From e31bf9cfb76dfcf1774ac2ccd29c07b7fb0302b4 Mon Sep 17 00:00:00 2001
From: Xu Cheng
Date: Mon, 13 Apr 2015 18:16:27 +0800
Subject: sandbox postinstall

Closes #38479.

Signed-off-by: Xu Cheng <xucheng@me.com>
---
 Library/Homebrew/cmd/postinstall.rb | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

(limited to 'Library/Homebrew/cmd')

diff --git a/Library/Homebrew/cmd/postinstall.rb b/Library/Homebrew/cmd/postinstall.rb
index 8e145d3fd..d677ecc1e 100644
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -1,5 +1,34 @@
+require "sandbox"
+
 module Homebrew
   def postinstall
-    ARGV.formulae.each { |f| f.run_post_install }
+    ARGV.formulae.each { |f| run_post_install(f) }
+  end
+
+  def run_post_install(formula)
+    args = %W[
+      nice #{RUBY_PATH}
+      -W0
+      -I #{HOMEBREW_LIBRARY_PATH}
+      --
+      #{HOMEBREW_LIBRARY_PATH}/postinstall.rb
+      #{formula.path}
+    ].concat(ARGV.options_only)
+
+    Utils.safe_fork do
+      if Sandbox.available? && ARGV.sandbox?
+        sandbox = Sandbox.new
+        sandbox.allow_write_temp_and_cache
+        sandbox.allow_write_log(formula)
+        sandbox.allow_write_cellar(formula)
+        sandbox.allow_write_path HOMEBREW_PREFIX
+        sandbox.deny_write_path HOMEBREW_LIBRARY
+        sandbox.deny_write_path HOMEBREW_REPOSITORY/".git"
+        sandbox.deny_write HOMEBREW_BREW_FILE
+        sandbox.exec(*args)
+      else
+        exec(*args)
+      end
+    end
   end
 end
-- 
cgit v1.2.3