diff --git a/Library/Homebrew/dev-cmd/test.rb b/Library/Homebrew/dev-cmd/test.rb
index b2a9c47194598..64dfd89d4102e 100644
--- a/Library/Homebrew/dev-cmd/test.rb
+++ b/Library/Homebrew/dev-cmd/test.rb
@@ -93,6 +93,7 @@ def run
         sandbox.allow_write_path(HOMEBREW_PREFIX/"var/log")
         sandbox.allow_write_path(HOMEBREW_PREFIX/"var/run")
         sandbox.deny_all_network_except_pipe(error_pipe) unless f.class.network_access_allowed?(:test)
+        sandbox.allow_network_localhost
         sandbox.exec(*exec_args)
       else
         exec(*exec_args)
diff --git a/Library/Homebrew/formula.rb b/Library/Homebrew/formula.rb
index c10b7345bb04d..a96c373542d92 100644
--- a/Library/Homebrew/formula.rb
+++ b/Library/Homebrew/formula.rb
@@ -76,7 +76,7 @@ class Formula
   SUPPORTED_NETWORK_ACCESS_PHASES = [:build, :test, :postinstall].freeze
   private_constant :SUPPORTED_NETWORK_ACCESS_PHASES
 
-  DEFAULT_NETWORK_ACCESS_ALLOWED = true
+  DEFAULT_NETWORK_ACCESS_ALLOWED = false
   private_constant :DEFAULT_NETWORK_ACCESS_ALLOWED
 
   # The name of this {Formula}.
diff --git a/Library/Homebrew/formula_installer.rb b/Library/Homebrew/formula_installer.rb
index f2faedbe2951b..6ee47d4402b9a 100644
--- a/Library/Homebrew/formula_installer.rb
+++ b/Library/Homebrew/formula_installer.rb
@@ -943,6 +943,7 @@ def build
         sandbox.allow_write_xcode
         sandbox.allow_write_cellar(formula)
         sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:build)
+        sandbox.allow_network_localhost
         sandbox.exec(*args)
       else
         exec(*args)
@@ -1158,6 +1159,7 @@ def post_install
         sandbox.deny_write_homebrew_repository
         sandbox.allow_write_cellar(formula)
         sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:postinstall)
+        sandbox.allow_network_localhost
         Keg::KEG_LINK_DIRECTORIES.each do |dir|
           sandbox.allow_write_path "#{HOMEBREW_PREFIX}/#{dir}"
         end
diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 0cbd7db525e55..7f229a3d51133 100644
--- a/Library/Homebrew/sandbox.rb
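Review bot: The new `sandbox.allow_network_localhost` is emitted unconditionally, so it is appended even when `f.class.network_access_allowed?(:test)` already left the network open; that is harmless because there is nothing to carve out of in that case, but it hides that the localhost carve-out only exists to soften the deny rule on the previous line. Tying the two together makes the intent explicit and keeps the profile minimal when network access is allowed: `unless f.class.network_access_allowed?(:test)` / `sandbox.deny_all_network_except_pipe(error_pipe)` / `sandbox.allow_network_localhost` / `end`. A one-line comment above it, such as `# Test suites commonly bind a local server and connect back to it; loopback stays reachable even when external network access is denied.`, would also help the next reader. The enclosing `run` method starts and ends outside the hunk.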
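Review bot: Flipping `DEFAULT_NETWORK_ACCESS_ALLOWED` to `false` changes behaviour for every formula that never declared anything about network access, including third-party taps that download during `build` or `postinstall`, and the constant carries no comment saying so. Since the name is `private_constant` and only reachable through `network_access_allowed?(phase)`, a reader of a formula failure has no pointer from the sandbox denial back to this default. A short comment above the constant would close that gap: `# Network access in the build, test and postinstall sandboxes is denied unless a formula opts in per phase; loopback is still permitted by the sandbox.` The surrounding `class Formula` body continues outside the hunk.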
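Review bot: With `sandbox.allow_network_localhost` added after the build-phase deny rule, "no network access" now means "no direct external network access": any service already listening on loopback (a local HTTP or SOCKS proxy, a port forwarded by ssh or a container runtime) can still relay a build's traffic off the host, so the default from `formula.rb` is not an egress guarantee on a developer machine. That is probably an acceptable trade-off, but it should be stated where the rule is applied so nobody reads the deny as a hard boundary, e.g. `# Loopback stays reachable even when external network access is denied; a local proxy on this host can still forward traffic outward.` The enclosing `build` method starts and ends outside the hunk.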
+++ b/Library/Homebrew/sandbox.rb
@@ -130,6 +130,13 @@ def deny_all_network_except_pipe(path)
     allow_network path:, type: :literal
   end
 
+  sig { void }
+  def allow_network_localhost
+    add_rule allow: true, operation: "network-inbound", filter: "local ip \"localhost:*\""
+    add_rule allow: true, operation: "network*", filter: "remote ip \"localhost:*\""
+    add_rule allow: true, operation: "network*", filter: "remote unix"
+  end
+
   sig { params(args: T.any(String, Pathname)).void }
   def exec(*args)
     seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
diff --git a/Library/Homebrew/test/dev-cmd/test_spec.rb b/Library/Homebrew/test/dev-cmd/test_spec.rb
index 0eb0dc8b2151f..7fce00709a1fa 100644
--- a/Library/Homebrew/test/dev-cmd/test_spec.rb
+++ b/Library/Homebrew/test/dev-cmd/test_spec.rb
@@ -30,7 +30,7 @@
       RUBY
       expect { brew "test", "--verbose", "testball_offline_test" }
-        .to output(/curl: \(6\) Could not resolve host: example\.org/).to_stdout
+        .to output(/curl: \(7\) Failed to connect to example.org/).to_stdout
         .and be_a_failure
     end
   end
diff --git a/Library/Homebrew/test/formula_spec.rb b/Library/Homebrew/test/formula_spec.rb
index bb1b9fd5c8e6d..ae7e6b47df4e1 100644
--- a/Library/Homebrew/test/formula_spec.rb
+++ b/Library/Homebrew/test/formula_spec.rb
@@ -42,7 +42,7 @@
     expect(f.alias_name).to be_nil
     expect(f.full_alias_name).to be_nil
     expect(f.specified_path).to eq(path)
-    [:build, :test, :postinstall].each { |phase| expect(f.network_access_allowed?(phase)).to be(true) }
+    [:build, :test, :postinstall].each { |phase| expect(f.network_access_allowed?(phase)).to be(false) }
     expect { klass.new }.to raise_error(ArgumentError)
   end
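Review bot: The third rule in `allow_network_localhost`, `add_rule allow: true, operation: "network*", filter: "remote unix"`, is not scoped to loopback at all: it lets the sandboxed process connect to and send on any Unix-domain socket on the machine, which reaches daemons the sandbox's path-based write denials never touch (whatever listens under /var/run, an SSH agent, a container-runtime socket). The changed `test_spec.rb` expectation moving from "Could not resolve host" to "Failed to connect" is consistent with name resolution now succeeding through such a socket, which suggests the real need is narrower than "any socket". If the profile language accepts it here as Apple's own profiles do, restrict the rule to the paths actually needed, e.g. `filter: "remote unix-socket (subpath \"/private/var/run\")"`, and document the method with a comment stating that it only carves loopback and local sockets out of a preceding `deny_all_network_except_pipe` and is a no-op in effect when the network was never denied. The `sig { void }` on the new method matches the file's convention.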
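Review bot: The rewritten expectation `/curl: \(7\) Failed to connect to example.org/` pins the test to one specific curl failure code, and the switch from `(6)` to `(7)` indicates that which code appears depends on whether name resolution succeeds inside the sandbox, which is environment-dependent rather than part of what the test is guarding; the old pattern also escaped the dot in `example\.org` while the new one does not. Matching the property the test actually cares about, that the fetch fails under the sandbox, is more robust: `.to output(/curl: \(\d+\) .*example\.org/).to_stdout`. The enclosing `describe` block starts outside the hunk.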
@@ -56,7 +56,7 @@
     expect(f_alias.specified_path).to eq(Pathname(alias_path))
     expect(f_alias.full_alias_name).to eq(alias_name)
     expect(f_alias.full_specified_name).to eq(alias_name)
-    [:build, :test, :postinstall].each { |phase| expect(f_alias.network_access_allowed?(phase)).to be(true) }
+    [:build, :test, :postinstall].each { |phase| expect(f_alias.network_access_allowed?(phase)).to be(false) }
     expect { klass.new }.to raise_error(ArgumentError)
   end