Module: OS::Linux::Sandbox::ClassMethods Private
- Extended by:
- T::Helpers
- Includes:
- SystemCommand::Mixin, Utils::Output::Mixin
- Defined in:
- extend/os/linux/sandbox.rb
This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.
Instance Method Summary collapse
- #available? ⇒ Boolean private
- #bubblewrap_candidate_paths ⇒ ::PATH private
- #bubblewrap_executable ⇒ ::Pathname? private
- #bubblewrap_executable! ⇒ ::Pathname private
- #configuration_command_messages ⇒ Array<String> private
- #configuration_commands ⇒ Array<String> private
- #configure! ⇒ void private
- #ensure_sandbox_installed!(install_from_tests: false) ⇒ void private
- #executable_candidate_paths ⇒ ::PATH private
- #executable_name ⇒ String private
- #executable_usable?(candidate) ⇒ Boolean private
- #failure_reason ⇒ String? private
-
#nested_sandbox? ⇒ Boolean
private
Bubblewrap reports this specific namespace error when an outer Bubblewrap sandbox prevents Homebrew from creating another rootless sandbox.
- #reset_state! ⇒ void private
- #sandbox_install_command ⇒ String? private
- #state ⇒ Symbol private
- #system_bubblewrap_paths ⇒ Array<String> private
-
#terminal_ioctl_request ⇒ Integer
private
ioctlrequest used to attach the sandboxed child to a controlling TTY.
Methods included from Utils::Output::Mixin
#issue_reporting_message, #odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #opoo_without_github_actions_annotation, #pretty_deprecated, #pretty_disabled, #pretty_duration, #pretty_install_status, #pretty_installed, #pretty_uninstalled, #pretty_unmarked, #pretty_upgradable, #pretty_warning
Methods included from SystemCommand::Mixin
#system_command, #system_command!
Instance Method Details
#available? ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
196 197 198 |
# File 'extend/os/linux/sandbox.rb', line 196 def available? state == :available end |
#bubblewrap_candidate_paths ⇒ ::PATH
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
151 152 153 |
# File 'extend/os/linux/sandbox.rb', line 151 def bubblewrap_candidate_paths executable_candidate_paths end |
#bubblewrap_executable ⇒ ::Pathname?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
156 157 158 |
# File 'extend/os/linux/sandbox.rb', line 156 def bubblewrap_executable executable end |
#bubblewrap_executable! ⇒ ::Pathname
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
161 162 163 |
# File 'extend/os/linux/sandbox.rb', line 161 def bubblewrap_executable! bubblewrap_executable || raise("Bubblewrap is required to use the Linux sandbox.") end |
#configuration_command_messages ⇒ Array<String>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
236 237 238 239 240 241 242 243 244 |
# File 'extend/os/linux/sandbox.rb', line 236 def commands = configuration_commands SANDBOX_SYSCTL_SETTINGS.each_with_index.flat_map do |setting, index| [ " #{commands.fetch(index)}", *setting.description.map { |line| " #{line}" }, ] end end |
#configuration_commands ⇒ Array<String>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
227 228 229 230 231 232 233 |
# File 'extend/os/linux/sandbox.rb', line 227 def configuration_commands SANDBOX_SYSCTL_SETTINGS.map do |setting| command = "sudo sysctl -w #{setting.assignment}" command += " || true" if setting.optional command end end |
#configure! ⇒ void
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
This method returns an undefined value.
247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 |
# File 'extend/os/linux/sandbox.rb', line 247 def configure! unless bubblewrap_executable ensure_sandbox_installed!(install_from_tests: true) unless bubblewrap_executable reset_state! return end end ohai "Configuring Bubblewrap..." command = [HOMEBREW_BREW_FILE.to_s, "setup-sandbox"] command.unshift("sudo") unless Process.euid.zero? raise ErrorDuringExecution.new(command, status: $CHILD_STATUS || 1) unless system(*command) reset_state! end |
#ensure_sandbox_installed!(install_from_tests: false) ⇒ void
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
This method returns an undefined value.
166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 |
# File 'extend/os/linux/sandbox.rb', line 166 def ensure_sandbox_installed!(install_from_tests: false) return unless Homebrew::EnvConfig.sandbox_linux? return if ENV["HOMEBREW_TESTS"] && !install_from_tests return if ENV["HOMEBREW_INSTALLING_BUBBLEWRAP"] return if bubblewrap_executable begin require "exceptions" require "formula" with_env(HOMEBREW_INSTALLING_BUBBLEWRAP: "1") do ::Formula["bubblewrap"].ensure_installed!(reason: "Linux sandboxing") end reset_state! return if bubblewrap_executable rescue ::FormulaUnavailableError nil end return unless GitHub::Actions.env_set? return unless ENV.fetch("HOMEBREW_GITHUB_HOSTED_RUNNER", nil) return unless which("apt-get") ohai "Installing Bubblewrap..." command = ["apt-get", "install", "--yes", "bubblewrap"] command.unshift("sudo") unless Process.euid.zero? system(*command) reset_state! end |
#executable_candidate_paths ⇒ ::PATH
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
146 147 148 |
# File 'extend/os/linux/sandbox.rb', line 146 def executable_candidate_paths PATH.new(HOMEBREW_BUBBLEWRAP_PATHS, system_bubblewrap_paths, super) end |
#executable_name ⇒ String
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
131 132 133 |
# File 'extend/os/linux/sandbox.rb', line 131 def executable_name BUBBLEWRAP end |
#executable_usable?(candidate) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
136 137 138 |
# File 'extend/os/linux/sandbox.rb', line 136 def executable_usable?(candidate) !File.stat(candidate).setuid? end |
#failure_reason ⇒ String?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 |
# File 'extend/os/linux/sandbox.rb', line 265 def failure_reason case state when :disabled, :available nil when :missing "Bubblewrap is required to use the Linux sandbox but was not found." when :setuid "A rootless Bubblewrap executable is required to use the Linux sandbox, " \ "but all found `bwrap` executables are setuid." when :unavailable "Bubblewrap is installed but cannot create a rootless sandbox." else "The Linux sandbox is not available." end end |
#nested_sandbox? ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
Bubblewrap reports this specific namespace error when an outer
Bubblewrap sandbox prevents Homebrew from creating another rootless
sandbox. The shared avoid_nested_sandboxing? only calls this once the
$HOMEBREW_AVOID_NESTED_SANDBOXING opt-in is set.
205 206 207 208 209 210 211 212 |
# File 'extend/os/linux/sandbox.rb', line 205 def nested_sandbox? return false unless Homebrew::EnvConfig.sandbox_linux? bubblewrap = bubblewrap_executable return false unless bubblewrap Utils.popen_read(bubblewrap.to_s, *BUBBLEWRAP_TEST_ARGS, err: :out).include?(NESTED_BUBBLEWRAP_ERROR) end |
#reset_state! ⇒ void
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
This method returns an undefined value.
222 223 224 |
# File 'extend/os/linux/sandbox.rb', line 222 def reset_state! @state = T.let(nil, T.nilable(Symbol)) end |
#sandbox_install_command ⇒ String?
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
282 283 284 |
# File 'extend/os/linux/sandbox.rb', line 282 def sandbox_install_command BUBBLEWRAP_INSTALL_COMMANDS.find { |package_manager, _| which(package_manager) }&.last end |
#state ⇒ Symbol
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
215 216 217 218 219 |
# File 'extend/os/linux/sandbox.rb', line 215 def state return :disabled unless Homebrew::EnvConfig.sandbox_linux? @state ||= T.let(compute_state, T.nilable(Symbol)) end |
#system_bubblewrap_paths ⇒ Array<String>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
141 142 143 |
# File 'extend/os/linux/sandbox.rb', line 141 def system_bubblewrap_paths SYSTEM_BUBBLEWRAP_PATHS end |
#terminal_ioctl_request ⇒ Integer
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
ioctl request used to attach the sandboxed child to a controlling TTY.
288 289 290 |
# File 'extend/os/linux/sandbox.rb', line 288 def terminal_ioctl_request TIOCSCTTY end |