| Age | Commit message (Collapse) | Author |
|---|
|
|
|
If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the
default) then we can block access to the whole of HOMEBREW_REPOSITORY
rather than just the HOMEBREW_LIBRARY and `.git`.
|
|
It doesn't really need to be as tight as it is currently, certainly outside brew
you can write to here without any special privileges beside being the user,
and being so can tight can cause issues on clean systems or systems where
Xcode hasn't been used before as exposed by https://github.com/Homebrew/homebrew-core/issues/4892.
Closes https://github.com/Homebrew/homebrew-core/issues/4892.
|
|
|
|
|
|
|
|
|
|
|
|
But remove some manual `.freeze`s on constants that shouldn't be
constants.
|
|
Although `sandbox-exec` is available in 10.5, it has very limit
support on the DSL for sandbox profile file(.sb file). Therefore,
sandbox for Homebrew on 10.5 is broken.
Closes #735.
Signed-off-by: Xu Cheng <git@xuc.me>
|
|
|
|
Add a new `Sandbox.formula?` method to see if a given formula should be
sandboxed. Use the formula to check its tap against a list of
pre-approved taps where we know every formula builds under the sandbox
(currently just homebrew/core).
|
|
Simplify checking if we’re going to sandbox a test with `Sandbox.test?`.
|
|
These are never fatal and often confusing.
Fixes #683.
|
|
Also enables sandbox for --interactive and --debug use of install
and test, using automatic retention.
Closes #66.
Signed-off-by: Andrew Janke <andrew@apjanke.net>
|
|
|
|
|
|
* use syslog filter instead of grep.
* output sandbox log to stdout when verbose and failed.
* output nothing if sandbox log is empty.
Closes Homebrew/homebrew#43325.
Signed-off-by: Xu Cheng <xucheng@me.com>
|
|
Closes Homebrew/homebrew#43344.
|
|
Long term it would be nice to sandbox everything that writes to DerivedData
but it is essentially a cache directory of sorts.
The downside of allowing stuff to write there particularly is that DerivedData
is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using
installations very quickly, you can chew your disk space up.
Closes Homebrew/homebrew#43276.
Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com>
|
|
|
|
Closes Homebrew/homebrew#42354.
Signed-off-by: Mike McQuaid <mike@mikemcquaid.com>
|
|
Closes Homebrew/homebrew#42293.
Signed-off-by: Xu Cheng <xucheng@me.com>
|
|
Closes Homebrew/homebrew#38792.
Signed-off-by: Xu Cheng <xucheng@me.com>
|
|
1. `script` (used to fake the tty) requires write access to /dev/ptmx
and /dev/ttys*
2. sandbox profile only accepts `[0-9]` instead of `\d`.
|
|
|
|
|
|
Closes Homebrew/homebrew#38711.
Signed-off-by: Xu Cheng <xucheng@me.com>
|
|
|
|
Closes Homebrew/homebrew#38361.
Signed-off-by: Xu Cheng <xucheng@me.com>
|
