Class: Sandbox Private

Inherits:

Object

• Object
• Sandbox

Defined in:

extend/os/mac/sandbox.rb,
sandbox.rb

Overview

This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.

Helper class for running a sub-process inside of a sandboxed environment.

Class Method Summary

• .available? ⇒ Boolean private

Instance Method Summary

• #add_rule(allow:, operation:, filter: nil, modifier: nil) ⇒ void private
• #allow_all_network ⇒ void private
• #allow_cvs ⇒ void private
• #allow_fossil ⇒ void private
• #allow_network(path:, type: :literal) ⇒ void private
• #allow_write(path:, type: :literal) ⇒ void private
• #allow_write_cellar(formula) ⇒ void private
• #allow_write_log(formula) ⇒ void private
• #allow_write_path(path) ⇒ void private
• #allow_write_temp_and_cache ⇒ void private
• #allow_write_xcode ⇒ void private

  Xcode projects expect access to certain cache/archive dirs.

• #deny_all_network ⇒ void private
• #deny_all_network_except_pipe(path) ⇒ void private
• #deny_network(path:, type: :literal) ⇒ void private
• #deny_write(path:, type: :literal) ⇒ void private
• #deny_write_homebrew_repository ⇒ void private
• #deny_write_path(path) ⇒ void private
• #exec(*args) ⇒ void private
• #initialize ⇒ void constructor private
• #record_log(file) ⇒ void private

Constructor Details

#initialize ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'sandbox.rb', line 20

def initialize
  @profile = T.let(SandboxProfile.new, SandboxProfile)
  @failed = T.let(false, T::Boolean)
end

Class Method Details

.available? ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Boolean)

# File 'extend/os/mac/sandbox.rb', line 6

def self.available?
  File.executable?(SANDBOX_EXEC)
end

Instance Method Details

#add_rule(allow:, operation:, filter: nil, modifier: nil) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• allow (Boolean)
• operation (String)
• filter (String, nil) (defaults to: nil)
• modifier (String, nil) (defaults to: nil)

# File 'sandbox.rb', line 31

def add_rule(allow:, operation:, filter: nil, modifier: nil)
  rule = SandboxRule.new(allow:, operation:, filter:, modifier:)
  @profile.add_rule(rule)
end

#allow_all_network ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 118

def allow_all_network
  add_rule allow: true, operation: "network*"
end

#allow_cvs ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 67

def allow_cvs
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.cvspass"
end

#allow_fossil ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 72

def allow_fossil
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil"
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil-journal"
end

#allow_network(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 108

def allow_network(path:, type: :literal)
  add_rule allow: true, operation: "network*", filter: path_filter(path, type)
end

#allow_write(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 37

def allow_write(path:, type: :literal)
  add_rule allow: true, operation: "file-write*", filter: path_filter(path, type)
  add_rule allow: true, operation: "file-write-setugid", filter: path_filter(path, type)
end

#allow_write_cellar(formula) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• formula (Formula)

# File 'sandbox.rb', line 78

def allow_write_cellar(formula)
  allow_write_path formula.rack
  allow_write_path formula.etc
  allow_write_path formula.var
end

#allow_write_log(formula) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• formula (Formula)

# File 'sandbox.rb', line 92

def allow_write_log(formula)
  allow_write_path formula.logs
end

#allow_write_path(path) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)

# File 'sandbox.rb', line 48

def allow_write_path(path)
  allow_write path:, type: :subpath
end

#allow_write_temp_and_cache ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 58

def allow_write_temp_and_cache
  allow_write_path "/private/tmp"
  allow_write_path "/private/var/tmp"
  allow_write path: "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
  allow_write_path HOMEBREW_TEMP
  allow_write_path HOMEBREW_CACHE
end

#allow_write_xcode ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Xcode projects expect access to certain cache/archive dirs.

# File 'sandbox.rb', line 86

def allow_write_xcode
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/Library/Developer"
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/Library/Caches/org.swift.swiftpm"
end

#deny_all_network ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 123

def deny_all_network
  add_rule allow: false, operation: "network*"
end

#deny_all_network_except_pipe(path) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)

# File 'sandbox.rb', line 128

def deny_all_network_except_pipe(path)
  deny_all_network
  allow_network path:, type: :literal
end

#deny_network(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 113

def deny_network(path:, type: :literal)
  add_rule allow: false, operation: "network*", filter: path_filter(path, type)
end

#deny_write(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 43

def deny_write(path:, type: :literal)
  add_rule allow: false, operation: "file-write*", filter: path_filter(path, type)
end

#deny_write_homebrew_repository ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 97

def deny_write_homebrew_repository
  deny_write path: HOMEBREW_BREW_FILE
  if HOMEBREW_PREFIX.to_s == HOMEBREW_REPOSITORY.to_s
    deny_write_path HOMEBREW_LIBRARY
    deny_write_path HOMEBREW_REPOSITORY/".git"
  else
    deny_write_path HOMEBREW_REPOSITORY
  end
end

#deny_write_path(path) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)

# File 'sandbox.rb', line 53

def deny_write_path(path)
  deny_write path:, type: :subpath
end

#exec(*args) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• args (String, Pathname)

# File 'sandbox.rb', line 134

def exec(*args)
  seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
  seatbelt.write(@profile.dump)
  seatbelt.close
  @start = T.let(Time.now, T.nilable(Time))

  begin
    command = [SANDBOX_EXEC, "-f", seatbelt.path, *args]
    # Start sandbox in a pseudoterminal to prevent access of the parent terminal.
    PTY.spawn(*command) do |r, w, pid|
      # Set the PTY's window size to match the parent terminal.
      # Some formula tests are sensitive to the terminal size and fail if this is not set.
      winch = proc do |_sig|
        w.winsize = if $stdout.tty?
          # We can only use IO#winsize if the IO object is a TTY.
          $stdout.winsize
        else
          # Otherwise, default to tput, if available.
          # This relies on ncurses rather than the system's ioctl.
          [Utils.popen_read("tput", "lines").to_i, Utils.popen_read("tput", "cols").to_i]
        end
      end

      write_to_pty = proc do
        # Don't hang if stdin is not able to be used - throw EIO instead.
        old_ttin = trap(:TTIN, "IGNORE")

        # Update the window size whenever the parent terminal's window size changes.
        old_winch = trap(:WINCH, &winch)
        winch.call(nil)

        stdin_thread = Thread.new do
          IO.copy_stream($stdin, w)
        rescue Errno::EIO
          # stdin is unavailable - move on.
        end

        r.each_char { |c| print(c) }

        Process.wait(pid)
      ensure
        stdin_thread&.kill
        trap(:TTIN, old_ttin)
        trap(:WINCH, old_winch)
      end

      if $stdin.tty?
        # If stdin is a TTY, use io.raw to set stdin to a raw, passthrough
        # mode while we copy the input/output of the process spawned in the
        # PTY. After we've finished copying to/from the PTY process, io.raw
        # will restore the stdin TTY to its original state.
        begin
          # Ignore SIGTTOU as setting raw mode will hang if the process is in the background.
          old_ttou = trap(:TTOU, "IGNORE")
          $stdin.raw(&write_to_pty)
        ensure
          trap(:TTOU, old_ttou)
        end
      else
        write_to_pty.call
      end
    end
    raise ErrorDuringExecution.new(command, status: $CHILD_STATUS) unless $CHILD_STATUS.success?
  rescue
    @failed = true
    raise
  ensure
    seatbelt.unlink
    sleep 0.1 # wait for a bit to let syslog catch up the latest events.
    syslog_args = [
      "-F", "$((Time)(local)) $(Sender)[$(PID)]: $(Message)",
      "-k", "Time", "ge", @start.to_i.to_s,
      "-k", "Message", "S", "deny",
      "-k", "Sender", "kernel",
      "-o",
      "-k", "Time", "ge", @start.to_i.to_s,
      "-k", "Message", "S", "deny",
      "-k", "Sender", "sandboxd"
    ]
    logs = Utils.popen_read("syslog", *syslog_args)

    # These messages are confusing and non-fatal, so don't report them.
    logs = logs.lines.grep_v(/^.*Python\(\d+\) deny file-write.*pyc$/).join

    unless logs.empty?
      if @logfile
        File.open(@logfile, "w") do |log|
          log.write logs
          log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
        end
      end

      if @failed && Homebrew::EnvConfig.verbose?
        ohai "Sandbox Log", logs
        $stdout.flush # without it, brew test-bot would fail to catch the log
      end
    end
  end
end

#record_log(file) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• file (String, Pathname)

# File 'sandbox.rb', line 26

def record_log(file)
  @logfile = T.let(file, T.nilable(T.any(String, Pathname)))
end