1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
require "erb"
require "tempfile"
class Sandbox
SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
def self.available?
OS.mac? && OS::Mac.version >= "10.6" && File.executable?(SANDBOX_EXEC)
end
def self.formula?(_formula)
return false unless available?
!ARGV.no_sandbox?
end
def self.test?
return false unless available?
!ARGV.no_sandbox?
end
def initialize
@profile = SandboxProfile.new
end
def record_log(file)
@logfile = file
end
def add_rule(rule)
@profile.add_rule(rule)
end
def allow_write(path, options = {})
add_rule allow: true, operation: "file-write*", filter: path_filter(path, options[:type])
end
def deny_write(path, options = {})
add_rule allow: false, operation: "file-write*", filter: path_filter(path, options[:type])
end
def allow_write_path(path)
allow_write path, type: :subpath
end
def deny_write_path(path)
deny_write path, type: :subpath
end
def allow_write_temp_and_cache
allow_write_path "/private/tmp"
allow_write_path "/private/var/tmp"
allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", type: :regex
allow_write_path HOMEBREW_TEMP
allow_write_path HOMEBREW_CACHE
end
def allow_write_cellar(formula)
allow_write_path formula.rack
allow_write_path formula.etc
allow_write_path formula.var
end
# Xcode projects expect access to certain cache/archive dirs.
def allow_write_xcode
allow_write_path "/Users/#{ENV["USER"]}/Library/Developer"
end
def allow_write_log(formula)
allow_write_path formula.logs
end
def deny_write_homebrew_repository
deny_write HOMEBREW_BREW_FILE
if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
deny_write_path HOMEBREW_REPOSITORY
else
deny_write_path HOMEBREW_LIBRARY
deny_write_path HOMEBREW_REPOSITORY/".git"
end
end
def exec(*args)
seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
seatbelt.write(@profile.dump)
seatbelt.close
@start = Time.now
safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
rescue
@failed = true
raise
ensure
seatbelt.unlink
sleep 0.1 # wait for a bit to let syslog catch up the latest events.
syslog_args = %W[
-F $((Time)(local))\ $(Sender)[$(PID)]:\ $(Message)
-k Time ge #{@start.to_i}
-k Message S deny
-k Sender kernel
-o
-k Time ge #{@start.to_i}
-k Message S deny
-k Sender sandboxd
]
logs = Utils.popen_read("syslog", *syslog_args)
# These messages are confusing and non-fatal, so don't report them.
logs = logs.lines.reject { |l| l.match(/^.*Python\(\d+\) deny file-write.*pyc$/) }.join
unless logs.empty?
if @logfile
log = open(@logfile, "w")
log.write logs
log.write "\nWe use time to filter sandbox log. Therefore, unrelated logs may be recorded.\n"
log.close
end
if @failed && ARGV.verbose?
ohai "Sandbox log"
puts logs
$stdout.flush # without it, brew test-bot would fail to catch the log
end
end
end
private
def expand_realpath(path)
raise unless path.absolute?
path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
end
def path_filter(path, type)
case type
when :regex then "regex \#\"#{path}\""
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""
end
end
class SandboxProfile
SEATBELT_ERB = <<~EOS.freeze
(version 1)
(debug deny) ; log all denied operations to /var/log/system.log
<%= rules.join("\n") %>
(allow file-write*
(literal "/dev/ptmx")
(literal "/dev/dtracehelper")
(literal "/dev/null")
(literal "/dev/random")
(literal "/dev/zero")
(regex #"^/dev/fd/[0-9]+$")
(regex #"^/dev/ttys?[0-9]*$")
)
(deny file-write*) ; deny non-whitelist file write operations
(allow process-exec
(literal "/bin/ps")
(with no-sandbox)
) ; allow certain processes running without sandbox
(allow default) ; allow everything else
EOS
attr_reader :rules
def initialize
@rules = []
end
def add_rule(rule)
s = "("
s << (rule[:allow] ? "allow" : "deny")
s << " #{rule[:operation]}"
s << " (#{rule[:filter]})" if rule[:filter]
s << " (with #{rule[:modifier]})" if rule[:modifier]
s << ")"
@rules << s
end
def dump
ERB.new(SEATBELT_ERB).result(binding)
end
end
end
|
