forked from ritthisakdi/homebrew
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsandbox.rb
182 lines (155 loc) · 4.58 KB
/
sandbox.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
require "erb"
require "tempfile"
class Sandbox
SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
def self.available?
OS.mac? && File.executable?(SANDBOX_EXEC)
end
# there are times the sandbox cannot be used.
def self.auto_disable?
@auto_disable ||= ARGV.interactive? || ARGV.debug?
end
def self.print_autodisable_warning
unless @printed_autodisable_warning
opoo "The sandbox cannot be used in debug or interactive mode."
@printed_autodisable_warning = true
end
end
def self.print_sandbox_message
unless @printed_sandbox_message
ohai "Using the sandbox"
@printed_sandbox_message = true
end
end
def initialize
@profile = SandboxProfile.new
end
def record_log(file)
@logfile = file
end
def add_rule(rule)
@profile.add_rule(rule)
end
def allow_write(path, options = {})
add_rule :allow => true, :operation => "file-write*", :filter => path_filter(path, options[:type])
end
def deny_write(path, options = {})
add_rule :allow => false, :operation => "file-write*", :filter => path_filter(path, options[:type])
end
def allow_write_path(path)
allow_write path, :type => :subpath
end
def deny_write_path(path)
deny_write path, :type => :subpath
end
def allow_write_temp_and_cache
allow_write_path "/private/tmp"
allow_write_path "/private/var/tmp"
allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", :type => :regex
allow_write_path HOMEBREW_TEMP
allow_write_path HOMEBREW_CACHE
end
def allow_write_cellar(formula)
allow_write_path formula.rack
allow_write_path formula.etc
allow_write_path formula.var
end
# Xcode projects expect access to certain cache/archive dirs.
def allow_write_xcode
allow_write_path "/Users/#{ENV["USER"]}/Library/Developer/Xcode/DerivedData/"
end
def allow_write_log(formula)
allow_write_path formula.logs
end
def deny_write_homebrew_library
deny_write_path HOMEBREW_LIBRARY
deny_write_path HOMEBREW_REPOSITORY/".git"
deny_write HOMEBREW_BREW_FILE
end
def exec(*args)
seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
seatbelt.write(@profile.dump)
seatbelt.close
@start = Time.now
safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
rescue
@failed = true
raise
ensure
seatbelt.unlink
sleep 0.1 # wait for a bit to let syslog catch up the latest events.
syslog_args = %W[
-F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)
-k Time ge #{@start.to_i}
-k Message S deny
-k Sender kernel
-o
-k Time ge #{@start.to_i}
-k Message S deny
-k Sender sandboxd
]
logs = Utils.popen_read("syslog", *syslog_args)
unless logs.empty?
if @logfile
log = open(@logfile, "w")
log.write logs
log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
log.close
end
if @failed && ARGV.verbose?
ohai "Sandbox log"
puts logs
$stdout.flush # without it, brew test-bot would fail to catch the log
end
end
end
private
def expand_realpath(path)
raise unless path.absolute?
path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
end
def path_filter(path, type)
case type
when :regex then "regex \#\"#{path}\""
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""
end
end
class SandboxProfile
SEATBELT_ERB = <<-EOS.undent
(version 1)
(debug deny) ; log all denied operations to /var/log/system.log
<%= rules.join("\n") %>
(allow file-write*
(literal "/dev/ptmx")
(literal "/dev/dtracehelper")
(literal "/dev/null")
(literal "/dev/zero")
(regex #"^/dev/fd/[0-9]+$")
(regex #"^/dev/ttys?[0-9]*$")
)
(deny file-write*) ; deny non-whitelist file write operations
(allow process-exec
(literal "/bin/ps")
(with no-sandbox)
) ; allow certain processes running without sandbox
(allow default) ; allow everything else
EOS
attr_reader :rules
def initialize
@rules = []
end
def add_rule(rule)
s = "("
s << (rule[:allow] ? "allow": "deny")
s << " #{rule[:operation]}"
s << " (#{rule[:filter]})" if rule[:filter]
s << " (with #{rule[:modifier]})" if rule[:modifier]
s << ")"
@rules << s
end
def dump
ERB.new(SEATBELT_ERB).result(binding)
end
end
end