brew/Library/Homebrew/sandbox.rb

# typed: true
# frozen_string_literal: true

require "erb"
require "io/console"
require "pty"
require "tempfile"

# Helper class for running a sub-process inside of a sandboxed environment.
#
# @api private
class Sandbox
  extend T::Sig

  SANDBOX_EXEC = "/usr/bin/sandbox-exec"
  private_constant :SANDBOX_EXEC

  sig { returns(T::Boolean) }
  def self.available?
    OS.mac? && File.executable?(SANDBOX_EXEC)
  end

  sig { void }
  def initialize
    @profile = SandboxProfile.new
  end

  def record_log(file)
    @logfile = file
  end

  def add_rule(rule)
    @profile.add_rule(rule)
  end

  def allow_write(path, options = {})
    add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])
  end

  def deny_write(path, options = {})
    add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])
  end

  def allow_write_path(path)
    allow_write path, type: :subpath
  end

  def deny_write_path(path)
    deny_write path, type: :subpath
  end

  def allow_write_temp_and_cache
    allow_write_path "/private/tmp"
    allow_write_path "/private/var/tmp"
    allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
    allow_write_path HOMEBREW_TEMP
    allow_write_path HOMEBREW_CACHE
  end

  def allow_cvs
    allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.cvspass"
  end

  def allow_fossil
    allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil"
    allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil-journal"
  end

  def allow_write_cellar(formula)
    allow_write_path formula.rack
    allow_write_path formula.etc
    allow_write_path formula.var
  end

  # Xcode projects expect access to certain cache/archive dirs.
  def allow_write_xcode
    allow_write_path "#{Dir.home(ENV.fetch("USER"))}/Library/Developer"
  end

  def allow_write_log(formula)
    allow_write_path formula.logs
  end

  def deny_write_homebrew_repository
    deny_write HOMEBREW_BREW_FILE
    if HOMEBREW_PREFIX.to_s == HOMEBREW_REPOSITORY.to_s
      deny_write_path HOMEBREW_LIBRARY
      deny_write_path HOMEBREW_REPOSITORY/".git"
    else
      deny_write_path HOMEBREW_REPOSITORY
    end
  end

  def exec(*args)
    seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
    seatbelt.write(@profile.dump)
    seatbelt.close
    @start = Time.now

    begin
      command = [SANDBOX_EXEC, "-f", seatbelt.path, *args]
      # Start sandbox in a pseudoterminal to prevent access of the parent terminal.
      T.unsafe(PTY).spawn(*command) do |r, w, pid|
        # Set the PTY's window size to match the parent terminal.
        # Some formula tests are sensitive to the terminal size and fail if this is not set.
        winch = proc do |_sig|
          w.winsize = if $stdout.tty?
            # We can only use IO#winsize if the IO object is a TTY.
            $stdout.winsize
          else
            # Otherwise, default to tput, if available.
            # This relies on ncurses rather than the system's ioctl.
            [Utils.popen_read("tput", "lines").to_i, Utils.popen_read("tput", "cols").to_i]
          end
        end

        write_to_pty = proc do
          begin
            # Update the window size whenever the parent terminal's window size changes.
            old_winch = trap(:WINCH, &winch)
            winch.call(nil)

            stdin_thread = Thread.new { IO.copy_stream($stdin, w) }

            r.each_char { |c| print(c) }

            Process.wait(pid)
          ensure
            stdin_thread&.kill
            trap(:WINCH, old_winch)
          end
        end

        if $stdin.tty?
          $stdin.raw(&write_to_pty)
        else
          write_to_pty.call
        end
      end
      raise ErrorDuringExecution.new(command, status: $CHILD_STATUS) unless $CHILD_STATUS.success?
    rescue
      @failed = true
      raise
    ensure
      seatbelt.unlink
      sleep 0.1 # wait for a bit to let syslog catch up the latest events.
      syslog_args = [
        "-F", "$((Time)(local)) $(Sender)[$(PID)]: $(Message)",
        "-k", "Time", "ge", @start.to_i.to_s,
        "-k", "Message", "S", "deny",
        "-k", "Sender", "kernel",
        "-o",
        "-k", "Time", "ge", @start.to_i.to_s,
        "-k", "Message", "S", "deny",
        "-k", "Sender", "sandboxd"
      ]
      logs = Utils.popen_read("syslog", *syslog_args)

      # These messages are confusing and non-fatal, so don't report them.
      logs = logs.lines.reject { |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join

      unless logs.empty?
        if @logfile
          File.open(@logfile, "w") do |log|
            log.write logs
            log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
          end
        end

        if @failed && Homebrew::EnvConfig.verbose?
          ohai "Sandbox Log", logs
          $stdout.flush # without it, brew test-bot would fail to catch the log
        end
      end
    end
  end

  private

  def expand_realpath(path)
    raise unless path.absolute?

    path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
  end

  def path_filter(path, type)
    case type
    when :regex        then "regex \#\"#{path}\""
    when :subpath      then "subpath \"#{expand_realpath(Pathname.new(path))}\""
    when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""
    end
  end

  # Configuration profile for a sandbox.
  class SandboxProfile
    extend T::Sig

    SEATBELT_ERB = <<~ERB
      (version 1)
      (debug deny) ; log all denied operations to /var/log/system.log
      <%= rules.join("\n") %>
      (allow file-write*
          (literal "/dev/ptmx")
          (literal "/dev/dtracehelper")
          (literal "/dev/null")
          (literal "/dev/random")
          (literal "/dev/zero")
          (regex #"^/dev/fd/[0-9]+$")
          (regex #"^/dev/tty[a-z0-9]*$")
          )
      (deny file-write*) ; deny non-allowlist file write operations
      (allow process-exec
          (literal "/bin/ps")
          (with no-sandbox)
          ) ; allow certain processes running without sandbox
      (allow default) ; allow everything else
    ERB

    attr_reader :rules

    sig { void }
    def initialize
      @rules = []
    end

    def add_rule(rule)
      s = +"("
      s << (rule[:allow] ? "allow" : "deny")
      s << " #{rule[:operation]}"
      s << " (#{rule[:filter]})" if rule[:filter]
      s << " (with #{rule[:modifier]})" if rule[:modifier]
      s << ")"
      @rules << s.freeze
    end

    def dump
      ERB.new(SEATBELT_ERB).result(binding)
    end
  end
  private_constant :SandboxProfile
end
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`# typed: true`
Add frozen_string_literal to all files. 2019-04-19 15:38:03 +09:00			`# frozen_string_literal: true`

preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`require "erb"`
sandbox: start sandbox in a pseudoterminal 2021-08-24 14:29:17 +01:00			`require "io/console"`
			`require "pty"`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`require "tempfile"`

Document `Sandbox`. 2020-08-19 07:02:01 +02:00			`# Helper class for running a sub-process inside of a sandboxed environment.`
			`#`
			`# @api private`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`class Sandbox`
Add more type signatures. 2020-10-20 12:03:48 +02:00			`extend T::Sig`

Add frozen_string_literal to all files. 2019-04-19 15:38:03 +09:00			`SANDBOX_EXEC = "/usr/bin/sandbox-exec"`
Document `Sandbox`. 2020-08-19 07:02:01 +02:00			`private_constant :SANDBOX_EXEC`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00
Add more type signatures. 2020-10-20 12:03:48 +02:00			`sig { returns(T::Boolean) }`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`def self.available?`
Deprecate macOS versions below Mavericks And remove all dead/unneeded code. 2019-01-26 17:13:14 +00:00			`OS.mac? && File.executable?(SANDBOX_EXEC)`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

Add more type signatures. 2020-10-20 12:03:48 +02:00			`sig { void }`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def initialize`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`@profile = SandboxProfile.new`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

sandbox: record log Closes Homebrew/homebrew#38711. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-16 21:41:59 +08:00			`def record_log(file)`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`@logfile = file`
sandbox: record log Closes Homebrew/homebrew#38711. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-16 21:41:59 +08:00			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def add_rule(rule)`
			`@profile.add_rule(rule)`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`def allow_write(path, options = {})`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`def deny_write(path, options = {})`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

			`def allow_write_path(path)`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`allow_write path, type: :subpath`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

			`def deny_write_path(path)`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`deny_write path, type: :subpath`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

			`def allow_write_temp_and_cache`
			`allow_write_path "/private/tmp"`
sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`allow_write_path "/private/var/tmp"`
rubocop --auto-correct all hash-rocket usage. 2016-09-17 15:32:44 +01:00			`allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`allow_write_path HOMEBREW_TEMP`
			`allow_write_path HOMEBREW_CACHE`
			`end`

Separate staging from download. 2018-07-01 23:35:29 +02:00			`def allow_cvs`
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.cvspass"`
Separate staging from download. 2018-07-01 23:35:29 +02:00			`end`

			`def allow_fossil`
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil"`
			`allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil-journal"`
Separate staging from download. 2018-07-01 23:35:29 +02:00			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def allow_write_cellar(formula)`
			`allow_write_path formula.rack`
			`allow_write_path formula.etc`
			`allow_write_path formula.var`
			`end`

sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`# Xcode projects expect access to certain cache/archive dirs.`
			`def allow_write_xcode`
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`allow_write_path "#{Dir.home(ENV.fetch("USER"))}/Library/Developer"`
sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def allow_write_log(formula)`
Add Formula#logs 2015-04-25 22:07:06 -04:00			`allow_write_path formula.logs`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

sandbox: tweak HOMEBREW_REPOSITORY handling. If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`. 2016-09-23 08:26:49 +01:00			`def deny_write_homebrew_repository`
sandbox: add deny_write_homebrew_library method 2015-04-23 12:33:54 +08:00			`deny_write HOMEBREW_BREW_FILE`
rubocop: fix Style/NegatedIfElseCondition 2020-11-09 20:09:16 +11:00			`if HOMEBREW_PREFIX.to_s == HOMEBREW_REPOSITORY.to_s`
sandbox: tweak HOMEBREW_REPOSITORY handling. If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`. 2016-09-23 08:26:49 +01:00			`deny_write_path HOMEBREW_LIBRARY`
			`deny_write_path HOMEBREW_REPOSITORY/".git"`
rubocop: fix Style/NegatedIfElseCondition 2020-11-09 20:09:16 +11:00			`else`
			`deny_write_path HOMEBREW_REPOSITORY`
sandbox: tweak HOMEBREW_REPOSITORY handling. If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`. 2016-09-23 08:26:49 +01:00			`end`
sandbox: add deny_write_homebrew_library method 2015-04-23 12:33:54 +08:00			`end`

preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`def exec(*args)`
Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)`
			`seatbelt.write(@profile.dump)`
			`seatbelt.close`
			`@start = Time.now`
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00
			`begin`
sandbox: start sandbox in a pseudoterminal 2021-08-24 14:29:17 +01:00			`command = [SANDBOX_EXEC, "-f", seatbelt.path, *args]`
sandbox: add comment. 2021-08-24 14:46:00 +01:00			`# Start sandbox in a pseudoterminal to prevent access of the parent terminal.`
sandbox: start sandbox in a pseudoterminal 2021-08-24 14:29:17 +01:00			`T.unsafe(PTY).spawn(*command) do \|r, w, pid\|`
Fix style 2021-09-07 09:44:58 -07:00			`# Set the PTY's window size to match the parent terminal.`
			`# Some formula tests are sensitive to the terminal size and fail if this is not set.`
			`winch = proc do \|_sig\|`
			`w.winsize = if $stdout.tty?`
			`# We can only use IO#winsize if the IO object is a TTY.`
			`$stdout.winsize`
			`else`
			`# Otherwise, default to tput, if available.`
			`# This relies on ncurses rather than the system's ioctl.`
			`[Utils.popen_read("tput", "lines").to_i, Utils.popen_read("tput", "cols").to_i]`
sandbox: fallback to tput for winsize 2021-09-01 16:06:07 +01:00			`end`
Fix style 2021-09-07 09:44:58 -07:00			`end`
sandbox: restore old WINCH trap 2021-08-25 19:56:12 +01:00
Fix style 2021-09-07 09:44:58 -07:00			`write_to_pty = proc do`
Use raw block to return tty to proper state 2021-09-06 22:27:43 -07:00			`begin`
			`# Update the window size whenever the parent terminal's window size changes.`
			`old_winch = trap(:WINCH, &winch)`
			`winch.call(nil)`

			`stdin_thread = Thread.new { IO.copy_stream($stdin, w) }`
sandbox: restore old WINCH trap 2021-08-25 19:56:12 +01:00
Use raw block to return tty to proper state 2021-09-06 22:27:43 -07:00			`r.each_char { \|c\| print(c) }`
sandbox: restore old WINCH trap 2021-08-25 19:56:12 +01:00
Use raw block to return tty to proper state 2021-09-06 22:27:43 -07:00			`Process.wait(pid)`
			`ensure`
			`stdin_thread&.kill`
			`trap(:WINCH, old_winch)`
			`end`
Fix style 2021-09-07 09:44:58 -07:00			`end`

			`if $stdin.tty?`
			`$stdin.raw(&write_to_pty)`
Use raw block to return tty to proper state 2021-09-06 22:27:43 -07:00			`else`
			`write_to_pty.call`
			`end`
sandbox: start sandbox in a pseudoterminal 2021-08-24 14:29:17 +01:00			`end`
			`raise ErrorDuringExecution.new(command, status: $CHILD_STATUS) unless $CHILD_STATUS.success?`
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`rescue`
			`@failed = true`
			`raise`
			`ensure`
			`seatbelt.unlink`
			`sleep 0.1 # wait for a bit to let syslog catch up the latest events.`
Fix `brew style` 2021-08-13 13:49:52 +01:00			`syslog_args = [`
			`"-F", "$((Time)(local)) $(Sender)[$(PID)]: $(Message)",`
			`"-k", "Time", "ge", @start.to_i.to_s,`
			`"-k", "Message", "S", "deny",`
			`"-k", "Sender", "kernel",`
			`"-o",`
			`"-k", "Time", "ge", @start.to_i.to_s,`
			`"-k", "Message", "S", "deny",`
			`"-k", "Sender", "sandboxd"`
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`]`
			`logs = Utils.popen_read("syslog", *syslog_args)`

			`# These messages are confusing and non-fatal, so don't report them.`
			`logs = logs.lines.reject { \|l\| l.match(/^.Python\(\d+\) deny file-write.pyc$/) }.join`

			`unless logs.empty?`
			`if @logfile`
			`File.open(@logfile, "w") do \|log\|`
			`log.write logs`
			`log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"`
			`end`
RuboCop 0.53.0 manual fixes. 2018-03-07 16:14:55 +00:00			`end`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`if @failed && Homebrew::EnvConfig.verbose?`
capitalization fixes "curl" is the binary, while "cURL" is the umbrella project. 2020-07-29 17:31:11 -04:00			`ohai "Sandbox Log", logs`
Fix type errors in `Sandbox`. 2020-11-23 17:31:17 +01:00			`$stdout.flush # without it, brew test-bot would fail to catch the log`
			`end`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`end`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`
			`end`

			`private`

			`def expand_realpath(path)`
			`raise unless path.absolute?`
Update to RuboCop 0.59.1. 2018-09-17 02:45:00 +02:00
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename`
			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def path_filter(path, type)`
			`case type`
			`when :regex then "regex \#\"#{path}\""`
			`when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""`
			`when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""`
			`end`
			`end`

Document `Sandbox`. 2020-08-19 07:02:01 +02:00			`# Configuration profile for a sandbox.`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`class SandboxProfile`
Add more type signatures. 2020-10-20 12:03:48 +02:00			`extend T::Sig`

Add frozen_string_literal to all files. 2019-04-19 15:38:03 +09:00			`SEATBELT_ERB = <<~ERB`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(version 1)`
			`(debug deny) ; log all denied operations to /var/log/system.log`
			`<%= rules.join("\n") %>`
			`(allow file-write*`
sandbox: fix the rules 1. `script` (used to fake the tty) requires write access to /dev/ptmx and /dev/ttys* 2. sandbox profile only accepts `[0-9]` instead of `\d`. 2015-05-10 17:39:53 +08:00			`(literal "/dev/ptmx")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(literal "/dev/dtracehelper")`
			`(literal "/dev/null")`
sandbox: allow write access to /dev/random This avoids build failure for `root6`. MacPorts currently avoids the failure with a patch, as their sandbox doesn't yet allow write access to `/dev/random` either: https://github.com/macports/macports-ports/blob/7792b2c5655f9d2adb979434a242cc3ac60fea40/science/root6/Portfile#L73-L75 https://github.com/macports/macports-ports/blob/7792b2c5655f9d2adb979434a242cc3ac60fea40/science/root6/files/patch-disable-hsimple-macro.diff The relevant code where `/dev/random` is opened with `O_WRONLY` is here: https://github.com/root-project/root/blob/15673deba5a0cb73d90ae8f36d7b010f65b5e96e/interpreter/cling/lib/Utils/PlatformPosix.cpp#L63-L82 2017-07-11 01:47:36 -07:00			`(literal "/dev/random")`
sandbox: allow writing to /dev/zero Closes Homebrew/homebrew#43344. 2015-08-27 21:25:27 -07:00			`(literal "/dev/zero")`
sandbox: fix the rules 1. `script` (used to fake the tty) requires write access to /dev/ptmx and /dev/ttys* 2. sandbox profile only accepts `[0-9]` instead of `\d`. 2015-05-10 17:39:53 +08:00			`(regex #"^/dev/fd/[0-9]+$")`
sandbox: allow more TTYs. This is needed on Catalina. Fixes #6546 2019-10-07 14:51:33 +01:00			`(regex #"^/dev/tty[a-z0-9]*$")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`)`
Change occurrences of "whitelist" to "allowlist" 2020-06-06 19:12:12 +01:00			`(deny file-write*) ; deny non-allowlist file write operations`
sandbox: allow certain processes running without sandbox 2015-09-15 11:46:56 +08:00			`(allow process-exec`
			`(literal "/bin/ps")`
			`(with no-sandbox)`
			`) ; allow certain processes running without sandbox`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(allow default) ; allow everything else`
Use more descriptive heredoc names. 2018-07-11 15:17:40 +02:00			`ERB`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00
			`attr_reader :rules`

Add more type signatures. 2020-10-20 12:03:48 +02:00			`sig { void }`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`def initialize`
			`@rules = []`
			`end`

			`def add_rule(rule)`
Enable/fix optional Ruby frozen string literal usage Combined with https://github.com/Homebrew/homebrew-test-bot/pull/247 this will test Homebrew's use of frozen strings in CI. After this we will then enable it for Homebrew developers and eventually all Homebrew users. 2019-04-18 17:33:02 +09:00			`s = +"("`
Rubocop: automatic rule fixes. 2017-09-24 19:24:46 +01:00			`s << (rule[:allow] ? "allow" : "deny")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`s << " #{rule[:operation]}"`
			`s << " (#{rule[:filter]})" if rule[:filter]`
			`s << " (with #{rule[:modifier]})" if rule[:modifier]`
			`s << ")"`
Enable/fix optional Ruby frozen string literal usage Combined with https://github.com/Homebrew/homebrew-test-bot/pull/247 this will test Homebrew's use of frozen strings in CI. After this we will then enable it for Homebrew developers and eventually all Homebrew users. 2019-04-18 17:33:02 +09:00			`@rules << s.freeze`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

			`def dump`
			`ERB.new(SEATBELT_ERB).result(binding)`
			`end`
			`end`
Document `Sandbox`. 2020-08-19 07:02:01 +02:00			`private_constant :SandboxProfile`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`