sandbox: add formula? method and sandbox core.

Add a new `Sandbox.formula?` method to see if a given formula should be
sandboxed. Use the formula to check its tap against a list of
pre-approved taps where we know every formula builds under the sandbox
(currently just homebrew/core).

2 files changed, 24 insertions, 0 deletions

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index c299d2f45..133bdb83c 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -3,11 +3,19 @@ require "tempfile"
 
 class Sandbox
   SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
+  SANDBOXED_TAPS = [
+    "homebrew/core",
+  ].freeze
 
   def self.available?
     OS.mac? && File.executable?(SANDBOX_EXEC)
   end
 
+  def self.formula?(formula)
+    return false unless available?
+    ARGV.sandbox? || SANDBOXED_TAPS.include?(formula.tap.to_s)
+  end
+
   def self.test?
     return false unless available?
     !ARGV.no_sandbox?
diff --git a/Library/Homebrew/test/test_sandbox.rb b/Library/Homebrew/test/test_sandbox.rb
index de60551d1..cb33c3ffa 100644
--- a/Library/Homebrew/test/test_sandbox.rb
+++ b/Library/Homebrew/test/test_sandbox.rb
@@ -13,6 +13,22 @@ class SandboxTest < Homebrew::TestCase
     @dir.rmtree
   end
 
+  def test_formula?
+    f = formula { url "foo-1.0" }
+    f2 = formula { url "bar-1.0" }
+    f2.stubs(:tap).returns(Tap.fetch("test/tap"))
+
+    ARGV.stubs(:sandbox?).returns true
+    assert Sandbox.formula?(f),
+      "Formulae should be sandboxed if --sandbox was passed."
+
+    ARGV.stubs(:sandbox?).returns false
+    assert Sandbox.formula?(f),
+      "Formulae should be sandboxed if in a sandboxed tap."
+    refute Sandbox.formula?(f2),
+        "Formulae should not be sandboxed if not in a sandboxed tap."
+  end
+
   def test_test?
     ARGV.stubs(:no_sandbox?).returns false
     assert Sandbox.test?,