authorMike McQuaid2016-09-23 08:26:49 +0100
committerMike McQuaid2016-09-23 08:29:05 +0100
commit536c48e804407a99c9fe750ca31cd42c7c1fd55a (patch)
tree6cb748a9388ed5e3ba20cbf0b0e25e13f4cb3b36 /Library
parent5cf3838f4292f3c47bc6a66e6d532fa290bcc5e0 (diff)
sandbox: tweak HOMEBREW_REPOSITORY handling.
If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`.
Diffstat (limited to 'Library')
-rw-r--r--Library/Homebrew/cmd/postinstall.rb2
-rw-r--r--Library/Homebrew/sandbox.rb10
2 files changed, 8 insertions, 4 deletions
diff --git a/Library/Homebrew/cmd/postinstall.rb b/Library/Homebrew/cmd/postinstall.rb
index 71b71b3f5..e0bd8e31b 100644
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -36,7 +36,7 @@ module Homebrew
sandbox.allow_write_cellar(formula)
sandbox.allow_write_xcode
sandbox.allow_write_path HOMEBREW_PREFIX
- sandbox.deny_write_homebrew_library
+ sandbox.deny_write_homebrew_repository
sandbox.exec(*args)
else
exec(*args)
diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index a7fc99d4a..4d0709cb4 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -84,10 +84,14 @@ class Sandbox
allow_write_path formula.logs
end
- def deny_write_homebrew_library
- deny_write_path HOMEBREW_LIBRARY
- deny_write_path HOMEBREW_REPOSITORY/".git"
+ def deny_write_homebrew_repository
deny_write HOMEBREW_BREW_FILE
+ if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
+ deny_write_path HOMEBREW_REPOSITORY
+ else
+ deny_write_path HOMEBREW_LIBRARY
+ deny_write_path HOMEBREW_REPOSITORY/".git"
+ end
end
def exec(*args)
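Review bot: The `HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s` test in `deny_write_homebrew_repository` compares path spellings rather than directories, so a prefix reached through a symlink or written with a trailing slash would count as a mismatch even when both names point at the same tree. In that case the first branch denies writes to the whole repository, which is also the prefix that postinstall.rb has just opened with `allow_write_path HOMEBREW_PREFIX`; the result then depends on how the sandbox orders the two rules, which is not visible in this diff. If both constants are Pathnames (the `/".git"` call suggests so), comparing resolved paths would be more robust: `if HOMEBREW_PREFIX.realpath != HOMEBREW_REPOSITORY.realpath`. A short comment above the `else` branch would also help the next reader, e.g. `# Repository is the prefix itself: keep the prefix writable, protect only Library and .git`. The Sandbox class continues outside the hunk.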