formula_installer: conditionally deny network access in sandbox

Homebrew · Apr 23, 2024 · a3cfff7 · a3cfff7
1 parent aac156c
commit a3cfff7
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 2 deletions.
diff --git a/Library/Homebrew/formula_installer.rb b/Library/Homebrew/formula_installer.rb
@@ -925,7 +925,7 @@ def build
  formula.specified_path,
  ].concat(build_argv)
 
- Utils.safe_fork do
+ Utils.safe_fork do |error_pipe|
  if Sandbox.available?
  sandbox = Sandbox.new
  formula.logs.mkpath
@@ -937,6 +937,7 @@ def build
  sandbox.allow_fossil
  sandbox.allow_write_xcode
  sandbox.allow_write_cellar(formula)
+ sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:build)
  sandbox.exec(*args)
  else
  exec(*args)
@@ -1151,7 +1152,7 @@ def post_install
 
  args << post_install_formula_path
 
- Utils.safe_fork do
+ Utils.safe_fork do |error_pipe|
  if Sandbox.available?
  sandbox = Sandbox.new
  formula.logs.mkpath
@@ -1161,6 +1162,7 @@ def post_install
  sandbox.allow_write_xcode
  sandbox.deny_write_homebrew_repository
  sandbox.allow_write_cellar(formula)
+ sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:postinstall)
  Keg::KEG_LINK_DIRECTORIES.each do |dir|
  sandbox.allow_write_path "#{HOMEBREW_PREFIX}/#{dir}"
  end

diff --git a/Library/Homebrew/test/formula_installer_spec.rb b/Library/Homebrew/test/formula_installer_spec.rb
@@ -3,11 +3,13 @@
 require "formula"
 require "formula_installer"
 require "keg"
+require "sandbox"
 require "tab"
 require "cmd/install"
 require "test/support/fixtures/testball"
 require "test/support/fixtures/testball_bottle"
 require "test/support/fixtures/failball"
+require "test/support/fixtures/failball_offline_install"
 
 RSpec.describe FormulaInstaller do
  matcher :be_poured_from_bottle do
@@ -70,6 +72,10 @@ def temporary_install(formula, **options)
  end
  end
 
+ specify "offline installation" do
+ expect { temporary_install(FailballOfflineInstall.new) }.to raise_error(BuildError) if Sandbox.available?
+ end
+
  specify "Formula is not poured from bottle when compiler specified" do
  temporary_install(TestballBottle.new, cc: "clang") do |f|
  tab = Tab.for_formula(f)

diff --git a/Library/Homebrew/test/support/fixtures/failball_offline_install.rb b/Library/Homebrew/test/support/fixtures/failball_offline_install.rb
@@ -0,0 +1,31 @@
+# typed: true
+# frozen_string_literal: true
+
+class FailballOfflineInstall < Formula
+ def initialize(name = "failball_offline_install", path = Pathname.new(__FILE__).expand_path, spec = :stable,
+ alias_path: nil, tap: nil, force_bottle: false)
+ super
+ end
+
+ DSL_PROC = proc do
+ url "file://#{TEST_FIXTURE_DIR}/tarballs/testball-0.1.tbz"
+ sha256 TESTBALL_SHA256
+ deny_network_access! :build
+ end.freeze
+ private_constant :DSL_PROC
+
+ DSL_PROC.call
+
+ def self.inherited(other)
+ super
+ other.instance_eval(&DSL_PROC)
+ end
+
+ def install
+ system "curl", "example.org"
+
+ prefix.install "bin"
+ prefix.install "libexec"
+ Dir.chdir "doc"
+ end
+end