brew/Library/Homebrew/sandbox.rb

require "erb"
require "tempfile"

class Sandbox
  SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze

  def self.available?
    OS.mac? && File.executable?(SANDBOX_EXEC)
  end

  def self.formula?(_formula)
    return false unless available?

    !ARGV.no_sandbox?
  end

  def self.test?
    return false unless available?

    !ARGV.no_sandbox?
  end

  def initialize
    @profile = SandboxProfile.new
  end

  def record_log(file)
    @logfile = file
  end

  def add_rule(rule)
    @profile.add_rule(rule)
  end

  def allow_write(path, options = {})
    add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])
  end

  def deny_write(path, options = {})
    add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])
  end

  def allow_write_path(path)
    allow_write path, type: :subpath
  end

  def deny_write_path(path)
    deny_write path, type: :subpath
  end

  def allow_write_temp_and_cache
    allow_write_path "/private/tmp"
    allow_write_path "/private/var/tmp"
    allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
    allow_write_path HOMEBREW_TEMP
    allow_write_path HOMEBREW_CACHE
  end

  def allow_cvs
    allow_write_path "/Users/#{ENV["USER"]}/.cvspass"
  end

  def allow_fossil
    allow_write_path "/Users/#{ENV["USER"]}/.fossil"
    allow_write_path "/Users/#{ENV["USER"]}/.fossil-journal"
  end

  def allow_write_cellar(formula)
    allow_write_path formula.rack
    allow_write_path formula.etc
    allow_write_path formula.var
  end

  # Xcode projects expect access to certain cache/archive dirs.
  def allow_write_xcode
    allow_write_path "/Users/#{ENV["USER"]}/Library/Developer"
  end

  def allow_write_log(formula)
    allow_write_path formula.logs
  end

  def deny_write_homebrew_repository
    deny_write HOMEBREW_BREW_FILE
    if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
      deny_write_path HOMEBREW_REPOSITORY
    else
      deny_write_path HOMEBREW_LIBRARY
      deny_write_path HOMEBREW_REPOSITORY/".git"
    end
  end

  def exec(*args)
    seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
    seatbelt.write(@profile.dump)
    seatbelt.close
    @start = Time.now
    safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
  rescue
    @failed = true
    raise
  ensure
    seatbelt.unlink
    sleep 0.1 # wait for a bit to let syslog catch up the latest events.
    syslog_args = %W[
      -F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)
      -k Time ge #{@start.to_i}
      -k Message S deny
      -k Sender kernel
      -o
      -k Time ge #{@start.to_i}
      -k Message S deny
      -k Sender sandboxd
    ]
    logs = Utils.popen_read("syslog", *syslog_args)

    # These messages are confusing and non-fatal, so don't report them.
    logs = logs.lines.reject { |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join

    unless logs.empty?
      if @logfile
        File.open(@logfile, "w") do |log|
          log.write logs
          log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
        end
      end

      if @failed && ARGV.verbose?
        ohai "Sandbox log"
        puts logs
        $stdout.flush # without it, brew test-bot would fail to catch the log
      end
    end
  end

  private

  def expand_realpath(path)
    raise unless path.absolute?

    path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
  end

  def path_filter(path, type)
    case type
    when :regex        then "regex \#\"#{path}\""
    when :subpath      then "subpath \"#{expand_realpath(Pathname.new(path))}\""
    when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""
    end
  end

  class SandboxProfile
    SEATBELT_ERB = <<~ERB.freeze
      (version 1)
      (debug deny) ; log all denied operations to /var/log/system.log
      <%= rules.join("\n") %>
      (allow file-write*
          (literal "/dev/ptmx")
          (literal "/dev/dtracehelper")
          (literal "/dev/null")
          (literal "/dev/random")
          (literal "/dev/zero")
          (regex #"^/dev/fd/[0-9]+$")
          (regex #"^/dev/ttys?[0-9]*$")
          )
      (deny file-write*) ; deny non-whitelist file write operations
      (allow process-exec
          (literal "/bin/ps")
          (with no-sandbox)
          ) ; allow certain processes running without sandbox
      (allow default) ; allow everything else
    ERB

    attr_reader :rules

    def initialize
      @rules = []
    end

    def add_rule(rule)
      s = "("
      s << (rule[:allow] ? "allow" : "deny")
      s << " #{rule[:operation]}"
      s << " (#{rule[:filter]})" if rule[:filter]
      s << " (with #{rule[:modifier]})" if rule[:modifier]
      s << ")"
      @rules << s
    end

    def dump
      ERB.new(SEATBELT_ERB).result(binding)
    end
  end
end
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`require "erb"`
			`require "tempfile"`

			`class Sandbox`
			`SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze`

			`def self.available?`
Deprecate macOS versions below Mavericks And remove all dead/unneeded code. 2019-01-26 17:13:14 +00:00			`OS.mac? && File.executable?(SANDBOX_EXEC)`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

sandbox: sandbox all taps by default. We've been doing this in `brew test-bot`, for our CI and for homebrew/core long enough that this is a reasonable default that provides more protection to our users of non-homebrew/core taps. 2017-07-14 17:00:06 +01:00			`def self.formula?(_formula)`
sandbox: add formula? method and sandbox core. Add a new `Sandbox.formula?` method to see if a given formula should be sandboxed. Use the formula to check its tap against a list of pre-approved taps where we know every formula builds under the sandbox (currently just homebrew/core). 2016-08-14 17:34:54 +01:00			`return false unless available?`
Update to RuboCop 0.59.1. 2018-09-17 02:45:00 +02:00
sandbox: sandbox all taps by default. We've been doing this in `brew test-bot`, for our CI and for homebrew/core long enough that this is a reasonable default that provides more protection to our users of non-homebrew/core taps. 2017-07-14 17:00:06 +01:00			`!ARGV.no_sandbox?`
sandbox: add formula? method and sandbox core. Add a new `Sandbox.formula?` method to see if a given formula should be sandboxed. Use the formula to check its tap against a list of pre-approved taps where we know every formula builds under the sandbox (currently just homebrew/core). 2016-08-14 17:34:54 +01:00			`end`

sandbox: add test? method. Simplify checking if we’re going to sandbox a test with `Sandbox.test?`. 2016-08-14 17:33:05 +01:00			`def self.test?`
			`return false unless available?`
Update to RuboCop 0.59.1. 2018-09-17 02:45:00 +02:00
sandbox: add test? method. Simplify checking if we’re going to sandbox a test with `Sandbox.test?`. 2016-08-14 17:33:05 +01:00			`!ARGV.no_sandbox?`
			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def initialize`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`@profile = SandboxProfile.new`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

sandbox: record log Closes Homebrew/homebrew#38711. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-16 21:41:59 +08:00			`def record_log(file)`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`@logfile = file`
sandbox: record log Closes Homebrew/homebrew#38711. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-16 21:41:59 +08:00			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def add_rule(rule)`
			`@profile.add_rule(rule)`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`def allow_write(path, options = {})`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`def deny_write(path, options = {})`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

			`def allow_write_path(path)`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`allow_write path, type: :subpath`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

			`def deny_write_path(path)`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`deny_write path, type: :subpath`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

			`def allow_write_temp_and_cache`
			`allow_write_path "/private/tmp"`
sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`allow_write_path "/private/var/tmp"`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`allow_write_path HOMEBREW_TEMP`
			`allow_write_path HOMEBREW_CACHE`
			`end`

Separate staging from download. 2018-07-01 23:35:29 +02:00			`def allow_cvs`
			`allow_write_path "/Users/#{ENV["USER"]}/.cvspass"`
			`end`

			`def allow_fossil`
			`allow_write_path "/Users/#{ENV["USER"]}/.fossil"`
			`allow_write_path "/Users/#{ENV["USER"]}/.fossil-journal"`
			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def allow_write_cellar(formula)`
			`allow_write_path formula.rack`
			`allow_write_path formula.etc`
			`allow_write_path formula.var`
			`end`

sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`# Xcode projects expect access to certain cache/archive dirs.`
			`def allow_write_xcode`
sandbox: loosen restriction around Xcode caching It doesn't really need to be as tight as it is currently, certainly outside brew you can write to here without any special privileges beside being the user, and being so can tight can cause issues on clean systems or systems where Xcode hasn't been used before as exposed by https://github.com/Homebrew/homebrew-core/issues/4892. Closes https://github.com/Homebrew/homebrew-core/issues/4892. 2016-09-22 05:11:41 +01:00			`allow_write_path "/Users/#{ENV["USER"]}/Library/Developer"`
sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def allow_write_log(formula)`
Add Formula#logs 2015-04-25 22:07:06 -04:00			`allow_write_path formula.logs`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

sandbox: tweak HOMEBREW_REPOSITORY handling. If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`. 2016-09-23 08:26:49 +01:00			`def deny_write_homebrew_repository`
sandbox: add deny_write_homebrew_library method 2015-04-23 12:33:54 +08:00			`deny_write HOMEBREW_BREW_FILE`
sandbox: tweak HOMEBREW_REPOSITORY handling. If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`. 2016-09-23 08:26:49 +01:00			`if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s`
			`deny_write_path HOMEBREW_REPOSITORY`
			`else`
			`deny_write_path HOMEBREW_LIBRARY`
			`deny_write_path HOMEBREW_REPOSITORY/".git"`
			`end`
sandbox: add deny_write_homebrew_library method 2015-04-23 12:33:54 +08:00			`end`

preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`def exec(*args)`
Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)`
			`seatbelt.write(@profile.dump)`
			`seatbelt.close`
			`@start = Time.now`
			`safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args`
			`rescue`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`@failed = true`
Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`raise`
			`ensure`
			`seatbelt.unlink`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`sleep 0.1 # wait for a bit to let syslog catch up the latest events.`
			`syslog_args = %W[`
			`-F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)`
			`-k Time ge #{@start.to_i}`
			`-k Message S deny`
			`-k Sender kernel`
			`-o`
			`-k Time ge #{@start.to_i}`
			`-k Message S deny`
			`-k Sender sandboxd`
			`]`
			`logs = Utils.popen_read("syslog", *syslog_args)`
Don't report .pyc file writes in sandbox logs These are never fatal and often confusing. Fixes #683. 2016-08-11 00:22:18 -07:00
			`# These messages are confusing and non-fatal, so don't report them.`
rubocop --auto-correct all remaining files. But remove some manual `.freeze`s on constants that shouldn't be constants. 2016-09-17 15:17:27 +01:00			`logs = logs.lines.reject { \|l\| l.match(/^.Python\(\d+\) deny file-write.pyc$/) }.join`
Don't report .pyc file writes in sandbox logs These are never fatal and often confusing. Fixes #683. 2016-08-11 00:22:18 -07:00
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`unless logs.empty?`
			`if @logfile`
RuboCop 0.53.0 manual fixes. 2018-03-07 16:14:55 +00:00			`File.open(@logfile, "w") do \|log\|`
			`log.write logs`
			`log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"`
			`end`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`end`

			`if @failed && ARGV.verbose?`
			`ohai "Sandbox log"`
			`puts logs`
sandbox: fix log problem for brew test-bot 2015-08-29 18:59:08 +08:00			`$stdout.flush # without it, brew test-bot would fail to catch the log`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`end`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`
			`end`

			`private`

			`def expand_realpath(path)`
			`raise unless path.absolute?`
Update to RuboCop 0.59.1. 2018-09-17 02:45:00 +02:00
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename`
			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def path_filter(path, type)`
			`case type`
			`when :regex then "regex \#\"#{path}\""`
			`when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""`
			`when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""`
			`end`
			`end`

preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`class SandboxProfile`
Use more descriptive heredoc names. 2018-07-11 15:17:40 +02:00			`SEATBELT_ERB = <<~ERB.freeze`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(version 1)`
			`(debug deny) ; log all denied operations to /var/log/system.log`
			`<%= rules.join("\n") %>`
			`(allow file-write*`
sandbox: fix the rules 1. `script` (used to fake the tty) requires write access to /dev/ptmx and /dev/ttys* 2. sandbox profile only accepts `[0-9]` instead of `\d`. 2015-05-10 17:39:53 +08:00			`(literal "/dev/ptmx")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(literal "/dev/dtracehelper")`
			`(literal "/dev/null")`
sandbox: allow write access to /dev/random This avoids build failure for `root6`. MacPorts currently avoids the failure with a patch, as their sandbox doesn't yet allow write access to `/dev/random` either: https://github.com/macports/macports-ports/blob/7792b2c5655f9d2adb979434a242cc3ac60fea40/science/root6/Portfile#L73-L75 https://github.com/macports/macports-ports/blob/7792b2c5655f9d2adb979434a242cc3ac60fea40/science/root6/files/patch-disable-hsimple-macro.diff The relevant code where `/dev/random` is opened with `O_WRONLY` is here: https://github.com/root-project/root/blob/15673deba5a0cb73d90ae8f36d7b010f65b5e96e/interpreter/cling/lib/Utils/PlatformPosix.cpp#L63-L82 2017-07-11 01:47:36 -07:00			`(literal "/dev/random")`
sandbox: allow writing to /dev/zero Closes Homebrew/homebrew#43344. 2015-08-27 21:25:27 -07:00			`(literal "/dev/zero")`
sandbox: fix the rules 1. `script` (used to fake the tty) requires write access to /dev/ptmx and /dev/ttys* 2. sandbox profile only accepts `[0-9]` instead of `\d`. 2015-05-10 17:39:53 +08:00			`(regex #"^/dev/fd/[0-9]+$")`
			`(regex #"^/dev/ttys?[0-9]*$")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`)`
			`(deny file-write*) ; deny non-whitelist file write operations`
sandbox: allow certain processes running without sandbox 2015-09-15 11:46:56 +08:00			`(allow process-exec`
			`(literal "/bin/ps")`
			`(with no-sandbox)`
			`) ; allow certain processes running without sandbox`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(allow default) ; allow everything else`
Use more descriptive heredoc names. 2018-07-11 15:17:40 +02:00			`ERB`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00
			`attr_reader :rules`

			`def initialize`
			`@rules = []`
			`end`

			`def add_rule(rule)`
			`s = "("`
Rubocop: automatic rule fixes. 2017-09-24 19:24:46 +01:00			`s << (rule[:allow] ? "allow" : "deny")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`s << " #{rule[:operation]}"`
			`s << " (#{rule[:filter]})" if rule[:filter]`
			`s << " (with #{rule[:modifier]})" if rule[:modifier]`
			`s << ")"`
			`@rules << s`
			`end`

			`def dump`
			`ERB.new(SEATBELT_ERB).result(binding)`
			`end`
			`end`
			`end`