Module: OS::Linux::Sandbox::ClassMethods Private

Extended by:

T::Helpers

Includes:

Utils::Output::Mixin

Defined in:

extend/os/linux/sandbox.rb

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Instance Method Summary

• #available? ⇒ Boolean private
• #bubblewrap_candidate_paths ⇒ ::PATH private
• #bubblewrap_executable ⇒ ::Pathname^? private
• #bubblewrap_executable! ⇒ ::Pathname private
• #configuration_command_messages ⇒ Array<String> private
• #configuration_commands ⇒ Array<String> private
• #configure! ⇒ void private
• #ensure_sandbox_installed!(install_from_tests: false) ⇒ void private
• #executable_candidate_paths ⇒ ::PATH private
• #executable_name ⇒ String private
• #executable_usable?(candidate) ⇒ Boolean private
• #failure_reason ⇒ String^? private
• #reset_state! ⇒ void private
• #state ⇒ Symbol private
• #system_bubblewrap_paths ⇒ Array<String> private
• #terminal_ioctl_request ⇒ Integer private

  ioctl request used to attach the sandboxed child to a controlling TTY.

Methods included from Utils::Output::Mixin

#issue_reporting_message, #odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #opoo_without_github_actions_annotation, #pretty_deprecated, #pretty_disabled, #pretty_duration, #pretty_install_status, #pretty_installed, #pretty_outdated, #pretty_uninstalled, #pretty_upgradable

Instance Method Details

#available? ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Boolean)

# File 'extend/os/linux/sandbox.rb', line 178

def available?
  state == :available
end

#bubblewrap_candidate_paths ⇒ ::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::PATH)

# File 'extend/os/linux/sandbox.rb', line 133

def bubblewrap_candidate_paths
  executable_candidate_paths
end

#bubblewrap_executable ⇒ ::Pathname^?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::Pathname, nil)

# File 'extend/os/linux/sandbox.rb', line 138

def bubblewrap_executable
  executable
end

#bubblewrap_executable! ⇒ ::Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::Pathname)

# File 'extend/os/linux/sandbox.rb', line 143

def bubblewrap_executable!
  bubblewrap_executable || raise("Bubblewrap is required to use the Linux sandbox.")
end

#configuration_command_messages ⇒ Array<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Array<String>)

# File 'extend/os/linux/sandbox.rb', line 204

def configuration_command_messages
  commands = configuration_commands
  SANDBOX_SYSCTL_SETTINGS.each_with_index.flat_map do |setting, index|
    [
      "  #{commands.fetch(index)}",
      *setting.description.map { |line| "    #{line}" },
    ]
  end
end

#configuration_commands ⇒ Array<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Array<String>)

# File 'extend/os/linux/sandbox.rb', line 195

def configuration_commands
  SANDBOX_SYSCTL_SETTINGS.map do |setting|
    command = "sudo sysctl -w #{setting.assignment}"
    command += " || true" if setting.optional
    command
  end
end

#configure! ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'extend/os/linux/sandbox.rb', line 215

def configure!
  unless bubblewrap_executable
    ensure_sandbox_installed!(install_from_tests: true)
    unless bubblewrap_executable
      reset_state!
      return
    end
  end

  ohai "Configuring Bubblewrap..."
  SANDBOX_SYSCTL_SETTINGS.each do |setting|
    command = ["sudo", "sysctl", "-w", setting.assignment]
    puts "  #{command.join(" ")}"
    next if system(*command)
    next if setting.optional

    raise ErrorDuringExecution.new(command, status: $CHILD_STATUS)
  end
  reset_state!
end

#ensure_sandbox_installed!(install_from_tests: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• install_from_tests (Boolean) (defaults to: false)

# File 'extend/os/linux/sandbox.rb', line 148

def ensure_sandbox_installed!(install_from_tests: false)
  return unless Homebrew::EnvConfig.sandbox_linux?
  return if ENV["HOMEBREW_TESTS"] && !install_from_tests
  return if ENV["HOMEBREW_INSTALLING_BUBBLEWRAP"]
  return if bubblewrap_executable

  begin
    require "exceptions"
    require "formula"
    with_env(HOMEBREW_INSTALLING_BUBBLEWRAP: "1") do
      ::Formula["bubblewrap"].ensure_installed!(reason: "Linux sandboxing")
    end
    reset_state!
    return if bubblewrap_executable
  rescue ::FormulaUnavailableError
    nil
  end

  return unless GitHub::Actions.env_set?
  return unless ENV.fetch("HOMEBREW_GITHUB_HOSTED_RUNNER", nil)
  return unless which("apt-get")

  ohai "Installing Bubblewrap..."
  command = ["apt-get", "install", "--yes", "bubblewrap"]
  command.unshift("sudo") unless Process.euid.zero?
  system(*command)
  reset_state!
end

#executable_candidate_paths ⇒ ::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::PATH)

# File 'extend/os/linux/sandbox.rb', line 128

def executable_candidate_paths
  PATH.new(HOMEBREW_BUBBLEWRAP_PATHS, system_bubblewrap_paths, super)
end

#executable_name ⇒ String

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (String)

# File 'extend/os/linux/sandbox.rb', line 113

def executable_name
  BUBBLEWRAP
end

#executable_usable?(candidate) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• candidate (::Pathname)

Returns:

• (Boolean)

# File 'extend/os/linux/sandbox.rb', line 118

def executable_usable?(candidate)
  !File.stat(candidate).setuid?
end

#failure_reason ⇒ String^?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (String, nil)

# File 'extend/os/linux/sandbox.rb', line 237

def failure_reason
  case state
  when :disabled, :available
    nil
  when :missing
    "Bubblewrap is required to use the Linux sandbox but was not found."
  when :setuid
    "A rootless Bubblewrap executable is required to use the Linux sandbox, " \
    "but all found `bwrap` executables are setuid."
  when :unavailable
    "Bubblewrap is installed but cannot create a rootless sandbox."
  else
    "The Linux sandbox is not available."
  end
end

#reset_state! ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'extend/os/linux/sandbox.rb', line 190

def reset_state!
  @state = T.let(nil, T.nilable(Symbol))
end

#state ⇒ Symbol

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Symbol)

# File 'extend/os/linux/sandbox.rb', line 183

def state
  return :disabled unless Homebrew::EnvConfig.sandbox_linux?

  @state ||= T.let(compute_state, T.nilable(Symbol))
end

#system_bubblewrap_paths ⇒ Array<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Array<String>)

# File 'extend/os/linux/sandbox.rb', line 123

def system_bubblewrap_paths
  SYSTEM_BUBBLEWRAP_PATHS
end

#terminal_ioctl_request ⇒ Integer

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

ioctl request used to attach the sandboxed child to a controlling TTY.

Returns:

• (Integer)

# File 'extend/os/linux/sandbox.rb', line 255

def terminal_ioctl_request
  TIOCSCTTY
end