Class: Sandbox

Inherits:

Object

• Object
• Sandbox

Defined in:

Library/Homebrew/sandbox.rb

Defined Under Namespace

Classes: SandboxProfile

Constant Summary

SANDBOX_EXEC =

"/usr/bin/sandbox-exec".freeze

Class Method Summary

• .available? ⇒ Boolean
• .formula?(_formula) ⇒ Boolean
• .test? ⇒ Boolean

Instance Method Summary

• #add_rule(rule) ⇒ Object
• #allow_write(path, options = {}) ⇒ Object
• #allow_write_cellar(formula) ⇒ Object
• #allow_write_log(formula) ⇒ Object
• #allow_write_path(path) ⇒ Object
• #allow_write_temp_and_cache ⇒ Object
• #allow_write_xcode ⇒ Object

  Xcode projects expect access to certain cache/archive dirs.

• #deny_write(path, options = {}) ⇒ Object
• #deny_write_homebrew_repository ⇒ Object
• #deny_write_path(path) ⇒ Object
• #exec(*args) ⇒ Object
• #initialize ⇒ Sandbox constructor

  A new instance of Sandbox.

• #record_log(file) ⇒ Object

Constructor Details

#initialize ⇒ Sandbox

# File 'Library/Homebrew/sandbox.rb', line 21

def initialize
  @profile = SandboxProfile.new
end

Class Method Details

.available? ⇒ Boolean

# File 'Library/Homebrew/sandbox.rb', line 7

def self.available?
  OS.mac? && OS::Mac.version >= "10.6" && File.executable?(SANDBOX_EXEC)
end

.formula?(_formula) ⇒ Boolean

# File 'Library/Homebrew/sandbox.rb', line 11

def self.formula?(_formula)
  return false unless available?
  !ARGV.no_sandbox?
end

.test? ⇒ Boolean

# File 'Library/Homebrew/sandbox.rb', line 16

def self.test?
  return false unless available?
  !ARGV.no_sandbox?
end

Instance Method Details

#add_rule(rule) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 29

def add_rule(rule)
  @profile.add_rule(rule)
end

#allow_write(path, options = {}) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 33

def allow_write(path, options = {})
  add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])
end

#allow_write_cellar(formula) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 57

def allow_write_cellar(formula)
  allow_write_path formula.rack
  allow_write_path formula.etc
  allow_write_path formula.var
end

#allow_write_log(formula) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 68

def allow_write_log(formula)
  allow_write_path formula.logs
end

#allow_write_path(path) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 41

def allow_write_path(path)
  allow_write path, type: :subpath
end

#allow_write_temp_and_cache ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 49

def allow_write_temp_and_cache
  allow_write_path "/private/tmp"
  allow_write_path "/private/var/tmp"
  allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
  allow_write_path HOMEBREW_TEMP
  allow_write_path HOMEBREW_CACHE
end

#allow_write_xcode ⇒ Object

Xcode projects expect access to certain cache/archive dirs.

# File 'Library/Homebrew/sandbox.rb', line 64

def allow_write_xcode
  allow_write_path "/Users/#{ENV["USER"]}/Library/Developer"
end

#deny_write(path, options = {}) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 37

def deny_write(path, options = {})
  add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])
end

#deny_write_homebrew_repository ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 72

def deny_write_homebrew_repository
  deny_write HOMEBREW_BREW_FILE
  if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
    deny_write_path HOMEBREW_REPOSITORY
  else
    deny_write_path HOMEBREW_LIBRARY
    deny_write_path HOMEBREW_REPOSITORY/".git"
  end
end

#deny_write_path(path) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 45

def deny_write_path(path)
  deny_write path, type: :subpath
end

#exec(*args) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 82

def exec(*args)
  seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
  seatbelt.write(@profile.dump)
  seatbelt.close
  @start = Time.now
  safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
rescue
  @failed = true
  raise
ensure
  seatbelt.unlink
  sleep 0.1 # wait for a bit to let syslog catch up the latest events.
  syslog_args = %W[
    -F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)
    -k Time ge #{@start.to_i}
    -k Message S deny
    -k Sender kernel
    -o
    -k Time ge #{@start.to_i}
    -k Message S deny
    -k Sender sandboxd
  ]
  logs = Utils.popen_read("syslog", *syslog_args)

  # These messages are confusing and non-fatal, so don't report them.
  logs = logs.lines.reject { |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join

  unless logs.empty?
    if @logfile
      log = open(@logfile, "w")
      log.write logs
      log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
      log.close
    end

    if @failed && ARGV.verbose?
      ohai "Sandbox log"
      puts logs
      $stdout.flush # without it, brew test-bot would fail to catch the log
    end
  end
end

#record_log(file) ⇒ Object

# File 'Library/Homebrew/sandbox.rb', line 25

def record_log(file)
  @logfile = file
end