sandbox postinstall

Closes Homebrew/homebrew#38479. Signed-off-by: Xu Cheng <xucheng@me.com>
author: Xu Cheng 2015-04-13 18:16:27 +0800
committer: Xu Cheng 2015-04-15 19:51:54 +0800
commit: d1617e86d0ab3c9ee4742c9be1dd913b50b716fd (patch)
tree: e23633a0cc11973b419108f0b14444cc9f278534 /Library/Homebrew/cmd
parent: b621edf89dba704f7165fff0f0311f9e0c05bc34 (diff)
download: brew-d1617e86d0ab3c9ee4742c9be1dd913b50b716fd.tar.bz2
1 files changed, 30 insertions, 1 deletions
diff --git a/Library/Homebrew/cmd/postinstall.rb b/Library/Homebrew/cmd/postinstall.rb
index 8e145d3fd..d677ecc1e 100644
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -1,5 +1,34 @@
+require "sandbox"
+
 module Homebrew
   def postinstall
-    ARGV.formulae.each { |f| f.run_post_install }
+    ARGV.formulae.each { |f| run_post_install(f) }
+  end
+
+  def run_post_install(formula)
+    args = %W[
+      nice #{RUBY_PATH}
+      -W0
+      -I #{HOMEBREW_LIBRARY_PATH}
+      --
+      #{HOMEBREW_LIBRARY_PATH}/postinstall.rb
+      #{formula.path}
+    ].concat(ARGV.options_only)
+
+    Utils.safe_fork do
+      if Sandbox.available? && ARGV.sandbox?
+        sandbox = Sandbox.new
+        sandbox.allow_write_temp_and_cache
+        sandbox.allow_write_log(formula)
+        sandbox.allow_write_cellar(formula)
+        sandbox.allow_write_path HOMEBREW_PREFIX
+        sandbox.deny_write_path HOMEBREW_LIBRARY
+        sandbox.deny_write_path HOMEBREW_REPOSITORY/".git"
+        sandbox.deny_write HOMEBREW_BREW_FILE
+        sandbox.exec(*args)
+      else
+        exec(*args)
+      end
+    end
   end
 end
author	Xu Cheng	2015-04-13 18:16:27 +0800
committer	Xu Cheng	2015-04-15 19:51:54 +0800
commit	d1617e86d0ab3c9ee4742c9be1dd913b50b716fd (patch)
tree	e23633a0cc11973b419108f0b14444cc9f278534 /Library/Homebrew/cmd
parent	b621edf89dba704f7165fff0f0311f9e0c05bc34 (diff)
download	brew-d1617e86d0ab3c9ee4742c9be1dd913b50b716fd.tar.bz2