brew/Library/Homebrew/sandbox.rb

require "erb"
require "tempfile"

class Sandbox
  SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze

  def self.available?
    OS.mac? && File.executable?(SANDBOX_EXEC)
  end

  def self.test?
    return false unless available?
    !ARGV.no_sandbox?
  end

  def self.print_sandbox_message
    unless @printed_sandbox_message
      ohai "Using the sandbox"
      @printed_sandbox_message = true
    end
  end

  def initialize
    @profile = SandboxProfile.new
  end

  def record_log(file)
    @logfile = file
  end

  def add_rule(rule)
    @profile.add_rule(rule)
  end

  def allow_write(path, options = {})
    add_rule :allow => true, :operation => "file-write*", :filter => path_filter(path, options[:type])
  end

  def deny_write(path, options = {})
    add_rule :allow => false, :operation => "file-write*", :filter => path_filter(path, options[:type])
  end

  def allow_write_path(path)
    allow_write path, :type => :subpath
  end

  def deny_write_path(path)
    deny_write path, :type => :subpath
  end

  def allow_write_temp_and_cache
    allow_write_path "/private/tmp"
    allow_write_path "/private/var/tmp"
    allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", :type => :regex
    allow_write_path HOMEBREW_TEMP
    allow_write_path HOMEBREW_CACHE
  end

  def allow_write_cellar(formula)
    allow_write_path formula.rack
    allow_write_path formula.etc
    allow_write_path formula.var
  end

  # Xcode projects expect access to certain cache/archive dirs.
  def allow_write_xcode
    allow_write_path "/Users/#{ENV["USER"]}/Library/Developer/Xcode/DerivedData/"
  end

  def allow_write_log(formula)
    allow_write_path formula.logs
  end

  def deny_write_homebrew_library
    deny_write_path HOMEBREW_LIBRARY
    deny_write_path HOMEBREW_REPOSITORY/".git"
    deny_write HOMEBREW_BREW_FILE
  end

  def exec(*args)
    seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
    seatbelt.write(@profile.dump)
    seatbelt.close
    @start = Time.now
    safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
  rescue
    @failed = true
    raise
  ensure
    seatbelt.unlink
    sleep 0.1 # wait for a bit to let syslog catch up the latest events.
    syslog_args = %W[
      -F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)
      -k Time ge #{@start.to_i}
      -k Message S deny
      -k Sender kernel
      -o
      -k Time ge #{@start.to_i}
      -k Message S deny
      -k Sender sandboxd
    ]
    logs = Utils.popen_read("syslog", *syslog_args)

    # These messages are confusing and non-fatal, so don't report them.
    logs = logs.lines.reject{ |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join

    unless logs.empty?
      if @logfile
        log = open(@logfile, "w")
        log.write logs
        log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
        log.close
      end

      if @failed && ARGV.verbose?
        ohai "Sandbox log"
        puts logs
        $stdout.flush # without it, brew test-bot would fail to catch the log
      end
    end
  end

  private

  def expand_realpath(path)
    raise unless path.absolute?
    path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
  end

  def path_filter(path, type)
    case type
    when :regex        then "regex \#\"#{path}\""
    when :subpath      then "subpath \"#{expand_realpath(Pathname.new(path))}\""
    when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""
    end
  end

  class SandboxProfile
    SEATBELT_ERB = <<-EOS.undent
      (version 1)
      (debug deny) ; log all denied operations to /var/log/system.log
      <%= rules.join("\n") %>
      (allow file-write*
          (literal "/dev/ptmx")
          (literal "/dev/dtracehelper")
          (literal "/dev/null")
          (literal "/dev/zero")
          (regex #"^/dev/fd/[0-9]+$")
          (regex #"^/dev/ttys?[0-9]*$")
          )
      (deny file-write*) ; deny non-whitelist file write operations
      (allow process-exec
          (literal "/bin/ps")
          (with no-sandbox)
          ) ; allow certain processes running without sandbox
      (allow default) ; allow everything else
    EOS

    attr_reader :rules

    def initialize
      @rules = []
    end

    def add_rule(rule)
      s = "("
      s << (rule[:allow] ? "allow": "deny")
      s << " #{rule[:operation]}"
      s << " (#{rule[:filter]})" if rule[:filter]
      s << " (with #{rule[:modifier]})" if rule[:modifier]
      s << ")"
      @rules << s
    end

    def dump
      ERB.new(SEATBELT_ERB).result(binding)
    end
  end
end
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`require "erb"`
			`require "tempfile"`

			`class Sandbox`
			`SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze`

			`def self.available?`
			`OS.mac? && File.executable?(SANDBOX_EXEC)`
			`end`

sandbox: add test? method. Simplify checking if we’re going to sandbox a test with `Sandbox.test?`. 2016-08-14 17:33:05 +01:00			`def self.test?`
			`return false unless available?`
			`!ARGV.no_sandbox?`
			`end`

print sandbox message Closes Homebrew/homebrew#42293. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-07-31 17:53:42 +08:00			`def self.print_sandbox_message`
			`unless @printed_sandbox_message`
			`ohai "Using the sandbox"`
			`@printed_sandbox_message = true`
auto disable sandbox for interactive shell Closes Homebrew/homebrew#38792. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-07-21 14:47:37 +08:00			`end`
			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def initialize`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`@profile = SandboxProfile.new`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`end`

sandbox: record log Closes Homebrew/homebrew#38711. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-16 21:41:59 +08:00			`def record_log(file)`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`@logfile = file`
sandbox: record log Closes Homebrew/homebrew#38711. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-16 21:41:59 +08:00			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def add_rule(rule)`
			`@profile.add_rule(rule)`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`def allow_write(path, options = {})`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`add_rule :allow => true, :operation => "file-write*", :filter => path_filter(path, options[:type])`
			`end`

Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`def deny_write(path, options = {})`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`add_rule :allow => false, :operation => "file-write*", :filter => path_filter(path, options[:type])`
			`end`

			`def allow_write_path(path)`
			`allow_write path, :type => :subpath`
			`end`

			`def deny_write_path(path)`
			`deny_write path, :type => :subpath`
			`end`

			`def allow_write_temp_and_cache`
			`allow_write_path "/private/tmp"`
sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`allow_write_path "/private/var/tmp"`
sandbox: redesign API 2015-04-13 18:05:15 +08:00			`allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", :type => :regex`
			`allow_write_path HOMEBREW_TEMP`
			`allow_write_path HOMEBREW_CACHE`
			`end`

			`def allow_write_cellar(formula)`
			`allow_write_path formula.rack`
			`allow_write_path formula.etc`
			`allow_write_path formula.var`
			`end`

sandbox: permit /var/tmp & DerivedData Long term it would be nice to sandbox everything that writes to DerivedData but it is essentially a cache directory of sorts. The downside of allowing stuff to write there particularly is that DerivedData is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using installations very quickly, you can chew your disk space up. Closes Homebrew/homebrew#43276. Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com> 2015-08-25 17:34:52 +01:00			`# Xcode projects expect access to certain cache/archive dirs.`
			`def allow_write_xcode`
			`allow_write_path "/Users/#{ENV["USER"]}/Library/Developer/Xcode/DerivedData/"`
			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def allow_write_log(formula)`
Add Formula#logs 2015-04-25 22:07:06 -04:00			`allow_write_path formula.logs`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`

sandbox: add deny_write_homebrew_library method 2015-04-23 12:33:54 +08:00			`def deny_write_homebrew_library`
			`deny_write_path HOMEBREW_LIBRARY`
			`deny_write_path HOMEBREW_REPOSITORY/".git"`
			`deny_write HOMEBREW_BREW_FILE`
			`end`

preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`def exec(*args)`
Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)`
			`seatbelt.write(@profile.dump)`
			`seatbelt.close`
			`@start = Time.now`
			`safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args`
			`rescue`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`@failed = true`
Core files style updates. Closes Homebrew/homebrew#42354. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com> 2015-08-03 13:09:07 +01:00			`raise`
			`ensure`
			`seatbelt.unlink`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`sleep 0.1 # wait for a bit to let syslog catch up the latest events.`
			`syslog_args = %W[`
			`-F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)`
			`-k Time ge #{@start.to_i}`
			`-k Message S deny`
			`-k Sender kernel`
			`-o`
			`-k Time ge #{@start.to_i}`
			`-k Message S deny`
			`-k Sender sandboxd`
			`]`
			`logs = Utils.popen_read("syslog", *syslog_args)`
Don't report .pyc file writes in sandbox logs These are never fatal and often confusing. Fixes #683. 2016-08-11 00:22:18 -07:00
			`# These messages are confusing and non-fatal, so don't report them.`
			`logs = logs.lines.reject{ \|l\| l.match(/^.Python\(\d+\) deny file-write.pyc$/) }.join`

sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`unless logs.empty?`
			`if @logfile`
			`log = open(@logfile, "w")`
			`log.write logs`
			`log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"`
			`log.close`
			`end`

			`if @failed && ARGV.verbose?`
			`ohai "Sandbox log"`
			`puts logs`
sandbox: fix log problem for brew test-bot 2015-08-29 18:59:08 +08:00			`$stdout.flush # without it, brew test-bot would fail to catch the log`
sandbox: better log output * use syslog filter instead of grep. * output sandbox log to stdout when verbose and failed. * output nothing if sandbox log is empty. Closes Homebrew/homebrew#43325. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-08-28 17:30:14 +08:00			`end`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`end`
			`end`

			`private`

			`def expand_realpath(path)`
			`raise unless path.absolute?`
			`path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename`
			`end`

sandbox: redesign API 2015-04-13 18:05:15 +08:00			`def path_filter(path, type)`
			`case type`
			`when :regex then "regex \#\"#{path}\""`
			`when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""`
			`when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""`
			`end`
			`end`

preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`class SandboxProfile`
			`SEATBELT_ERB = <<-EOS.undent`
			`(version 1)`
			`(debug deny) ; log all denied operations to /var/log/system.log`
			`<%= rules.join("\n") %>`
			`(allow file-write*`
sandbox: fix the rules 1. `script` (used to fake the tty) requires write access to /dev/ptmx and /dev/ttys* 2. sandbox profile only accepts `[0-9]` instead of `\d`. 2015-05-10 17:39:53 +08:00			`(literal "/dev/ptmx")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(literal "/dev/dtracehelper")`
			`(literal "/dev/null")`
sandbox: allow writing to /dev/zero Closes Homebrew/homebrew#43344. 2015-08-27 21:25:27 -07:00			`(literal "/dev/zero")`
sandbox: fix the rules 1. `script` (used to fake the tty) requires write access to /dev/ptmx and /dev/ttys* 2. sandbox profile only accepts `[0-9]` instead of `\d`. 2015-05-10 17:39:53 +08:00			`(regex #"^/dev/fd/[0-9]+$")`
			`(regex #"^/dev/ttys?[0-9]*$")`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`)`
			`(deny file-write*) ; deny non-whitelist file write operations`
sandbox: allow certain processes running without sandbox 2015-09-15 11:46:56 +08:00			`(allow process-exec`
			`(literal "/bin/ps")`
			`(with no-sandbox)`
			`) ; allow certain processes running without sandbox`
preliminary write control only sandbox Closes Homebrew/homebrew#38361. Signed-off-by: Xu Cheng <xucheng@me.com> 2015-04-09 17:42:54 +08:00			`(allow default) ; allow everything else`
			`EOS`

			`attr_reader :rules`

			`def initialize`
			`@rules = []`
			`end`

			`def add_rule(rule)`
			`s = "("`
			`s << (rule[:allow] ? "allow": "deny")`
			`s << " #{rule[:operation]}"`
			`s << " (#{rule[:filter]})" if rule[:filter]`
			`s << " (with #{rule[:modifier]})" if rule[:modifier]`
			`s << ")"`
			`@rules << s`
			`end`

			`def dump`
			`ERB.new(SEATBELT_ERB).result(binding)`
			`end`
			`end`
			`end`