It’s not uncommon to use `/var/${USER}` as a home directory, especially
for shared or CLI-only users.
This fixes an issue where a formula that requires `xcodebuild` is
`brew install`ed from such a shared or CLI-only user account.
In that case, `xcodebuild` would fail because it is denied writing to
`/var/${USER}/Library/Developer/Xcode`.
For details, see: https://gist.github.com/claui/17cd89f8f6b4094ac704f142ea811fd8
Suggested-by: Bo Anderson <mail@boanderson.me>
Combined with https://github.com/Homebrew/homebrew-test-bot/pull/247
this will test Homebrew's use of frozen strings in CI. After this we
will then enable it for Homebrew developers and eventually all Homebrew
users.
We've been doing this in `brew test-bot`, for our CI and for
homebrew/core long enough that this is a reasonable default that
provides more protection to our users of non-homebrew/core taps.
If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the
default) then we can block access to the whole of HOMEBREW_REPOSITORY
rather than just the HOMEBREW_LIBRARY and `.git`.
Although `sandbox-exec` is available in 10.5, it has very limited
support for the DSL of the sandbox profile file (.sb file). Therefore,
sandbox for Homebrew on 10.5 is broken.
Closes #735.
Signed-off-by: Xu Cheng <git@xuc.me>
Add a new `Sandbox.formula?` method to see if a given formula should be
sandboxed. Use the formula to check its tap against a list of
pre-approved taps where we know every formula builds under the sandbox
(currently just homebrew/core).
Also enables sandbox for --interactive and --debug use of install
and test, using automatic retention.
Closes #66.
Signed-off-by: Andrew Janke <andrew@apjanke.net>
* use syslog filter instead of grep.
* output sandbox log to stdout when verbose and failed.
* output nothing if sandbox log is empty.
Closes Homebrew/homebrew#43325.
Signed-off-by: Xu Cheng <xucheng@me.com>
Long term it would be nice to sandbox everything that writes to DerivedData
but it is essentially a cache directory of sorts.
The downside of allowing stuff to write there particularly is that DerivedData
is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using
installations very quickly, you can chew your disk space up.
Closes Homebrew/homebrew#43276.
Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com>