sandbox: permit /var/tmp & DerivedData

Long term it would be nice to sandbox everything that writes to DerivedData
but it is essentially a cache directory of sorts.

The downside of allowing stuff to write there particularly is that DerivedData
is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using
installations very quickly, you can chew your disk space up.

Closes Homebrew/homebrew#43276.

Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com>

2 files changed, 2 insertions, 0 deletions

diff --git a/Library/Homebrew/cmd/postinstall.rb b/Library/Homebrew/cmd/postinstall.rb
index 1fdf7f67e..dc402ec4b 100644
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -31,6 +31,7 @@ module Homebrew
         sandbox.allow_write_temp_and_cache
         sandbox.allow_write_log(formula)
         sandbox.allow_write_cellar(formula)
+        sandbox.allow_write_xcode
         sandbox.allow_write_path HOMEBREW_PREFIX
         sandbox.deny_write_homebrew_library
         sandbox.exec(*args)
diff --git a/Library/Homebrew/cmd/test.rb b/Library/Homebrew/cmd/test.rb
index fd3c7c4e6..4dc3c4058 100644
--- a/Library/Homebrew/cmd/test.rb
+++ b/Library/Homebrew/cmd/test.rb
@@ -49,6 +49,7 @@ module Homebrew
             sandbox.record_log(f.logs/"sandbox.test.log")
             sandbox.allow_write_temp_and_cache
             sandbox.allow_write_log(f)
+            sandbox.allow_write_xcode
             sandbox.exec(*args)
           else
             exec(*args)