1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
require "erb"
require "tempfile"
class Sandbox
SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
def self.available?
OS.mac? && File.executable?(SANDBOX_EXEC)
end
def initialize
@profile = SandboxProfile.new
end
def record_log(file)
@log = file
end
def add_rule(rule)
@profile.add_rule(rule)
end
def allow_write(path, options={})
add_rule :allow => true, :operation => "file-write*", :filter => path_filter(path, options[:type])
end
def deny_write(path, options={})
add_rule :allow => false, :operation => "file-write*", :filter => path_filter(path, options[:type])
end
def allow_write_path(path)
allow_write path, :type => :subpath
end
def deny_write_path(path)
deny_write path, :type => :subpath
end
def allow_write_temp_and_cache
allow_write_path "/private/tmp"
allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", :type => :regex
allow_write_path HOMEBREW_TEMP
allow_write_path HOMEBREW_CACHE
end
def allow_write_cellar(formula)
allow_write_path formula.rack
allow_write_path formula.etc
allow_write_path formula.var
end
def allow_write_log(formula)
allow_write_path formula.logs
end
def deny_write_homebrew_library
deny_write_path HOMEBREW_LIBRARY
deny_write_path HOMEBREW_REPOSITORY/".git"
deny_write HOMEBREW_BREW_FILE
end
def exec(*args)
begin
seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
seatbelt.write(@profile.dump)
seatbelt.close
@start = Time.now
safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
rescue
if ARGV.verbose?
ohai "Sandbox profile:"
puts @profile.dump
end
raise
ensure
seatbelt.unlink
unless @log.nil?
sleep 0.1 # wait for a bit to let syslog catch up the latest events.
syslog_args = %W[
-F '$((Time)(local))\ $(Sender)[$(PID)]:\ $Message'
-k Time ge #{@start.to_i.to_s}
-k Sender kernel
-o
-k Time ge #{@start.to_i.to_s}
-k Sender sandboxd
]
quiet_system "syslog #{syslog_args * " "} | grep deny > #{@log}"
end
end
end
private
def expand_realpath(path)
raise unless path.absolute?
path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
end
def path_filter(path, type)
case type
when :regex then "regex \#\"#{path}\""
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""
end
end
class SandboxProfile
SEATBELT_ERB = <<-EOS.undent
(version 1)
(debug deny) ; log all denied operations to /var/log/system.log
<%= rules.join("\n") %>
(allow file-write*
(literal "/dev/dtracehelper")
(literal "/dev/null")
(regex #"^/dev/fd/\\d+$")
(regex #"^/dev/tty\\d*$")
)
(deny file-write*) ; deny non-whitelist file write operations
(allow default) ; allow everything else
EOS
attr_reader :rules
def initialize
@rules = []
end
def add_rule(rule)
s = "("
s << (rule[:allow] ? "allow": "deny")
s << " #{rule[:operation]}"
s << " (#{rule[:filter]})" if rule[:filter]
s << " (with #{rule[:modifier]})" if rule[:modifier]
s << ")"
@rules << s
end
def dump
ERB.new(SEATBELT_ERB).result(binding)
end
end
end
|
