1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
require "erb"
require "tempfile"
class Sandbox
SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
def self.available?
OS.mac? && File.executable?(SANDBOX_EXEC)
end
def initialize
@profile = SandboxProfile.new
end
def add_rule(rule)
@profile.add_rule(rule)
end
def allow_write(path, options={})
add_rule :allow => true, :operation => "file-write*", :filter => path_filter(path, options[:type])
end
def deny_write(path, options={})
add_rule :allow => false, :operation => "file-write*", :filter => path_filter(path, options[:type])
end
def allow_write_path(path)
allow_write path, :type => :subpath
end
def deny_write_path(path)
deny_write path, :type => :subpath
end
def allow_write_temp_and_cache
allow_write_path "/private/tmp"
allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", :type => :regex
allow_write_path HOMEBREW_TEMP
allow_write_path HOMEBREW_CACHE
end
def allow_write_cellar(formula)
allow_write_path formula.rack
allow_write_path formula.etc
allow_write_path formula.var
end
def allow_write_log(formula)
allow_write_path HOMEBREW_LOGS/formula.name
end
def exec(*args)
begin
seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
seatbelt.write(@profile.dump)
seatbelt.close
safe_system SANDBOX_EXEC, "-f", seatbelt.path, *args
rescue
if ARGV.verbose?
ohai "Sandbox profile:"
puts @profile.dump
end
raise
ensure
seatbelt.unlink
end
end
private
def expand_realpath(path)
raise unless path.absolute?
path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
end
def path_filter(path, type)
case type
when :regex then "regex \#\"#{path}\""
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
when :literal, nil then "literal \"#{expand_realpath(Pathname.new(path))}\""
end
end
class SandboxProfile
SEATBELT_ERB = <<-EOS.undent
(version 1)
(debug deny) ; log all denied operations to /var/log/system.log
<%= rules.join("\n") %>
(allow file-write*
(literal "/dev/dtracehelper")
(literal "/dev/null")
(regex #"^/dev/fd/\\d+$")
(regex #"^/dev/tty\\d*$")
)
(deny file-write*) ; deny non-whitelist file write operations
(allow default) ; allow everything else
EOS
attr_reader :rules
def initialize
@rules = []
end
def add_rule(rule)
s = "("
s << (rule[:allow] ? "allow": "deny")
s << " #{rule[:operation]}"
s << " (#{rule[:filter]})" if rule[:filter]
s << " (with #{rule[:modifier]})" if rule[:modifier]
s << ")"
@rules << s
end
def dump
ERB.new(SEATBELT_ERB).result(binding)
end
end
end
|
