Module: OS::Linux::Sandbox::ClassMethods Private

Extended by:
T::Helpers
Includes:
SystemCommand::Mixin, Utils::Output::Mixin
Defined in:
extend/os/linux/sandbox.rb

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Instance Method Summary collapse

Methods included from Utils::Output::Mixin

#issue_reporting_message, #odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #opoo_without_github_actions_annotation, #pretty_deprecated, #pretty_disabled, #pretty_duration, #pretty_install_status, #pretty_installed, #pretty_uninstalled, #pretty_unmarked, #pretty_upgradable, #pretty_warning

Methods included from SystemCommand::Mixin

#system_command, #system_command!

Instance Method Details

#available?Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

  • (Boolean)


196
197
198
# File 'extend/os/linux/sandbox.rb', line 196

def available?
  state == :available
end

#bubblewrap_candidate_paths::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



151
152
153
# File 'extend/os/linux/sandbox.rb', line 151

def bubblewrap_candidate_paths
  executable_candidate_paths
end

#bubblewrap_executable::Pathname?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



156
157
158
# File 'extend/os/linux/sandbox.rb', line 156

def bubblewrap_executable
  executable
end

#bubblewrap_executable!::Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



161
162
163
# File 'extend/os/linux/sandbox.rb', line 161

def bubblewrap_executable!
  bubblewrap_executable || raise("Bubblewrap is required to use the Linux sandbox.")
end

#configuration_command_messagesArray<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



236
237
238
239
240
241
242
243
244
# File 'extend/os/linux/sandbox.rb', line 236

def configuration_command_messages
  commands = configuration_commands
  SANDBOX_SYSCTL_SETTINGS.each_with_index.flat_map do |setting, index|
    [
      "  #{commands.fetch(index)}",
      *setting.description.map { |line| "    #{line}" },
    ]
  end
end

#configuration_commandsArray<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



227
228
229
230
231
232
233
# File 'extend/os/linux/sandbox.rb', line 227

def configuration_commands
  SANDBOX_SYSCTL_SETTINGS.map do |setting|
    command = "sudo sysctl -w #{setting.assignment}"
    command += " || true" if setting.optional
    command
  end
end

#configure!void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.



247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
# File 'extend/os/linux/sandbox.rb', line 247

def configure!
  unless bubblewrap_executable
    ensure_sandbox_installed!(install_from_tests: true)
    unless bubblewrap_executable
      reset_state!
      return
    end
  end

  ohai "Configuring Bubblewrap..."
  command = [HOMEBREW_BREW_FILE.to_s, "setup-sandbox"]
  command.unshift("sudo") unless Process.euid.zero?
  raise ErrorDuringExecution.new(command, status: $CHILD_STATUS || 1) unless system(*command)

  reset_state!
end

#ensure_sandbox_installed!(install_from_tests: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

  • install_from_tests (Boolean) (defaults to: false)


166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
# File 'extend/os/linux/sandbox.rb', line 166

def ensure_sandbox_installed!(install_from_tests: false)
  return unless Homebrew::EnvConfig.sandbox_linux?
  return if ENV["HOMEBREW_TESTS"] && !install_from_tests
  return if ENV["HOMEBREW_INSTALLING_BUBBLEWRAP"]
  return if bubblewrap_executable

  begin
    require "exceptions"
    require "formula"
    with_env(HOMEBREW_INSTALLING_BUBBLEWRAP: "1") do
      ::Formula["bubblewrap"].ensure_installed!(reason: "Linux sandboxing")
    end
    reset_state!
    return if bubblewrap_executable
  rescue ::FormulaUnavailableError
    nil
  end

  return unless GitHub::Actions.env_set?
  return unless ENV.fetch("HOMEBREW_GITHUB_HOSTED_RUNNER", nil)
  return unless which("apt-get")

  ohai "Installing Bubblewrap..."
  command = ["apt-get", "install", "--yes", "bubblewrap"]
  command.unshift("sudo") unless Process.euid.zero?
  system(*command)
  reset_state!
end

#executable_candidate_paths::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



146
147
148
# File 'extend/os/linux/sandbox.rb', line 146

def executable_candidate_paths
  PATH.new(HOMEBREW_BUBBLEWRAP_PATHS, system_bubblewrap_paths, super)
end

#executable_nameString

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



131
132
133
# File 'extend/os/linux/sandbox.rb', line 131

def executable_name
  BUBBLEWRAP
end

#executable_usable?(candidate) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean)


136
137
138
# File 'extend/os/linux/sandbox.rb', line 136

def executable_usable?(candidate)
  !File.stat(candidate).setuid?
end

#failure_reasonString?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
# File 'extend/os/linux/sandbox.rb', line 265

def failure_reason
  case state
  when :disabled, :available
    nil
  when :missing
    "Bubblewrap is required to use the Linux sandbox but was not found."
  when :setuid
    "A rootless Bubblewrap executable is required to use the Linux sandbox, " \
    "but all found `bwrap` executables are setuid."
  when :unavailable
    "Bubblewrap is installed but cannot create a rootless sandbox."
  else
    "The Linux sandbox is not available."
  end
end

#nested_sandbox?Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Bubblewrap reports this specific namespace error when an outer Bubblewrap sandbox prevents Homebrew from creating another rootless sandbox. The shared avoid_nested_sandboxing? only calls this once the $HOMEBREW_AVOID_NESTED_SANDBOXING opt-in is set.

Returns:

  • (Boolean)


205
206
207
208
209
210
211
212
# File 'extend/os/linux/sandbox.rb', line 205

def nested_sandbox?
  return false unless Homebrew::EnvConfig.sandbox_linux?

  bubblewrap = bubblewrap_executable
  return false unless bubblewrap

  Utils.popen_read(bubblewrap.to_s, *BUBBLEWRAP_TEST_ARGS, err: :out).include?(NESTED_BUBBLEWRAP_ERROR)
end

#reset_state!void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.



222
223
224
# File 'extend/os/linux/sandbox.rb', line 222

def reset_state!
  @state = T.let(nil, T.nilable(Symbol))
end

#sandbox_install_commandString?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



282
283
284
# File 'extend/os/linux/sandbox.rb', line 282

def sandbox_install_command
  BUBBLEWRAP_INSTALL_COMMANDS.find { |package_manager, _| which(package_manager) }&.last
end

#stateSymbol

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



215
216
217
218
219
# File 'extend/os/linux/sandbox.rb', line 215

def state
  return :disabled unless Homebrew::EnvConfig.sandbox_linux?

  @state ||= T.let(compute_state, T.nilable(Symbol))
end

#system_bubblewrap_pathsArray<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



141
142
143
# File 'extend/os/linux/sandbox.rb', line 141

def system_bubblewrap_paths
  SYSTEM_BUBBLEWRAP_PATHS
end

#terminal_ioctl_requestInteger

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

ioctl request used to attach the sandboxed child to a controlling TTY.

Returns:



288
289
290
# File 'extend/os/linux/sandbox.rb', line 288

def terminal_ioctl_request
  TIOCSCTTY
end