Class: Sandbox Private
- Inherits:
-
Object
- Object
- Sandbox
- Defined in:
- Library/Homebrew/sandbox.rb
Overview
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Helper class for running a sub-process inside of a sandboxed environment.
Class Method Summary collapse
- .available? ⇒ Boolean private
Instance Method Summary collapse
- #add_rule(rule) ⇒ Object private
- #allow_cvs ⇒ Object private
- #allow_fossil ⇒ Object private
- #allow_write(path, options = {}) ⇒ Object private
- #allow_write_cellar(formula) ⇒ Object private
- #allow_write_log(formula) ⇒ Object private
- #allow_write_path(path) ⇒ Object private
- #allow_write_temp_and_cache ⇒ Object private
-
#allow_write_xcode ⇒ Object
private
Xcode projects expect access to certain cache/archive dirs.
- #deny_write(path, options = {}) ⇒ Object private
- #deny_write_homebrew_repository ⇒ Object private
- #deny_write_path(path) ⇒ Object private
- #exec(*args) ⇒ Object private
-
#initialize ⇒ Sandbox
constructor
private
A new instance of Sandbox.
- #record_log(file) ⇒ Object private
Constructor Details
#initialize ⇒ Sandbox
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of Sandbox.
18 19 20 |
# File 'Library/Homebrew/sandbox.rb', line 18 def initialize @profile = SandboxProfile.new end |
Class Method Details
Instance Method Details
#add_rule(rule) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
26 27 28 |
# File 'Library/Homebrew/sandbox.rb', line 26 def add_rule(rule) @profile.add_rule(rule) end |
#allow_cvs ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
54 55 56 |
# File 'Library/Homebrew/sandbox.rb', line 54 def allow_cvs allow_write_path "#{Dir.home(ENV["USER"])}/.cvspass" end |
#allow_fossil ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
58 59 60 61 |
# File 'Library/Homebrew/sandbox.rb', line 58 def allow_fossil allow_write_path "#{Dir.home(ENV["USER"])}/.fossil" allow_write_path "#{Dir.home(ENV["USER"])}/.fossil-journal" end |
#allow_write(path, options = {}) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
30 31 32 |
# File 'Library/Homebrew/sandbox.rb', line 30 def allow_write(path, = {}) add_rule allow: true, operation: "file-write*", filter: path_filter(path, [:type]) end |
#allow_write_cellar(formula) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
63 64 65 66 67 |
# File 'Library/Homebrew/sandbox.rb', line 63 def allow_write_cellar(formula) allow_write_path formula.rack allow_write_path formula.etc allow_write_path formula.var end |
#allow_write_log(formula) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
74 75 76 |
# File 'Library/Homebrew/sandbox.rb', line 74 def allow_write_log(formula) allow_write_path formula.logs end |
#allow_write_path(path) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
38 39 40 |
# File 'Library/Homebrew/sandbox.rb', line 38 def allow_write_path(path) allow_write path, type: :subpath end |
#allow_write_temp_and_cache ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
46 47 48 49 50 51 52 |
# File 'Library/Homebrew/sandbox.rb', line 46 def allow_write_temp_and_cache allow_write_path "/private/tmp" allow_write_path "/private/var/tmp" allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex allow_write_path HOMEBREW_TEMP allow_write_path HOMEBREW_CACHE end |
#allow_write_xcode ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Xcode projects expect access to certain cache/archive dirs.
70 71 72 |
# File 'Library/Homebrew/sandbox.rb', line 70 def allow_write_xcode allow_write_path "#{Dir.home(ENV["USER"])}/Library/Developer" end |
#deny_write(path, options = {}) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
34 35 36 |
# File 'Library/Homebrew/sandbox.rb', line 34 def deny_write(path, = {}) add_rule allow: false, operation: "file-write*", filter: path_filter(path, [:type]) end |
#deny_write_homebrew_repository ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
78 79 80 81 82 83 84 85 86 |
# File 'Library/Homebrew/sandbox.rb', line 78 def deny_write_homebrew_repository deny_write HOMEBREW_BREW_FILE if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s deny_write_path HOMEBREW_REPOSITORY else deny_write_path HOMEBREW_LIBRARY deny_write_path HOMEBREW_REPOSITORY/".git" end end |
#deny_write_path(path) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
42 43 44 |
# File 'Library/Homebrew/sandbox.rb', line 42 def deny_write_path(path) deny_write path, type: :subpath end |
#exec(*args) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
# File 'Library/Homebrew/sandbox.rb', line 88 def exec(*args) seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP) seatbelt.write(@profile.dump) seatbelt.close @start = Time.now safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args rescue @failed = true raise ensure seatbelt.unlink sleep 0.1 # wait for a bit to let syslog catch up the latest events. syslog_args = %W[ -F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message) -k Time ge #{@start.to_i} -k Message S deny -k Sender kernel -o -k Time ge #{@start.to_i} -k Message S deny -k Sender sandboxd ] logs = Utils.popen_read("syslog", *syslog_args) # These messages are confusing and non-fatal, so don't report them. logs = logs.lines.reject { |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join unless logs.empty? if @logfile File.open(@logfile, "w") do |log| log.write logs log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n" end end if @failed && Homebrew::EnvConfig.verbose? ohai "Sandbox log" puts logs $stdout.flush # without it, brew test-bot would fail to catch the log end end end |
#record_log(file) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
22 23 24 |
# File 'Library/Homebrew/sandbox.rb', line 22 def record_log(file) @logfile = file end |