Class: Sandbox::SandboxProfile

Inherits:
Object
  • Object
Defined in:
brew/Library/Homebrew/sandbox.rb

Constant Summary

# ERB template for the Seatbelt (macOS sandbox) profile text that #dump renders.
#
# Layout, top to bottom:
#   1. `rules.join("\n")` - every string collected in `rules`, inserted
#      verbatim; nothing in this template escapes or validates them.
#   2. A fixed allow list of device paths for file-write*.
#   3. `(deny file-write*)` for all other writes.
#   4. process-exec of /bin/ps is allowed `(with no-sandbox)`, i.e. that one
#      binary runs without the sandbox applied.
#   5. `(allow default)` - any operation not matched above is permitted.
#
# NOTE(review): because the profile ends in `(allow default)`, it contains
# file writes only. Reads, network access and process execution stay allowed
# unless a rule supplied through `rules` denies them, so treat this as write
# containment rather than full isolation.
# NOTE(review): `(debug deny)` asks for denied operations to be logged (per the
# inline comment, to /var/log/system.log); that log is the place to look when
# auditing what a sandboxed build tried to write.
SEATBELT_ERB =
<<~ERB
  (version 1)
  (debug deny) ; log all denied operations to /var/log/system.log
  <%= rules.join("\n") %>
  (allow file-write*
      (literal "/dev/ptmx")
      (literal "/dev/dtracehelper")
      (literal "/dev/null")
      (literal "/dev/random")
      (literal "/dev/zero")
      (regex #"^/dev/fd/[0-9]+$")
      (regex #"^/dev/ttys?[0-9]*$")
      )
  (deny file-write*) ; deny non-whitelist file write operations
  (allow process-exec
      (literal "/bin/ps")
      (with no-sandbox)
      ) ; allow certain processes running without sandbox
  (allow default) ; allow everything else
ERB

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize ⇒ SandboxProfile

Returns a new instance of SandboxProfile



# File 'brew/Library/Homebrew/sandbox.rb', line 178

# Starts the profile with an empty rule list; entries are appended later
# through #add_rule and rendered by #dump.
def initialize
  @rules = Array.new
end

Instance Attribute Details

#rules ⇒ Object (readonly)

Returns the value of attribute rules



# File 'brew/Library/Homebrew/sandbox.rb', line 176

# Reader for the rule strings collected so far (one entry per #add_rule call).
#
# NOTE(review): this hands back the internal array itself, not a copy. The
# individual strings are frozen by #add_rule, but the array is not, so a caller
# that mutates it changes what #dump renders into the profile.
#
# @return [Array<String>] the live rule list
def rules
  @rules
end

Instance Method Details

#add_rule(rule) ⇒ Object



# File 'brew/Library/Homebrew/sandbox.rb', line 182

# Builds one profile rule string from +rule+ and appends it, frozen, to @rules.
#
# The rendered form is:
#   (allow|deny OPERATION[ (FILTER)][ (with MODIFIER)])
#
# NOTE(review): :operation, :filter and :modifier are interpolated as-is; this
# method does no quoting, escaping or validation. A value containing a quote,
# a parenthesis or a newline changes the structure of the rendered profile, so
# any filter built from a path or other externally influenced value has to be
# validated by the caller before it reaches this method.
#
# @param rule [Hash] reads :allow (truthy => "allow", otherwise "deny"),
#   :operation, and the optional :filter and :modifier
# @return [Array<String>] the rule list after the append
def add_rule(rule)
  verb = rule[:allow] ? "allow" : "deny"
  head = "(#{verb} #{rule[:operation]}"
  filter_clause = rule[:filter] ? " (#{rule[:filter]})" : ""
  modifier_clause = rule[:modifier] ? " (with #{rule[:modifier]})" : ""
  @rules << "#{head}#{filter_clause}#{modifier_clause})".freeze
end

#dump ⇒ Object



# File 'brew/Library/Homebrew/sandbox.rb', line 192

# Renders SEATBELT_ERB into the final profile text.
#
# The template is evaluated against this method's binding, so the `rules`
# reference inside it resolves to this instance's #rules; each collected rule
# string is emitted unchanged, one per line, ahead of the fixed rules.
#
# NOTE(review): result(binding) gives the template access to the whole
# instance scope, and ERB executes any Ruby embedded in the template. That is
# fine while the template is the SEATBELT_ERB constant; do not route a
# template from outside the codebase through this call.
#
# @return [String] the rendered profile
def dump
  ERB.new(SEATBELT_ERB).result(binding)
end