sandbox: only allow local network operations #17703

Closed
wants to merge 3 commits into from

nandahkrishna
Member

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

This PR is an attempt to restrict network operations in the sandbox (for build, postinstall and test) to just local network operations. The sandbox rules were inspired by: https://github.com/bazelbuild/bazel/blob/4d62c8f7557a4673ffe5600f963fdfddd7b99d3b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedSpawnRunner.java#L300-L302

This might have to be modified a bit and may cause problems with a bunch of formulae too, so further testing will be required. CC @woodruffw.

@Bo98
Member

Bo98 commented Jul 13, 2024

This will definitely break a lot, including all formulae that use a language package manager (npm, cargo, etc.) as we don't use resources for those with sufficient lockfiles.

@nandahkrishna
Member Author

Based on a short discussion with Mike, we thought it might be good to have a separate fetch block/phase which does have network access but restricted write permissions. This would just download all these dependencies to the cache and then the install phase would be able to use these. I'm going to spend some time to try and implement that if it makes sense.

@woodruffw woodruffw added the sandbox Homebrew's use of the macOS Sandbox label Jul 13, 2024
Member

@woodruffw woodruffw left a comment

Sorry, premature review -- sounds like there's still some stuff to be done here 🙂

@Rylan12 Rylan12 mentioned this pull request Jul 14, 2024

github-actions bot commented Aug 5, 2024

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Aug 5, 2024
@github-actions github-actions bot closed this Aug 12, 2024
@github-actions github-actions bot deleted the install-network-block branch August 12, 2024 14:45
3 participants