Class: Sandbox::SandboxProfile Private

Inherits:
Object
Defined in:
Library/Homebrew/sandbox.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Configuration profile for a sandbox.

Constant Summary

SEATBELT_ERB =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

<<~ERB
  (version 1)
  (debug deny) ; log all denied operations to /var/log/system.log
  <%= rules.join("\n") %>
  (allow file-write*
      (literal "/dev/ptmx")
      (literal "/dev/dtracehelper")
      (literal "/dev/null")
      (literal "/dev/random")
      (literal "/dev/zero")
      (regex #"^/dev/fd/[0-9]+$")
      (regex #"^/dev/tty[a-z0-9]*$")
      )
  (deny file-write*) ; deny non-allowlist file write operations
  (allow process-exec
      (literal "/bin/ps")
      (with no-sandbox)
      ) ; allow certain processes running without sandbox
  (allow default) ; allow everything else
ERB