Class: Sandbox

Inherits:
Object
  • Object
show all
Defined in:
Library/Homebrew/sandbox.rb

Defined Under Namespace

Classes: SandboxProfile

Constant Summary collapse

SANDBOX_EXEC =
"/usr/bin/sandbox-exec".freeze

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initializeSandbox

Returns a new instance of Sandbox



21
22
23
# File 'Library/Homebrew/sandbox.rb', line 21

def initialize
  @profile = SandboxProfile.new
end

Class Method Details

.available?Boolean

Returns:

  • (Boolean)


7
8
9
# File 'Library/Homebrew/sandbox.rb', line 7

def self.available?
  OS.mac? && OS::Mac.version >= "10.6" && File.executable?(SANDBOX_EXEC)
end

.formula?(_formula) ⇒ Boolean

Returns:

  • (Boolean)


11
12
13
14
# File 'Library/Homebrew/sandbox.rb', line 11

def self.formula?(_formula)
  return false unless available?
  !ARGV.no_sandbox?
end

.test?Boolean

Returns:

  • (Boolean)


16
17
18
19
# File 'Library/Homebrew/sandbox.rb', line 16

def self.test?
  return false unless available?
  !ARGV.no_sandbox?
end

Instance Method Details

#add_rule(rule) ⇒ Object



29
30
31
# File 'Library/Homebrew/sandbox.rb', line 29

def add_rule(rule)
  @profile.add_rule(rule)
end

#allow_write(path, options = {}) ⇒ Object



33
34
35
# File 'Library/Homebrew/sandbox.rb', line 33

def allow_write(path, options = {})
  add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])
end

#allow_write_cellar(formula) ⇒ Object



57
58
59
60
61
# File 'Library/Homebrew/sandbox.rb', line 57

def allow_write_cellar(formula)
  allow_write_path formula.rack
  allow_write_path formula.etc
  allow_write_path formula.var
end

#allow_write_log(formula) ⇒ Object



68
69
70
# File 'Library/Homebrew/sandbox.rb', line 68

def allow_write_log(formula)
  allow_write_path formula.logs
end

#allow_write_path(path) ⇒ Object



41
42
43
# File 'Library/Homebrew/sandbox.rb', line 41

def allow_write_path(path)
  allow_write path, type: :subpath
end

#allow_write_temp_and_cacheObject



49
50
51
52
53
54
55
# File 'Library/Homebrew/sandbox.rb', line 49

def allow_write_temp_and_cache
  allow_write_path "/private/tmp"
  allow_write_path "/private/var/tmp"
  allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
  allow_write_path HOMEBREW_TEMP
  allow_write_path HOMEBREW_CACHE
end

#allow_write_xcodeObject

Xcode projects expect access to certain cache/archive dirs.



64
65
66
# File 'Library/Homebrew/sandbox.rb', line 64

def allow_write_xcode
  allow_write_path "/Users/#{ENV["USER"]}/Library/Developer"
end

#deny_write(path, options = {}) ⇒ Object



37
38
39
# File 'Library/Homebrew/sandbox.rb', line 37

def deny_write(path, options = {})
  add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])
end

#deny_write_homebrew_repositoryObject



72
73
74
75
76
77
78
79
80
# File 'Library/Homebrew/sandbox.rb', line 72

def deny_write_homebrew_repository
  deny_write HOMEBREW_BREW_FILE
  if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
    deny_write_path HOMEBREW_REPOSITORY
  else
    deny_write_path HOMEBREW_LIBRARY
    deny_write_path HOMEBREW_REPOSITORY/".git"
  end
end

#deny_write_path(path) ⇒ Object



45
46
47
# File 'Library/Homebrew/sandbox.rb', line 45

def deny_write_path(path)
  deny_write path, type: :subpath
end

#exec(*args) ⇒ Object



82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# File 'Library/Homebrew/sandbox.rb', line 82

def exec(*args)
  seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
  seatbelt.write(@profile.dump)
  seatbelt.close
  @start = Time.now
  safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
rescue
  @failed = true
  raise
ensure
  seatbelt.unlink
  sleep 0.1 # wait for a bit to let syslog catch up the latest events.
  syslog_args = %W[
    -F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)
    -k Time ge #{@start.to_i}
    -k Message S deny
    -k Sender kernel
    -o
    -k Time ge #{@start.to_i}
    -k Message S deny
    -k Sender sandboxd
  ]
  logs = Utils.popen_read("syslog", *syslog_args)

  # These messages are confusing and non-fatal, so don't report them.
  logs = logs.lines.reject { |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join

  unless logs.empty?
    if @logfile
      log = open(@logfile, "w")
      log.write logs
      log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
      log.close
    end

    if @failed && ARGV.verbose?
      ohai "Sandbox log"
      puts logs
      $stdout.flush # without it, brew test-bot would fail to catch the log
    end
  end
end

#record_log(file) ⇒ Object



25
26
27
# File 'Library/Homebrew/sandbox.rb', line 25

def record_log(file)
  @logfile = file
end