Class: Sandbox Private

Inherits:

Object

• Object
• Sandbox

Includes:

OS::Linux::Sandbox, OS::Mac::Sandbox, Utils::Output::Mixin

Defined in:

sandbox.rb

Overview

This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.

Helper class for running a sub-process inside of a sandboxed environment.

Class Method Summary

• .available? ⇒ Boolean private
• .configuration_command_messages ⇒ Array<String> private
• .configuration_commands ⇒ Array<String> private
• .configure! ⇒ void private
• .ensure_sandbox_installed!(install_from_tests: false) ⇒ void private
• .executable ⇒ Pathname^? private
• .executable! ⇒ Pathname private
• .executable_candidate_paths ⇒ ::PATH private
• .executable_name ⇒ String private
• .executable_usable?(_candidate) ⇒ Boolean private
• .failure_reason ⇒ String^? private
• .reset_state! ⇒ void private
• .state ⇒ Symbol private
• .terminal_ioctl_request ⇒ Integer private

Instance Method Summary

• #add_rule(allow:, operation:, filter: nil, modifier: nil) ⇒ void private
• #allow_cvs ⇒ void private
• #allow_fossil ⇒ void private
• #allow_network(path:, type: :literal) ⇒ void private
• #allow_read(path:, type: :literal) ⇒ void private
• #allow_read_if_exists(path:, type: :literal) ⇒ void private
• #allow_write(path:, type: :literal) ⇒ void private
• #allow_write_cellar(formula) ⇒ void private
• #allow_write_log(formula) ⇒ void private
• #allow_write_path(path) ⇒ void private
• #allow_write_path_if_exists(path) ⇒ void private
• #allow_write_temp_and_cache ⇒ void private
• #allow_write_xcode ⇒ void private
• #deny_all_network ⇒ void private
• #deny_read(path:, type: :literal) ⇒ void private
• #deny_read_home ⇒ void private
• #deny_read_path(path) ⇒ void private
• #deny_write(path:, type: :literal) ⇒ void private
• #deny_write_homebrew_repository ⇒ void private
• #deny_write_path(path) ⇒ void private
• #initialize ⇒ void constructor private
• #path_filter(path, type) ⇒ SandboxPathFilter private
• #record_log(file) ⇒ void private
• #run(*args) ⇒ void private

Methods included from Utils::Output::Mixin

#issue_reporting_message, #odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #opoo_without_github_actions_annotation, #pretty_deprecated, #pretty_disabled, #pretty_duration, #pretty_install_status, #pretty_installed, #pretty_outdated, #pretty_uninstalled, #pretty_upgradable

Methods included from OS::Linux::Sandbox

bubblewrap_candidate_paths, bubblewrap_executable, bubblewrap_executable!

Constructor Details

#initialize ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'sandbox.rb', line 154

def initialize
  @profile = T.let(SandboxProfile.new, SandboxProfile)
  @failed = T.let(false, T::Boolean)
  @logfile = T.let(nil, T.nilable(T.any(String, Pathname)))
  @start = T.let(nil, T.nilable(Time))
end

Class Method Details

.available? ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Boolean)

# File 'sandbox.rb', line 73

def self.available?
  false
end

.configuration_command_messages ⇒ Array<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Array<String>)

# File 'sandbox.rb', line 99

def self.configuration_command_messages = []

.configuration_commands ⇒ Array<String>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Array<String>)

# File 'sandbox.rb', line 96

def self.configuration_commands = []

.configure! ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 102

def self.configure!
  ensure_sandbox_installed!
  reset_state!
end

.ensure_sandbox_installed!(install_from_tests: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• install_from_tests (Boolean) (defaults to: false)

# File 'sandbox.rb', line 78

def self.ensure_sandbox_installed!(install_from_tests: false); end

.executable ⇒ Pathname^?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Pathname, nil)

# File 'sandbox.rb', line 121

def self.executable
  executable_candidate_paths.each do |path|
    begin
      candidate = Pathname.new(File.expand_path(executable_name, path))
    rescue ArgumentError
      next
    end

    next if !candidate.file? || !candidate.executable?
    next unless executable_usable?(candidate)

    return candidate
  end

  nil
end

.executable! ⇒ Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Pathname)

# File 'sandbox.rb', line 139

def self.executable!
  executable || raise("#{executable_name} is required to use the sandbox.")
end

.executable_candidate_paths ⇒ ::PATH

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (::PATH)

# File 'sandbox.rb', line 113

def self.executable_candidate_paths
  executable_path = Pathname.new(executable_name)
  return PATH.new(executable_path.dirname) if executable_path.absolute?

  PATH.new(ORIGINAL_PATHS, ENV.fetch("PATH"), HOMEBREW_ORIGINAL_BREW_FILE.dirname)
end

.executable_name ⇒ String

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (String)

Raises:

• (NotImplementedError)

# File 'sandbox.rb', line 108

def self.executable_name
  raise NotImplementedError, "Sandbox is not implemented for this OS."
end

.executable_usable?(_candidate) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• _candidate (Pathname)

Returns:

• (Boolean)

# File 'sandbox.rb', line 144

def self.executable_usable?(_candidate)
  true
end

.failure_reason ⇒ String^?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (String, nil)

# File 'sandbox.rb', line 86

def self.failure_reason
  return if state == :available

  "The sandbox is not available."
end

.reset_state! ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 93

def self.reset_state!; end

.state ⇒ Symbol

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Symbol)

# File 'sandbox.rb', line 81

def self.state
  available? ? :available : :unavailable
end

.terminal_ioctl_request ⇒ Integer

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Integer)

Raises:

• (NotImplementedError)

# File 'sandbox.rb', line 149

def self.terminal_ioctl_request
  raise NotImplementedError, "Sandbox is not implemented for this OS."
end

Instance Method Details

#add_rule(allow:, operation:, filter: nil, modifier: nil) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• allow (Boolean)
• operation (String)
• filter (SandboxPathFilter, nil) (defaults to: nil)
• modifier (String, nil) (defaults to: nil)

# File 'sandbox.rb', line 170

def add_rule(allow:, operation:, filter: nil, modifier: nil)
  rule = SandboxRule.new(allow:, operation:, filter:, modifier:)
  @profile.add_rule(rule)
end

#allow_cvs ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 282

def allow_cvs
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.cvspass"
end

#allow_fossil ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 287

def allow_fossil
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil"
  allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.fossil-journal"
end

#allow_network(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 319

def allow_network(path:, type: :literal)
  add_rule allow: true, operation: "network*", filter: path_filter(path, type)
end

#allow_read(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 176

def allow_read(path:, type: :literal)
  add_rule allow: true, operation: "file-read*", filter: path_filter(path, type)
end

#allow_read_if_exists(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname, nil)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 238

def allow_read_if_exists(path:, type: :literal)
  return unless path
  return unless File.exist?(path)

  allow_read path:, type:
end

#allow_write(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 246

def allow_write(path:, type: :literal)
  add_rule allow: true, operation: "file-write*", filter: path_filter(path, type)
  add_rule allow: true, operation: "file-write-setugid", filter: path_filter(path, type)
  add_rule allow: true, operation: "file-write-mode", filter: path_filter(path, type)
end

#allow_write_cellar(formula) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• formula (Formula)

# File 'sandbox.rb', line 293

def allow_write_cellar(formula)
  allow_write_path formula.rack
  allow_write_path formula.etc
  allow_write_path formula.var
end

#allow_write_log(formula) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• formula (Formula)

# File 'sandbox.rb', line 303

def allow_write_log(formula)
  allow_write_path formula.logs
end

#allow_write_path(path) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)

# File 'sandbox.rb', line 258

def allow_write_path(path)
  allow_write path:, type: :subpath
end

#allow_write_path_if_exists(path) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname, nil)

# File 'sandbox.rb', line 263

def allow_write_path_if_exists(path)
  return unless path
  return unless File.exist?(path)

  allow_write_path path
end

#allow_write_temp_and_cache ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 276

def allow_write_temp_and_cache
  allow_write_path HOMEBREW_TEMP
  allow_write_path HOMEBREW_CACHE
end

#allow_write_xcode ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 300

def allow_write_xcode; end

#deny_all_network ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 324

def deny_all_network
  add_rule allow: false, operation: "network*"
end

#deny_read(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 181

def deny_read(path:, type: :literal)
  add_rule allow: false, operation: "file-read*", filter: path_filter(path, type)
end

#deny_read_home ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 191

def deny_read_home
  home = Pathname(Dir.home(ENV.fetch("USER"))).realpath
  if [
    HOMEBREW_PREFIX,
    HOMEBREW_REPOSITORY,
    HOMEBREW_CACHE,
    HOMEBREW_TEMP,
    ENV.fetch("GITHUB_WORKSPACE", nil),
    ENV.fetch("RUNNER_WORKSPACE", nil),
    ENV.fetch("RUNNER_TEMP", nil),
  ].compact.any? do |path|
    path = Pathname(path)
    [path.expand_path, path.exist? ? path.realpath : nil].compact.any? { |pathname| pathname.ascend.include?(home) }
  end
    [
      ".ssh",
      ".aws",
      ".azure",
      ".config/gcloud",
      ".docker",
      ".gnupg",
      ".kube",
      ".netrc",
      ".npmrc",
      ".pypirc",
      ".gem/credentials",
      "Documents",
      "Movies",
      "Music",
      "Pictures",
      "Library/Keychains",
      "Library/Mobile Documents",
      "Library/CloudStorage",
      "Dropbox",
      "Google Drive",
      "OneDrive",
    ].each do |path|
      path = home/path
      deny_read_path path if path.exist?
    end
    return
  end

  deny_read_path home
end

#deny_read_path(path) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)

# File 'sandbox.rb', line 186

def deny_read_path(path)
  deny_read path:, type: :subpath
end

#deny_write(path:, type: :literal) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)
• type (Symbol) (defaults to: :literal)

# File 'sandbox.rb', line 253

def deny_write(path:, type: :literal)
  add_rule allow: false, operation: "file-write*", filter: path_filter(path, type)
end

#deny_write_homebrew_repository ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

# File 'sandbox.rb', line 308

def deny_write_homebrew_repository
  deny_write path: HOMEBREW_ORIGINAL_BREW_FILE
  if HOMEBREW_PREFIX.to_s == HOMEBREW_REPOSITORY.to_s
    deny_write_path HOMEBREW_LIBRARY
    deny_write_path HOMEBREW_REPOSITORY/".git"
  else
    deny_write_path HOMEBREW_REPOSITORY
  end
end

#deny_write_path(path) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• path (String, Pathname)

# File 'sandbox.rb', line 271

def deny_write_path(path)
  deny_write path:, type: :subpath
end

#path_filter(path, type) ⇒ SandboxPathFilter

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• path (String, Pathname)
• type (Symbol)

Returns:

• (SandboxPathFilter)

Raises:

• (ArgumentError)

# File 'sandbox.rb', line 426

def path_filter(path, type)
  invalid_char = ['"', "'", "(", ")", "\n", "\\"].find do |c|
    path.to_s.include?(c)
  end
  raise ArgumentError, "Invalid character '#{invalid_char}' in path: #{path}" if invalid_char

  filter_path = case type
  when :regex   then path.to_s
  when :subpath, :literal
    expand_realpath(Pathname.new(path)).to_s
  else raise ArgumentError, "Invalid path filter type: #{type}"
  end

  SandboxPathFilter.new(path: filter_path, type:)
end

#record_log(file) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• file (String, Pathname)

# File 'sandbox.rb', line 162

def record_log(file)
  @logfile = file
end

#run(*args) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• args (String, Pathname)

# File 'sandbox.rb', line 329

def run(*args)
  Dir.mktmpdir("homebrew-sandbox", HOMEBREW_TEMP) do |tmpdir|
    allow_network path: File.join(tmpdir, "socket"), type: :literal if allow_network_for_error_pipe?
    @start = T.let(Time.now, T.nilable(Time))

    begin
      command = sandbox_command(args, tmpdir)
      # Start sandbox in a pseudoterminal to prevent access of the parent terminal.
      PTY.open do |controller, worker|
        # Set the PTY's window size to match the parent terminal.
        # Some formula tests are sensitive to the terminal size and fail if this is not set.
        winch = proc do |_sig|
          controller.winsize = if $stdout.tty?
            # We can only use IO#winsize if the IO object is a TTY.
            $stdout.winsize
          else
            # Otherwise, default to tput, if available.
            # This relies on ncurses rather than the system's ioctl.
            [Utils.popen_read("tput", "lines").to_i, Utils.popen_read("tput", "cols").to_i]
          end
        end

        write_to_pty = proc do
          # Don't hang if stdin is not able to be used - throw EIO instead.
          old_ttin = trap(:TTIN, "IGNORE")

          # Update the window size whenever the parent terminal's window size changes.
          old_winch = trap(:WINCH, &winch)
          winch.call(nil)

          stdin_thread = Thread.new do
            IO.copy_stream($stdin, controller)
          rescue Errno::EIO
            # stdin is unavailable - move on.
          end

          stdout_thread = Thread.new do
            controller.each_char { |c| print(c) }
          end

          Utils.safe_fork(directory: tmpdir, yield_parent: true) do |error_pipe|
            if error_pipe
              # Child side
              Process.setsid
              controller.close
              worker.ioctl(self.class.terminal_ioctl_request, 0) # Make this the controlling terminal.

              ensure_child_tty_available

              # Move into a non-denied directory before `exec` so subsequent
              # `getcwd(3)` calls (which walk every parent) never cross a
              # `deny_read_home` path inherited from the caller's CWD.
              Dir.chdir(tmpdir)

              worker.close_on_exec = true
              exec(*command, in: worker, out: worker, err: worker) # And map everything to the PTY.
            else
              # Parent side
              worker.close
            end
          end
        rescue ChildProcessError => e
          raise ErrorDuringExecution.new(command, status: e.status)
        ensure
          stdin_thread&.kill
          stdout_thread&.kill
          trap(:TTIN, old_ttin)
          trap(:WINCH, old_winch)
        end

        if $stdin.tty?
          # If stdin is a TTY, use io.raw to set stdin to a raw, passthrough
          # mode while we copy the input/output of the process spawned in the
          # PTY. After we've finished copying to/from the PTY process, io.raw
          # will restore the stdin TTY to its original state.
          begin
            # Ignore SIGTTOU as setting raw mode will hang if the process is in the background.
            old_ttou = trap(:TTOU, "IGNORE")
            $stdin.raw(&write_to_pty)
          ensure
            trap(:TTOU, old_ttou)
          end
        else
          write_to_pty.call
        end
      end
    rescue
      @failed = true
      raise
    ensure
      record_sandbox_log
    end
  end
end