Module: OS::Linux::Sandbox::ClassMethods Private

Extended by:

T::Helpers

Defined in:

extend/os/linux/sandbox.rb

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Instance Method Summary

• #available? ⇒ Boolean private
• #bubblewrap_candidate_paths ⇒ ::PATH private
• #bubblewrap_executable ⇒ ::Pathname^? private
• #bubblewrap_executable! ⇒ ::Pathname private
• #ensure_sandbox_installed! ⇒ void private
• #executable_candidate_paths ⇒ ::PATH private
• #executable_name ⇒ String private
• #executable_usable?(candidate) ⇒ Boolean private
• #system_bubblewrap_paths ⇒ Array<String> private
• #terminal_ioctl_request ⇒ Integer private

  ioctl request used to attach the sandboxed child to a controlling TTY.

Instance Method Details

#available? ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Boolean)

# File 'extend/os/linux/sandbox.rb', line 132

def available?
  return false unless Homebrew::EnvConfig.sandbox_linux?
  return false unless (bubblewrap = executable)

  system(
    bubblewrap.to_s,
    "--unshare-user",
    "--unshare-ipc",
    "--unshare-pid",
    "--unshare-uts",
    "--unshare-cgroup-try",
    "--ro-bind", "/", "/",
    "--proc", "/proc",
    "--dev", "/dev",
    "true",
    out: File::NULL,
    err: File::NULL
  ) == true
end

#bubblewrap_candidate_paths ⇒ ::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::PATH)

# File 'extend/os/linux/sandbox.rb', line 97

def bubblewrap_candidate_paths
  executable_candidate_paths
end

#bubblewrap_executable ⇒ ::Pathname^?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::Pathname, nil)

# File 'extend/os/linux/sandbox.rb', line 102

def bubblewrap_executable
  executable
end

#bubblewrap_executable! ⇒ ::Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::Pathname)

# File 'extend/os/linux/sandbox.rb', line 107

def bubblewrap_executable!
  bubblewrap_executable || raise("Bubblewrap is required to use the Linux sandbox.")
end

#ensure_sandbox_installed! ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'extend/os/linux/sandbox.rb', line 112

def ensure_sandbox_installed!
  return unless Homebrew::EnvConfig.sandbox_linux?
  # Never trigger a real install during `brew tests`.
  return if ENV["HOMEBREW_TESTS"]
  return if ENV["HOMEBREW_INSTALLING_BUBBLEWRAP"]
  return if bubblewrap_executable

  require "tap"
  return unless ::CoreTap.instance.installed?

  require "exceptions"
  require "formula"
  with_env(HOMEBREW_INSTALLING_BUBBLEWRAP: "1") do
    ::Formula["bubblewrap"].ensure_installed!(reason: "Linux sandboxing")
  end
rescue ::FormulaUnavailableError
  nil
end

#executable_candidate_paths ⇒ ::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::PATH)

# File 'extend/os/linux/sandbox.rb', line 92

def executable_candidate_paths
  PATH.new(system_bubblewrap_paths, super)
end

#executable_name ⇒ String

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (String)

# File 'extend/os/linux/sandbox.rb', line 77

def executable_name
  BUBBLEWRAP
end

#executable_usable?(candidate) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• candidate (::Pathname)

Returns:

• (Boolean)

# File 'extend/os/linux/sandbox.rb', line 82

def executable_usable?(candidate)
  !File.stat(candidate).setuid?
end

#system_bubblewrap_paths ⇒ Array<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Array<String>)

# File 'extend/os/linux/sandbox.rb', line 87

def system_bubblewrap_paths
  SYSTEM_BUBBLEWRAP_PATHS
end

#terminal_ioctl_request ⇒ Integer

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

ioctl request used to attach the sandboxed child to a controlling TTY.

Returns:

• (Integer)

# File 'extend/os/linux/sandbox.rb', line 154

def terminal_ioctl_request
  TIOCSCTTY
end