2024-04-24 20:36:57 -04:00
|
|
|
# typed: strict
|
2019-04-19 15:38:03 +09:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2015-04-09 17:42:54 +08:00
|
|
|
require "erb"
|
2021-08-24 14:29:17 +01:00
|
|
|
require "io/console"
|
|
|
|
|
require "pty"
|
2015-04-09 17:42:54 +08:00
|
|
|
require "tempfile"
|
|
|
|
|
|
2020-08-19 07:02:01 +02:00
|
|
|
# Helper class for running a sub-process inside of a sandboxed environment.
|
2015-04-09 17:42:54 +08:00
|
|
|
class Sandbox
|
2019-04-19 15:38:03 +09:00
|
|
|
SANDBOX_EXEC = "/usr/bin/sandbox-exec"
|
2020-08-19 07:02:01 +02:00
|
|
|
private_constant :SANDBOX_EXEC
|
2015-04-09 17:42:54 +08:00
|
|
|
|
2020-10-20 12:03:48 +02:00
|
|
|
sig { returns(T::Boolean) }
|
2015-04-09 17:42:54 +08:00
|
|
|
def self.available?
|
2022-11-20 14:27:28 -08:00
|
|
|
false
|
2015-04-09 17:42:54 +08:00
|
|
|
end
|
|
|
|
|
|
2020-10-20 12:03:48 +02:00
|
|
|
sig { void }
|
2015-04-13 18:05:15 +08:00
|
|
|
def initialize
|
2024-04-24 20:36:57 -04:00
|
|
|
@profile = T.let(SandboxProfile.new, SandboxProfile)
|
|
|
|
|
@failed = T.let(false, T::Boolean)
|
2015-04-13 18:05:15 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(file: T.any(String, Pathname)).void }
|
2015-04-16 21:41:59 +08:00
|
|
|
def record_log(file)
|
2024-04-24 20:36:57 -04:00
|
|
|
@logfile = T.let(file, T.nilable(T.any(String, Pathname)))
|
2015-04-16 21:41:59 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(allow: T::Boolean, operation: String, filter: T.nilable(String), modifier: T.nilable(String)).void }
|
|
|
|
|
def add_rule(allow:, operation:, filter: nil, modifier: nil)
|
|
|
|
|
rule = SandboxRule.new(allow:, operation:, filter:, modifier:)
|
2015-04-13 18:05:15 +08:00
|
|
|
@profile.add_rule(rule)
|
2015-04-09 17:42:54 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(path: T.any(String, Pathname), type: Symbol).void }
|
|
|
|
|
def allow_write(path:, type: :literal)
|
|
|
|
|
add_rule allow: true, operation: "file-write*", filter: path_filter(path, type)
|
|
|
|
|
add_rule allow: true, operation: "file-write-setugid", filter: path_filter(path, type)
|
2024-07-13 15:58:41 -04:00
|
|
|
add_rule allow: true, operation: "file-write-mode", filter: path_filter(path, type)
|
2015-04-13 18:05:15 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(path: T.any(String, Pathname), type: Symbol).void }
|
|
|
|
|
def deny_write(path:, type: :literal)
|
|
|
|
|
add_rule allow: false, operation: "file-write*", filter: path_filter(path, type)
|
2015-04-13 18:05:15 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(path: T.any(String, Pathname)).void }
|
2015-04-13 18:05:15 +08:00
|
|
|
def allow_write_path(path)
|
2024-04-24 20:36:57 -04:00
|
|
|
allow_write path:, type: :subpath
|
2015-04-13 18:05:15 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(path: T.any(String, Pathname)).void }
|
2015-04-13 18:05:15 +08:00
|
|
|
def deny_write_path(path)
|
2024-04-24 20:36:57 -04:00
|
|
|
deny_write path:, type: :subpath
|
2015-04-13 18:05:15 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { void }
|
2015-04-13 18:05:15 +08:00
|
|
|
def allow_write_temp_and_cache
|
|
|
|
|
allow_write_path "/private/tmp"
|
2015-08-25 17:34:52 +01:00
|
|
|
allow_write_path "/private/var/tmp"
|
2024-04-24 20:36:57 -04:00
|
|
|
allow_write path: "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
|
2015-04-13 18:05:15 +08:00
|
|
|
allow_write_path HOMEBREW_TEMP
|
|
|
|
|
allow_write_path HOMEBREW_CACHE
|
|
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { void }
|
2018-07-01 23:35:29 +02:00
|
|
|
def allow_cvs
|
2020-11-23 17:31:17 +01:00
|
|
|
allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.cvspass"
|
2018-07-01 23:35:29 +02:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { void }
|
2018-07-01 23:35:29 +02:00
|
|
|
def allow_fossil
|
2020-11-23 17:31:17 +01:00
|
|
|
allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil"
|
|
|
|
|
allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil-journal"
|
2018-07-01 23:35:29 +02:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(formula: Formula).void }
|
2015-04-13 18:05:15 +08:00
|
|
|
def allow_write_cellar(formula)
|
|
|
|
|
allow_write_path formula.rack
|
|
|
|
|
allow_write_path formula.etc
|
|
|
|
|
allow_write_path formula.var
|
|
|
|
|
end
|
|
|
|
|
|
2015-08-25 17:34:52 +01:00
|
|
|
# Xcode projects expect access to certain cache/archive dirs.
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { void }
|
2015-08-25 17:34:52 +01:00
|
|
|
def allow_write_xcode
|
2020-11-23 17:31:17 +01:00
|
|
|
allow_write_path "#{Dir.home(ENV.fetch("USER"))}/Library/Developer"
|
2024-01-12 15:37:24 +01:00
|
|
|
allow_write_path "#{Dir.home(ENV.fetch("USER"))}/Library/Caches/org.swift.swiftpm"
|
2015-08-25 17:34:52 +01:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(formula: Formula).void }
|
2015-04-13 18:05:15 +08:00
|
|
|
def allow_write_log(formula)
|
2015-04-25 22:07:06 -04:00
|
|
|
allow_write_path formula.logs
|
2015-04-09 17:42:54 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { void }
|
2016-09-23 08:26:49 +01:00
|
|
|
def deny_write_homebrew_repository
|
2024-04-24 20:36:57 -04:00
|
|
|
deny_write path: HOMEBREW_BREW_FILE
|
2020-11-09 20:09:16 +11:00
|
|
|
if HOMEBREW_PREFIX.to_s == HOMEBREW_REPOSITORY.to_s
|
2016-09-23 08:26:49 +01:00
|
|
|
deny_write_path HOMEBREW_LIBRARY
|
|
|
|
|
deny_write_path HOMEBREW_REPOSITORY/".git"
|
2020-11-09 20:09:16 +11:00
|
|
|
else
|
|
|
|
|
deny_write_path HOMEBREW_REPOSITORY
|
2016-09-23 08:26:49 +01:00
|
|
|
end
|
2015-04-23 12:33:54 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-13 00:21:34 -04:00
|
|
|
sig { params(path: T.any(String, Pathname), type: Symbol).void }
|
|
|
|
|
def allow_network(path:, type: :literal)
|
|
|
|
|
add_rule allow: true, operation: "network*", filter: path_filter(path, type)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
sig { params(path: T.any(String, Pathname), type: Symbol).void }
|
|
|
|
|
def deny_network(path:, type: :literal)
|
|
|
|
|
add_rule allow: false, operation: "network*", filter: path_filter(path, type)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
sig { void }
|
|
|
|
|
def allow_all_network
|
|
|
|
|
add_rule allow: true, operation: "network*"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
sig { void }
|
|
|
|
|
def deny_all_network
|
|
|
|
|
add_rule allow: false, operation: "network*"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
sig { params(path: T.any(String, Pathname)).void }
|
|
|
|
|
def deny_all_network_except_pipe(path)
|
|
|
|
|
deny_all_network
|
|
|
|
|
allow_network path:, type: :literal
|
|
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(args: T.any(String, Pathname)).void }
|
2015-04-09 17:42:54 +08:00
|
|
|
def exec(*args)
|
2015-08-03 13:09:07 +01:00
|
|
|
seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
|
|
|
|
|
seatbelt.write(@profile.dump)
|
|
|
|
|
seatbelt.close
|
2024-04-24 20:36:57 -04:00
|
|
|
@start = T.let(Time.now, T.nilable(Time))
|
2020-11-23 17:31:17 +01:00
|
|
|
|
|
|
|
|
begin
|
2021-08-24 14:29:17 +01:00
|
|
|
command = [SANDBOX_EXEC, "-f", seatbelt.path, *args]
|
2021-08-24 14:46:00 +01:00
|
|
|
# Start sandbox in a pseudoterminal to prevent access of the parent terminal.
|
2023-04-03 17:34:39 -07:00
|
|
|
PTY.spawn(*command) do |r, w, pid|
|
2021-09-07 09:44:58 -07:00
|
|
|
# Set the PTY's window size to match the parent terminal.
|
|
|
|
|
# Some formula tests are sensitive to the terminal size and fail if this is not set.
|
|
|
|
|
winch = proc do |_sig|
|
|
|
|
|
w.winsize = if $stdout.tty?
|
|
|
|
|
# We can only use IO#winsize if the IO object is a TTY.
|
|
|
|
|
$stdout.winsize
|
|
|
|
|
else
|
|
|
|
|
# Otherwise, default to tput, if available.
|
|
|
|
|
# This relies on ncurses rather than the system's ioctl.
|
|
|
|
|
[Utils.popen_read("tput", "lines").to_i, Utils.popen_read("tput", "cols").to_i]
|
2021-09-01 16:06:07 +01:00
|
|
|
end
|
2021-09-07 09:44:58 -07:00
|
|
|
end
|
2021-08-25 19:56:12 +01:00
|
|
|
|
2021-09-07 09:44:58 -07:00
|
|
|
write_to_pty = proc do
|
2022-01-25 16:22:00 +00:00
|
|
|
# Don't hang if stdin is not able to be used - throw EIO instead.
|
|
|
|
|
old_ttin = trap(:TTIN, "IGNORE")
|
|
|
|
|
|
2021-09-07 11:15:06 -07:00
|
|
|
# Update the window size whenever the parent terminal's window size changes.
|
|
|
|
|
old_winch = trap(:WINCH, &winch)
|
|
|
|
|
winch.call(nil)
|
2021-09-06 22:27:43 -07:00
|
|
|
|
2022-01-25 16:22:00 +00:00
|
|
|
stdin_thread = Thread.new do
|
|
|
|
|
IO.copy_stream($stdin, w)
|
|
|
|
|
rescue Errno::EIO
|
|
|
|
|
# stdin is unavailable - move on.
|
|
|
|
|
end
|
2021-08-25 19:56:12 +01:00
|
|
|
|
2021-09-07 11:15:06 -07:00
|
|
|
r.each_char { |c| print(c) }
|
2021-08-25 19:56:12 +01:00
|
|
|
|
2021-09-07 11:15:06 -07:00
|
|
|
Process.wait(pid)
|
|
|
|
|
ensure
|
|
|
|
|
stdin_thread&.kill
|
2022-01-25 16:22:00 +00:00
|
|
|
trap(:TTIN, old_ttin)
|
2021-09-07 11:15:06 -07:00
|
|
|
trap(:WINCH, old_winch)
|
2021-09-07 09:44:58 -07:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if $stdin.tty?
|
2021-09-07 19:49:01 -07:00
|
|
|
# If stdin is a TTY, use io.raw to set stdin to a raw, passthrough
|
|
|
|
|
# mode while we copy the input/output of the process spawned in the
|
|
|
|
|
# PTY. After we've finished copying to/from the PTY process, io.raw
|
|
|
|
|
# will restore the stdin TTY to its original state.
|
2022-01-25 16:22:00 +00:00
|
|
|
begin
|
|
|
|
|
# Ignore SIGTTOU as setting raw mode will hang if the process is in the background.
|
|
|
|
|
old_ttou = trap(:TTOU, "IGNORE")
|
|
|
|
|
$stdin.raw(&write_to_pty)
|
|
|
|
|
ensure
|
|
|
|
|
trap(:TTOU, old_ttou)
|
|
|
|
|
end
|
2021-09-06 22:27:43 -07:00
|
|
|
else
|
|
|
|
|
write_to_pty.call
|
|
|
|
|
end
|
2021-08-24 14:29:17 +01:00
|
|
|
end
|
|
|
|
|
raise ErrorDuringExecution.new(command, status: $CHILD_STATUS) unless $CHILD_STATUS.success?
|
2020-11-23 17:31:17 +01:00
|
|
|
rescue
|
|
|
|
|
@failed = true
|
|
|
|
|
raise
|
|
|
|
|
ensure
|
|
|
|
|
seatbelt.unlink
|
|
|
|
|
sleep 0.1 # wait for a bit to let syslog catch up the latest events.
|
2021-08-13 13:49:52 +01:00
|
|
|
syslog_args = [
|
|
|
|
|
"-F", "$((Time)(local)) $(Sender)[$(PID)]: $(Message)",
|
|
|
|
|
"-k", "Time", "ge", @start.to_i.to_s,
|
|
|
|
|
"-k", "Message", "S", "deny",
|
|
|
|
|
"-k", "Sender", "kernel",
|
|
|
|
|
"-o",
|
|
|
|
|
"-k", "Time", "ge", @start.to_i.to_s,
|
|
|
|
|
"-k", "Message", "S", "deny",
|
|
|
|
|
"-k", "Sender", "sandboxd"
|
2020-11-23 17:31:17 +01:00
|
|
|
]
|
|
|
|
|
logs = Utils.popen_read("syslog", *syslog_args)
|
|
|
|
|
|
|
|
|
|
# These messages are confusing and non-fatal, so don't report them.
|
2023-12-27 13:00:48 -08:00
|
|
|
logs = logs.lines.grep_v(/^.*Python\(\d+\) deny file-write.*pyc$/).join
|
2020-11-23 17:31:17 +01:00
|
|
|
|
|
|
|
|
unless logs.empty?
|
|
|
|
|
if @logfile
|
|
|
|
|
File.open(@logfile, "w") do |log|
|
|
|
|
|
log.write logs
|
|
|
|
|
log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
|
|
|
|
|
end
|
2018-03-07 16:14:55 +00:00
|
|
|
end
|
2015-08-28 17:30:14 +08:00
|
|
|
|
2020-11-23 17:31:17 +01:00
|
|
|
if @failed && Homebrew::EnvConfig.verbose?
|
2020-07-29 17:31:11 -04:00
|
|
|
ohai "Sandbox Log", logs
|
2020-11-23 17:31:17 +01:00
|
|
|
$stdout.flush # without it, brew test-bot would fail to catch the log
|
|
|
|
|
end
|
2015-08-28 17:30:14 +08:00
|
|
|
end
|
2015-04-09 17:42:54 +08:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2024-07-13 14:39:53 -04:00
|
|
|
# @api private
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(path: T.any(String, Pathname), type: Symbol).returns(String) }
|
2015-04-13 18:05:15 +08:00
|
|
|
def path_filter(path, type)
|
2024-07-31 12:10:51 -04:00
|
|
|
invalid_char = ['"', "'", "(", ")", "\n", "\\"].find do |c|
|
2024-07-13 14:39:53 -04:00
|
|
|
path.to_s.include?(c)
|
|
|
|
|
end
|
|
|
|
|
raise ArgumentError, "Invalid character #{invalid_char} in path: #{path}" if invalid_char
|
|
|
|
|
|
2015-04-13 18:05:15 +08:00
|
|
|
case type
|
2024-04-24 20:36:57 -04:00
|
|
|
when :regex then "regex #\"#{path}\""
|
|
|
|
|
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
|
|
|
|
|
when :literal then "literal \"#{expand_realpath(Pathname.new(path))}\""
|
|
|
|
|
else raise ArgumentError, "Invalid path filter type: #{type}"
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2024-07-13 14:39:53 -04:00
|
|
|
private
|
|
|
|
|
|
|
|
|
|
sig { params(path: Pathname).returns(Pathname) }
|
|
|
|
|
def expand_realpath(path)
|
|
|
|
|
raise unless path.absolute?
|
|
|
|
|
|
|
|
|
|
path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
|
|
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
class SandboxRule
|
|
|
|
|
sig { returns(T::Boolean) }
|
|
|
|
|
attr_reader :allow
|
|
|
|
|
|
|
|
|
|
sig { returns(String) }
|
|
|
|
|
attr_reader :operation
|
|
|
|
|
|
|
|
|
|
sig { returns(T.nilable(String)) }
|
|
|
|
|
attr_reader :filter
|
|
|
|
|
|
|
|
|
|
sig { returns(T.nilable(String)) }
|
|
|
|
|
attr_reader :modifier
|
|
|
|
|
|
|
|
|
|
sig { params(allow: T::Boolean, operation: String, filter: T.nilable(String), modifier: T.nilable(String)).void }
|
|
|
|
|
def initialize(allow:, operation:, filter:, modifier:)
|
|
|
|
|
@allow = allow
|
|
|
|
|
@operation = operation
|
|
|
|
|
@filter = filter
|
|
|
|
|
@modifier = modifier
|
2015-04-13 18:05:15 +08:00
|
|
|
end
|
|
|
|
|
end
|
2024-04-24 20:36:57 -04:00
|
|
|
private_constant :SandboxRule
|
2015-04-13 18:05:15 +08:00
|
|
|
|
2020-08-19 07:02:01 +02:00
|
|
|
# Configuration profile for a sandbox.
|
2015-04-09 17:42:54 +08:00
|
|
|
class SandboxProfile
|
2019-04-19 15:38:03 +09:00
|
|
|
SEATBELT_ERB = <<~ERB
|
2015-04-09 17:42:54 +08:00
|
|
|
(version 1)
|
|
|
|
|
(debug deny) ; log all denied operations to /var/log/system.log
|
|
|
|
|
<%= rules.join("\n") %>
|
|
|
|
|
(allow file-write*
|
2015-05-10 17:39:53 +08:00
|
|
|
(literal "/dev/ptmx")
|
2015-04-09 17:42:54 +08:00
|
|
|
(literal "/dev/dtracehelper")
|
|
|
|
|
(literal "/dev/null")
|
2017-07-11 01:47:36 -07:00
|
|
|
(literal "/dev/random")
|
2015-08-27 21:25:27 -07:00
|
|
|
(literal "/dev/zero")
|
2015-05-10 17:39:53 +08:00
|
|
|
(regex #"^/dev/fd/[0-9]+$")
|
2019-10-07 14:51:33 +01:00
|
|
|
(regex #"^/dev/tty[a-z0-9]*$")
|
2015-04-09 17:42:54 +08:00
|
|
|
)
|
2020-06-06 19:12:12 +01:00
|
|
|
(deny file-write*) ; deny non-allowlist file write operations
|
2024-07-13 16:28:17 -04:00
|
|
|
(deny file-write-setugid) ; deny non-allowlist file write SUID/SGID operations
|
2024-07-13 15:23:39 -04:00
|
|
|
(deny file-write-mode) ; deny non-allowlist file write mode operations
|
2015-09-15 11:46:56 +08:00
|
|
|
(allow process-exec
|
|
|
|
|
(literal "/bin/ps")
|
|
|
|
|
(with no-sandbox)
|
|
|
|
|
) ; allow certain processes running without sandbox
|
2015-04-09 17:42:54 +08:00
|
|
|
(allow default) ; allow everything else
|
2018-07-11 15:17:40 +02:00
|
|
|
ERB
|
2015-04-09 17:42:54 +08:00
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { returns(T::Array[String]) }
|
2015-04-09 17:42:54 +08:00
|
|
|
attr_reader :rules
|
|
|
|
|
|
2020-10-20 12:03:48 +02:00
|
|
|
sig { void }
|
2015-04-09 17:42:54 +08:00
|
|
|
def initialize
|
2024-04-24 20:36:57 -04:00
|
|
|
@rules = T.let([], T::Array[String])
|
2015-04-09 17:42:54 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { params(rule: SandboxRule).void }
|
2015-04-09 17:42:54 +08:00
|
|
|
def add_rule(rule)
|
2019-04-18 17:33:02 +09:00
|
|
|
s = +"("
|
2024-04-24 20:36:57 -04:00
|
|
|
s << (rule.allow ? "allow" : "deny")
|
|
|
|
|
s << " #{rule.operation}"
|
|
|
|
|
s << " (#{rule.filter})" if rule.filter
|
|
|
|
|
s << " (with #{rule.modifier})" if rule.modifier
|
2015-04-09 17:42:54 +08:00
|
|
|
s << ")"
|
2019-04-18 17:33:02 +09:00
|
|
|
@rules << s.freeze
|
2015-04-09 17:42:54 +08:00
|
|
|
end
|
|
|
|
|
|
2024-04-24 20:36:57 -04:00
|
|
|
sig { returns(String) }
|
2015-04-09 17:42:54 +08:00
|
|
|
def dump
|
|
|
|
|
ERB.new(SEATBELT_ERB).result(binding)
|
|
|
|
|
end
|
|
|
|
|
end
|
2020-08-19 07:02:01 +02:00
|
|
|
private_constant :SandboxProfile
|
2015-04-09 17:42:54 +08:00
|
|
|
end
|
2022-11-20 14:27:28 -08:00
|
|
|
|
|
|
|
|
require "extend/os/sandbox"
|
