Skip to content

Enable sandbox by default for homebrew/core #713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MikeMcQuaid merged 5 commits into from
Aug 17, 2016
Merged

Enable sandbox by default for homebrew/core #713

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
fed9638
sandbox: add test? method.
MikeMcQuaid Aug 14, 2016
ca3e4fc
cmd/test: use Sandbox.test?
MikeMcQuaid Aug 14, 2016
6e887fb
sandbox: add formula? method and sandbox core.
MikeMcQuaid Aug 14, 2016
6375adc
formula_installer: use Sandbox.formula? method.
MikeMcQuaid Aug 14, 2016
c615195
cmd/postinstall: use Sandbox.formula? method.
MikeMcQuaid Aug 14, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 2 additions & 4 deletions Library/Homebrew/cmd/postinstall.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,10 @@ def run_post_install(formula)
args << "--devel"
end

if Sandbox.available? && ARGV.sandbox?
Sandbox.print_sandbox_message
end
Sandbox.print_sandbox_message if Sandbox.formula?(formula)

Utils.safe_fork do
if Sandbox.available? && ARGV.sandbox?
if Sandbox.formula?(formula)
sandbox = Sandbox.new
formula.logs.mkpath
sandbox.record_log(formula.logs/"sandbox.postinstall.log")
Expand Down
6 changes: 2 additions & 4 deletions Library/Homebrew/cmd/test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,12 +57,10 @@ def test
args << "--devel"
end

if Sandbox.available? && !ARGV.no_sandbox?
Sandbox.print_sandbox_message
end
Sandbox.print_sandbox_message if Sandbox.test?

Utils.safe_fork do
if Sandbox.available? && !ARGV.no_sandbox?
if Sandbox.test?
sandbox = Sandbox.new
f.logs.mkpath
sandbox.record_log(f.logs/"sandbox.test.log")
Expand Down
6 changes: 2 additions & 4 deletions Library/Homebrew/formula_installer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -588,15 +588,13 @@ def build
#{formula.path}
].concat(build_argv)

if Sandbox.available? && ARGV.sandbox?
Sandbox.print_sandbox_message
end
Sandbox.print_sandbox_message if Sandbox.formula?(formula)

Utils.safe_fork do
# Invalidate the current sudo timestamp in case a build script calls sudo
system "/usr/bin/sudo", "-k"

if Sandbox.available? && ARGV.sandbox?
if Sandbox.formula?(formula)
sandbox = Sandbox.new
formula.logs.mkpath
sandbox.record_log(formula.logs/"sandbox.build.log")
Expand Down
13 changes: 13 additions & 0 deletions Library/Homebrew/sandbox.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,24 @@

class Sandbox
SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
SANDBOXED_TAPS = [
"homebrew/core",
].freeze

def self.available?
OS.mac? && File.executable?(SANDBOX_EXEC)
end

def self.formula?(formula)
return false unless available?
ARGV.sandbox? || SANDBOXED_TAPS.include?(formula.tap.to_s)
end

def self.test?
return false unless available?
!ARGV.no_sandbox?
end

def self.print_sandbox_message
unless @printed_sandbox_message
ohai "Using the sandbox"
Expand Down
22 changes: 22 additions & 0 deletions Library/Homebrew/test/test_sandbox.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,28 @@ def teardown
@dir.rmtree
end

def test_formula?
f = formula { url "foo-1.0" }
f2 = formula { url "bar-1.0" }
f2.stubs(:tap).returns(Tap.fetch("test/tap"))

ARGV.stubs(:sandbox?).returns true
assert Sandbox.formula?(f),
"Formulae should be sandboxed if --sandbox was passed."

ARGV.stubs(:sandbox?).returns false
assert Sandbox.formula?(f),
"Formulae should be sandboxed if in a sandboxed tap."
refute Sandbox.formula?(f2),
"Formulae should not be sandboxed if not in a sandboxed tap."
end

def test_test?
ARGV.stubs(:no_sandbox?).returns false
assert Sandbox.test?,
"Tests should be sandboxed unless --no-sandbox was passed."
end

def test_allow_write
@sandbox.allow_write @file
@sandbox.exec "touch", @file
Expand Down