New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sandbox: deny read access to HOMEBREW_PREFIX/{bin,include,lib} #2970
Conversation
a08e9dc
to
21c1d44
Compare
LGTM, but you probably won't find the breakages until you rebuild everything. |
Tried a few random things. First breakage I caught:
|
Also, it somehow needs to exempt stdenv I think. |
stdenv is still a thing? Wow. |
@zmwangx yeah, the test blocks and anything depending on |
Isn't the |
@DomT4 it is when it works. Not so much, when it doesn't. See Homebrew/homebrew-core#15910, and #2173 as already mentioned. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is super awesome 👏 👍 🎉
@@ -162,6 +162,11 @@ class SandboxProfile | |||
(regex #"^/dev/ttys?[0-9]*$") | |||
) | |||
(deny file-write*) ; deny non-whitelist file write operations | |||
(deny file-read* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably want this in a def deny_write_homebrew_something
method and then make it conditional on an environment variable being set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could also use HOMEBREW_PREFIX/"lib"
, etc in that method rather than hardcoding /usr/local
, if desired.
@@ -167,7 +167,7 @@ def determine_isystem_paths | |||
end | |||
|
|||
def determine_include_paths | |||
PATH.new(keg_only_deps.map(&:opt_include)).existing | |||
PATH.new(deps.map(&:opt_include)).existing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably want this conditional on an environment variable being set
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the same environment variable as in #2970 (comment)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aye.
@@ -176,8 +176,7 @@ def homebrew_extra_library_paths | |||
|
|||
def determine_library_paths | |||
PATH.new( | |||
keg_only_deps.map(&:opt_lib), | |||
HOMEBREW_PREFIX/"lib", | |||
deps.map(&:opt_lib), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably want this conditional on an environment variable being set
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aye.
@@ -162,6 +162,11 @@ class SandboxProfile | |||
(regex #"^/dev/ttys?[0-9]*$") | |||
) | |||
(deny file-write*) ; deny non-whitelist file write operations | |||
(deny file-read* | |||
(regex #"^/usr/local/bin.*$") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth having a trailing /
before .*$
? Worth handling sbin
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trailing /
still lets you see in the directory.
sbin
probably
@ilovezfs Fair enough. Just seemed a strange mix of tools to achieve the goal, but I'm rarely one to object to expanding a sandbox 😉. You've already fixed something I was going to point out & Mike has suggested a couple others, so, I'll be quiet for now 😄. |
@RandomDSdevel Basically: unfortunately this PR isn't going to be something that we're ever going to be able to roll out to users. |
@MikeMcQuaid: OK, but can you refresh my memory on where that was pointed out? I can't seem to find why at the moment, at least in this discussion thread…though maybe I'm overlooking something obvious…? 🤷♂️ |
@RandomDSdevel It was not a public conversation I'm afraid. |
@MikeMcQuaid: Oh. Sorry to bother you about it, then. |
brew tests
with your changes locally?See discussion in #2173.