See [`objc2_execution_policy::EPDeveloperTool`] for details.
+///
+/// [`objc2_execution_policy::EPDeveloperTool`]: https://docs.rs/objc2-execution-policy/0.3.1/objc2_execution_policy/struct.EPDeveloperTool.html
+#[derive(Debug)]
+pub struct EPDeveloperTool<'handle> {
+    _handle: PhantomData<&'handle ExecutionPolicyHandle>,
+    obj: Retained<NSObject>,
+}
+
+impl<'handle> EPDeveloperTool<'handle> {
+    /// Call `+[EPDeveloperTool new]` to get a new handle.
+    pub fn new(_handle: &'handle ExecutionPolicyHandle) -> CargoResult<Self> {
+        // Dynamically query the class (loading the framework with dlopen
+        // above should have made this available).
+        let cls =
+            AnyClass::get(c"EPDeveloperTool").context("failed finding `EPDeveloperTool` class")?;
+
+        // SAFETY: The signature of +[EPDeveloperTool new] is correct and
+        // the method is safe to call.
+        let obj: Option<Retained<NSObject>> = unsafe { msg_send![cls, new] };
+
+        // Null can happen in OOM situations, and maybe if failing to connect
+        // via. XPC to the required services.
+        let obj = obj.context("failed allocating and initializing `EPDeveloperTool` instance")?;
+
+        let _handle = PhantomData;
+        Ok(Self { _handle, obj })
+    }
+
+    /// Call `-[EPDeveloperTool authorizationStatus]`.
+    pub fn authorization_status(&self) -> EPDeveloperToolStatus {
+        // SAFETY: -[EPDeveloperTool authorizationStatus] correctly
+        // returns EPDeveloperToolStatus and the method is safe to call.
+        let status: NSInteger = unsafe { msg_send![&*self.obj, authorizationStatus] };
+        EPDeveloperToolStatus(status)
+    }
+
+    /// Call `requestDeveloperToolAccessWithCompletionHandler:` and get the
+    /// result.
+    ////
+    /// This allows the user to more easily see which application needs to be
+    /// allowed (but _is_ also requesting higher privileges, so we need to be
+    /// clear in messaging around that).
+    pub fn request_access(&self) -> CargoResult<bool> {
+        // Wrapper to make the signature easier to write.
+        fn inner(obj: &NSObject, block: &DynBlock<dyn Fn(Bool) + 'static>) {
+            // SAFETY:
+            // - The method is safe to call, and we provide a correctly typed
+            //   block, and constrain the signature to be void / unit return.
+            // - No Send/Sync requirements are needed, because the block is
+            //   not marked @Sendable in Swift.
+            // - The 'static requirement on the block is needed because the
+            //   block is marked as @escaping in Swift. Note that the fact
+            //   that the API is annotated as such is kind of weird, there
+            //   isn't really a way that it could call this block on the
+            //   current thread later (which is what a lone @escaping means).
+            unsafe { msg_send![obj, requestDeveloperToolAccessWithCompletionHandler: block] }
+        }
+
+        let result = Rc::new(Cell::new(None));
+        let result_clone = result.clone();
+        let block = RcBlock::new(move |granted: Bool| result_clone.set(Some(granted.as_bool())));
+        inner(&self.obj, &block);
+        result.get().context("failed getting result of -[EPDeveloperTool requestDeveloperToolAccessWithCompletionHandler:]")
+    }
+}
+
+/// The Developer Tool status of the process.
+#[repr(transparent)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
+pub struct EPDeveloperToolStatus(pub NSInteger);
+
+impl EPDeveloperToolStatus {
+    #[doc(alias = "EPDeveloperToolStatusNotDetermined")]
+    pub const NOT_DETERMINED: Self = Self(0);
+    #[doc(alias = "EPDeveloperToolStatusRestricted")]
+    pub const RESTRICTED: Self = Self(1);
+    #[doc(alias = "EPDeveloperToolStatusDenied")]
+    pub const DENIED: Self = Self(2);
+    #[doc(alias = "EPDeveloperToolStatusAuthorized")]
+    pub const AUTHORIZED: Self = Self(3);
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn does_not_crash() {
+        let Some(handle) = ExecutionPolicyHandle::open().unwrap() else {
+            return;
+        };
+
+        let developer_tool = EPDeveloperTool::new(&handle).unwrap();
+
+        let _ = developer_tool.authorization_status();
+
+        // Test that requesting access doesn't crash either. This might be
+        // slightly annoying for macOS Cargo developers if they _really_ don't
+        // want their terminal to show up in their Developer Tools settings,
+        // but in that case we should probably reconsider this feature.
+        let _ = developer_tool.request_access().unwrap();
+    }
+}