Class: Sandbox Private

Inherits:

Object

• Object
• Sandbox

Defined in:

Library/Homebrew/sandbox.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Helper class for running a sub-process inside of a sandboxed environment.

Class Method Summary

• .available? ⇒ Boolean private

Instance Method Summary

• #add_rule(rule) ⇒ Object private
• #allow_cvs ⇒ Object private
• #allow_fossil ⇒ Object private
• #allow_write(path, options = {}) ⇒ Object private
• #allow_write_cellar(formula) ⇒ Object private
• #allow_write_log(formula) ⇒ Object private
• #allow_write_path(path) ⇒ Object private
• #allow_write_temp_and_cache ⇒ Object private
• #allow_write_xcode ⇒ Object private

  Xcode projects expect access to certain cache/archive dirs.

• #deny_write(path, options = {}) ⇒ Object private
• #deny_write_homebrew_repository ⇒ Object private
• #deny_write_path(path) ⇒ Object private
• #exec(*args) ⇒ Object private
• #initialize ⇒ Sandbox constructor private

  A new instance of Sandbox.

• #record_log(file) ⇒ Object private

Constructor Details

#initialize ⇒ Sandbox

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of Sandbox.

# File 'Library/Homebrew/sandbox.rb', line 18

def initialize
  @profile = SandboxProfile.new
end

Class Method Details

.available? ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

• (Boolean)

# File 'Library/Homebrew/sandbox.rb', line 14

def self.available?
  OS.mac? && File.executable?(SANDBOX_EXEC)
end

Instance Method Details

#add_rule(rule) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 26

def add_rule(rule)
  @profile.add_rule(rule)
end

#allow_cvs ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 54

def allow_cvs
  allow_write_path "#{Dir.home(ENV["USER"])}/.cvspass"
end

#allow_fossil ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 58

def allow_fossil
  allow_write_path "#{Dir.home(ENV["USER"])}/.fossil"
  allow_write_path "#{Dir.home(ENV["USER"])}/.fossil-journal"
end

#allow_write(path, options = {}) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 30

def allow_write(path, options = {})
  add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])
end

#allow_write_cellar(formula) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 63

def allow_write_cellar(formula)
  allow_write_path formula.rack
  allow_write_path formula.etc
  allow_write_path formula.var
end

#allow_write_log(formula) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 74

def allow_write_log(formula)
  allow_write_path formula.logs
end

#allow_write_path(path) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 38

def allow_write_path(path)
  allow_write path, type: :subpath
end

#allow_write_temp_and_cache ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 46

def allow_write_temp_and_cache
  allow_write_path "/private/tmp"
  allow_write_path "/private/var/tmp"
  allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
  allow_write_path HOMEBREW_TEMP
  allow_write_path HOMEBREW_CACHE
end

#allow_write_xcode ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Xcode projects expect access to certain cache/archive dirs.

# File 'Library/Homebrew/sandbox.rb', line 70

def allow_write_xcode
  allow_write_path "#{Dir.home(ENV["USER"])}/Library/Developer"
end

#deny_write(path, options = {}) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 34

def deny_write(path, options = {})
  add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])
end

#deny_write_homebrew_repository ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 78

def deny_write_homebrew_repository
  deny_write HOMEBREW_BREW_FILE
  if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
    deny_write_path HOMEBREW_REPOSITORY
  else
    deny_write_path HOMEBREW_LIBRARY
    deny_write_path HOMEBREW_REPOSITORY/".git"
  end
end

#deny_write_path(path) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 42

def deny_write_path(path)
  deny_write path, type: :subpath
end

#exec(*args) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 88

def exec(*args)
  seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
  seatbelt.write(@profile.dump)
  seatbelt.close
  @start = Time.now
  safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
rescue
  @failed = true
  raise
ensure
  seatbelt.unlink
  sleep 0.1 # wait for a bit to let syslog catch up the latest events.
  syslog_args = %W[
    -F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)
    -k Time ge #{@start.to_i}
    -k Message S deny
    -k Sender kernel
    -o
    -k Time ge #{@start.to_i}
    -k Message S deny
    -k Sender sandboxd
  ]
  logs = Utils.popen_read("syslog", *syslog_args)

  # These messages are confusing and non-fatal, so don't report them.
  logs = logs.lines.reject { |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join

  unless logs.empty?
    if @logfile
      File.open(@logfile, "w") do |log|
        log.write logs
        log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
      end
    end

    if @failed && Homebrew::EnvConfig.verbose?
      ohai "Sandbox log"
      puts logs
      $stdout.flush # without it, brew test-bot would fail to catch the log
    end
  end
end

#record_log(file) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'Library/Homebrew/sandbox.rb', line 22

def record_log(file)
  @logfile = file
end