Class: Sandbox::SandboxProfile

Inherits:
Object
  • Object
Defined in:
Library/Homebrew/sandbox.rb

Constant Summary

# ERB template for the Seatbelt sandbox profile text that #dump renders.
#
# Rendered layout, top to bottom:
#   1. header: `(version 1)` and `(debug deny)`;
#   2. the caller-supplied rule strings, joined with newlines and inserted
#      verbatim;
#   3. `file-write*` allowed for a fixed list of /dev nodes;
#   4. `(deny file-write*)`, described in the template as denying the
#      remaining file write operations;
#   5. `process-exec` of /bin/ps allowed `with no-sandbox`;
#   6. `(allow default)`, described in the template as "allow everything else".
#
# Review notes:
# - The fallback is `(allow default)`, so the fixed part of this template
#   constrains file writes only. Reads, network access and process execution
#   stay permitted unless a caller-supplied rule denies them.
# - Rule strings are joined in without quoting or escaping; they must already
#   be well-formed profile syntax when they reach the template.
# - /bin/ps is exempted from the sandbox altogether. Anything added to that
#   list runs unconfined, so it should stay as short as possible.
SEATBELT_ERB =
<<~EOS.freeze
  (version 1)
  (debug deny) ; log all denied operations to /var/log/system.log
  <%= rules.join("\n") %>
  (allow file-write*
      (literal "/dev/ptmx")
      (literal "/dev/dtracehelper")
      (literal "/dev/null")
      (literal "/dev/random")
      (literal "/dev/zero")
      (regex #"^/dev/fd/[0-9]+$")
      (regex #"^/dev/ttys?[0-9]*$")
      )
  (deny file-write*) ; deny non-whitelist file write operations
  (allow process-exec
      (literal "/bin/ps")
      (with no-sandbox)
      ) ; allow certain processes running without sandbox
  (allow default) ; allow everything else
EOS

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize ⇒ SandboxProfile

Returns a new instance of SandboxProfile



# File 'Library/Homebrew/sandbox.rb', line 164

# Creates a profile with an empty rule list.
#
# @rules is the Array that #add_rule appends to and that the template reads
# through #rules. Until a rule is added, the template's rule section renders
# as an empty string, leaving only the fixed part of SEATBELT_ERB.
def initialize
  @rules = []
end

Instance Attribute Details

#rules ⇒ Object (readonly)

Returns the value of attribute rules



# File 'Library/Homebrew/sandbox.rb', line 162

# Returns the rule strings collected so far, in insertion order.
#
# This is the profile's own Array, not a copy: a caller that mutates the
# returned object changes what #dump renders without going through #add_rule.
#
# @return [Array<String>] the live rule list
def rules
  @rules
end

Instance Method Details

#add_rule(rule) ⇒ Object



# File 'Library/Homebrew/sandbox.rb', line 168

# Serialises one rule hash into a parenthesised profile rule and stores it.
#
# The stored string has the shape
#   (ACTION OPERATION [(FILTER)] [(with MODIFIER)])
# ACTION is "allow" only when rule[:allow] is truthy; a missing, nil or false
# :allow yields "deny".
#
# Every field is interpolated as-is: nothing is quoted, escaped or validated
# here. A filter or modifier containing `"`, `)` or a newline therefore changes
# the structure of the generated profile, so callers that build these values
# from paths or other external input must validate them before calling.
#
# @param rule [Hash] :allow, :operation, and optionally :filter and :modifier
# @return [Array<String>] the profile's rule list, now ending with the new rule
def add_rule(rule)
  action = rule[:allow] ? "allow" : "deny"
  parts = ["#{action} #{rule[:operation]}"]
  parts << "(#{rule[:filter]})" if rule[:filter]
  parts << "(with #{rule[:modifier]})" if rule[:modifier]
  body = parts.join(" ")
  @rules << "(#{body})"
end

#dump ⇒ Object



# File 'Library/Homebrew/sandbox.rb', line 178

# Renders SEATBELT_ERB into the final profile text.
#
# The template is evaluated with this object's binding, so the `rules` call
# inside it resolves to this profile's rule list. Rule strings are placed in
# the output exactly as stored; no escaping is applied at this stage, so the
# result is only as well-formed as the rules that were added.
#
# @return [String] the complete profile text
def dump
  template = ERB.new(SEATBELT_ERB)
  template.result(binding)
end