sandbox postinstall

Closes #38479. Signed-off-by: Xu Cheng <xucheng@me.com>
author: Xu Cheng 2015-04-13 18:16:27 +0800
committer: Xu Cheng 2015-04-15 19:51:54 +0800
commit: e31bf9cfb76dfcf1774ac2ccd29c07b7fb0302b4 (patch)
tree: 7c62142079f21b3aeb03ec88155a8e610576d53b /Library/Homebrew/cmd
parent: 11d9e553c8c44e82e492f3f1df2f0b8f62a4633d (diff)
download: homebrew-e31bf9cfb76dfcf1774ac2ccd29c07b7fb0302b4.tar.bz2
1 files changed, 30 insertions, 1 deletions
diff --git a/Library/Homebrew/cmd/postinstall.rb b/Library/Homebrew/cmd/postinstall.rb
index 8e145d3fd..d677ecc1e 100644
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -1,5 +1,34 @@
+require "sandbox"
+
 module Homebrew
   def postinstall
-    ARGV.formulae.each { |f| f.run_post_install }
+    ARGV.formulae.each { |f| run_post_install(f) }
+  end
+
+  def run_post_install(formula)
+    args = %W[
+      nice #{RUBY_PATH}
+      -W0
+      -I #{HOMEBREW_LIBRARY_PATH}
+      --
+      #{HOMEBREW_LIBRARY_PATH}/postinstall.rb
+      #{formula.path}
+    ].concat(ARGV.options_only)
+
+    Utils.safe_fork do
+      if Sandbox.available? && ARGV.sandbox?
+        sandbox = Sandbox.new
+        sandbox.allow_write_temp_and_cache
+        sandbox.allow_write_log(formula)
+        sandbox.allow_write_cellar(formula)
+        sandbox.allow_write_path HOMEBREW_PREFIX
+        sandbox.deny_write_path HOMEBREW_LIBRARY
+        sandbox.deny_write_path HOMEBREW_REPOSITORY/".git"
+        sandbox.deny_write HOMEBREW_BREW_FILE
+        sandbox.exec(*args)
+      else
+        exec(*args)
+      end
+    end
   end
 end
author	Xu Cheng	2015-04-13 18:16:27 +0800
committer	Xu Cheng	2015-04-15 19:51:54 +0800
commit	e31bf9cfb76dfcf1774ac2ccd29c07b7fb0302b4 (patch)
tree	7c62142079f21b3aeb03ec88155a8e610576d53b /Library/Homebrew/cmd
parent	11d9e553c8c44e82e492f3f1df2f0b8f62a4633d (diff)
download	homebrew-e31bf9cfb76dfcf1774ac2ccd29c07b7fb0302b4.tar.bz2