Module: OS::Linux::Sandbox::ClassMethods Private

Extended by:
T::Helpers
Includes:
Utils::Output::Mixin
Defined in:
extend/os/linux/sandbox.rb

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Instance Method Summary collapse

Methods included from Utils::Output::Mixin

#issue_reporting_message, #odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #opoo_without_github_actions_annotation, #pretty_deprecated, #pretty_disabled, #pretty_duration, #pretty_install_status, #pretty_installed, #pretty_uninstalled, #pretty_upgradable

Instance Method Details

#available?Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

  • (Boolean) 


190
191
192
 
# File 'extend/os/linux/sandbox.rb', line 190

def available?
  state == :available
end

#bubblewrap_candidate_paths::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



145
146
147
 
# File 'extend/os/linux/sandbox.rb', line 145

def bubblewrap_candidate_paths
  executable_candidate_paths
end

#bubblewrap_executable::Pathname?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



150
151
152
 
# File 'extend/os/linux/sandbox.rb', line 150

def bubblewrap_executable
  executable
end

#bubblewrap_executable!::Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



155
156
157
 
# File 'extend/os/linux/sandbox.rb', line 155

def bubblewrap_executable!
  bubblewrap_executable || raise("Bubblewrap is required to use the Linux sandbox.")
end

#configuration_command_messagesArray<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



216
217
218
219
220
221
222
223
224
 
# File 'extend/os/linux/sandbox.rb', line 216

def configuration_command_messages
  commands = configuration_commands
  SANDBOX_SYSCTL_SETTINGS.each_with_index.flat_map do |setting, index|
    [
      "  #{commands.fetch(index)}",
      *setting.description.map { |line| "    #{line}" },
    ]
  end
end

#configuration_commandsArray<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



207
208
209
210
211
212
213
 
# File 'extend/os/linux/sandbox.rb', line 207

def configuration_commands
  SANDBOX_SYSCTL_SETTINGS.map do |setting|
    command = "sudo sysctl -w #{setting.assignment}"
    command += " || true" if setting.optional
    command
  end
end

#configure!void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Raises:



227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
 
# File 'extend/os/linux/sandbox.rb', line 227

def configure!
  unless bubblewrap_executable
    ensure_sandbox_installed!(install_from_tests: true)
    unless bubblewrap_executable
      reset_state!
      return
    end
  end

  ohai "Configuring Bubblewrap..."
  command = [HOMEBREW_BREW_FILE, "setup-sandbox"]
  command.unshift("sudo") unless Process.euid.zero?
  raise ErrorDuringExecution.new(command, status: $CHILD_STATUS || 1) unless system(*command)

  reset_state!
end

#ensure_sandbox_installed!(install_from_tests: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

  • install_from_tests (Boolean) (defaults to: false) 


160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
 
# File 'extend/os/linux/sandbox.rb', line 160

def ensure_sandbox_installed!(install_from_tests: false)
  return unless Homebrew::EnvConfig.sandbox_linux?
  return if ENV["HOMEBREW_TESTS"] && !install_from_tests
  return if ENV["HOMEBREW_INSTALLING_BUBBLEWRAP"]
  return if bubblewrap_executable

  begin
    require "exceptions"
    require "formula"
    with_env(HOMEBREW_INSTALLING_BUBBLEWRAP: "1") do
      ::Formula["bubblewrap"].ensure_installed!(reason: "Linux sandboxing")
    end
    reset_state!
    return if bubblewrap_executable
  rescue ::FormulaUnavailableError
    nil
  end

  return unless GitHub::Actions.env_set?
  return unless ENV.fetch("HOMEBREW_GITHUB_HOSTED_RUNNER", nil)
  return unless which("apt-get")

  ohai "Installing Bubblewrap..."
  command = ["apt-get", "install", "--yes", "bubblewrap"]
  command.unshift("sudo") unless Process.euid.zero?
  system(*command)
  reset_state!
end

#executable_candidate_paths::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



140
141
142
 
# File 'extend/os/linux/sandbox.rb', line 140

def executable_candidate_paths
  PATH.new(HOMEBREW_BUBBLEWRAP_PATHS, system_bubblewrap_paths, super)
end

#executable_nameString

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



125
126
127
 
# File 'extend/os/linux/sandbox.rb', line 125

def executable_name
  BUBBLEWRAP
end

#executable_usable?(candidate) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean) 


130
131
132
 
# File 'extend/os/linux/sandbox.rb', line 130

def executable_usable?(candidate)
  !File.stat(candidate).setuid?
end

#failure_reasonString?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
 
# File 'extend/os/linux/sandbox.rb', line 245

def failure_reason
  case state
  when :disabled, :available
    nil
  when :missing
    "Bubblewrap is required to use the Linux sandbox but was not found."
  when :setuid
    "A rootless Bubblewrap executable is required to use the Linux sandbox, " \
    "but all found `bwrap` executables are setuid."
  when :unavailable
    "Bubblewrap is installed but cannot create a rootless sandbox."
  else
    "The Linux sandbox is not available."
  end
end

#reset_state!void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.



202
203
204
 
# File 'extend/os/linux/sandbox.rb', line 202

def reset_state!
  @state = T.let(nil, T.nilable(Symbol))
end

#sandbox_install_commandString?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



262
263
264
 
# File 'extend/os/linux/sandbox.rb', line 262

def sandbox_install_command
  BUBBLEWRAP_INSTALL_COMMANDS.find { |package_manager, _| which(package_manager) }&.last
end

#stateSymbol

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



195
196
197
198
199
 
# File 'extend/os/linux/sandbox.rb', line 195

def state
  return :disabled unless Homebrew::EnvConfig.sandbox_linux?

  @state ||= T.let(compute_state, T.nilable(Symbol))
end

#system_bubblewrap_pathsArray<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



135
136
137
 
# File 'extend/os/linux/sandbox.rb', line 135

def system_bubblewrap_paths
  SYSTEM_BUBBLEWRAP_PATHS
end

#terminal_ioctl_requestInteger

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

ioctl request used to attach the sandboxed child to a controlling TTY.

Returns:



268
269
270
 
# File 'extend/os/linux/sandbox.rb', line 268

def terminal_ioctl_request
  TIOCSCTTY
end