Add deny_signal method
Moisan committed Jul 15, 2024
1 parent 7bf5b70 commit 1e38b8c
Showing 3 changed files with 11 additions and 1 deletion.
1 change: 1 addition & 0 deletions Library/Homebrew/formula.rb
Expand Up @@ -33,6 +33,7 @@
require "extend/on_system"
require "api"
require "extend/api_hashable"
require "sandbox"

# A formula provides instructions and metadata for Homebrew to install a piece
# of software. Every Homebrew formula is a {Formula}.
1 change: 1 addition & 0 deletions Library/Homebrew/formula_installer.rb
Expand Up @@ -943,6 +943,7 @@ def build
sandbox.allow_fossil
sandbox.allow_write_xcode
sandbox.allow_write_cellar(formula)
sandbox.deny_signal(formula)
sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:build)
sandbox.exec(*args)
else
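Review bot: `sandbox.deny_signal(formula)` is wired only into `build` here, and the commit touches no other sandbox call site, so any other phase that runs under `Sandbox` would still be able to signal other processes. If the rule is meant as a baseline restriction, add the call wherever else a sandbox is configured, or state in the commit message why only the build step needs it. A smaller point on the same line: the call reads as an unconditional deny, but it does nothing for a formula that opts in to `:allow_signal`, which a short comment at the call site would make clear.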
10 changes: 9 additions & 1 deletion Library/Homebrew/sandbox.rb
Expand Up @@ -11,7 +11,7 @@ class Sandbox
SANDBOX_EXEC = "/usr/bin/sandbox-exec"
private_constant :SANDBOX_EXEC

SANDBOX_REDUCTIONS = [:allow_write_to_temp].freeze
SANDBOX_REDUCTIONS = [:allow_write_to_temp, :allow_signal].freeze

sig { returns(T::Boolean) }
def self.available?
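Review bot: `:allow_signal` is added to `SANDBOX_REDUCTIONS` with no comment on what a formula gains by opting in. Every entry in this list weakens the sandbox for the formula that requests it, so document beside the constant that `:allow_signal` skips the `signal` deny rule for `target others`, and add a test covering both the default case and the opted-in case.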
Expand Down Expand Up @@ -68,6 +68,14 @@ def allow_write_temp_and_cache(formula = nil)
allow_write_path HOMEBREW_CACHE
end

sig { params(formula: T.nilable(Formula)).void }
def deny_signal(formula = nil)
puts "deny_signal: #{formula&.reduced_sandbox&.include?(:allow_signal)}"
unless formula&.reduced_sandbox&.include?(:allow_signal)
add_rule allow: false, operation: "signal", filter: "target others"
end
end

sig { void }
def allow_cvs
allow_write_path "#{Dir.home(ENV.fetch("USER"))}/.cvspass"
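Review bot: the `puts "deny_signal: ..."` line at the top of `deny_signal` looks like leftover debugging; it prints on every sandboxed build and should be removed before this lands. The method also has no doc comment, unlike a security rule of this kind deserves: say which processes `filter: "target others"` covers, and whether a build that signals its own child processes is expected to keep working under it. The `unless ... end` wrapper around a single `add_rule` would read more simply as a guard clause, `return if formula&.reduced_sandbox&.include?(:allow_signal)`.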