Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sandbox: only allow local network operations #17703

Closed
wants to merge 3 commits into from
Closed

sandbox: only allow local network operations #17703

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0598183
sandbox: only allow local network operations
nandahkrishna Jul 13, 2024
7e03abf
sandbox.rb: type fixes
nandahkrishna Jul 13, 2024
4cf9b57
test/{formula,dev-cmd/test}_spec: fix failures
nandahkrishna Jul 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Library/Homebrew/dev-cmd/test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@
sandbox.allow_write_path(HOMEBREW_PREFIX/"var/log")
sandbox.allow_write_path(HOMEBREW_PREFIX/"var/run")
sandbox.deny_all_network_except_pipe(error_pipe) unless f.class.network_access_allowed?(:test)
sandbox.allow_network_localhost

Check warning on line 96 in Library/Homebrew/dev-cmd/test.rb

View check run for this annotation

Codecov / codecov/patch

Library/Homebrew/dev-cmd/test.rb#L96 

Added line #L96 was not covered by tests
sandbox.exec(*exec_args)
else
exec(*exec_args)
Expand Down
2 changes: 1 addition & 1 deletion Library/Homebrew/formula.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ class Formula

SUPPORTED_NETWORK_ACCESS_PHASES = [:build, :test, :postinstall].freeze
private_constant :SUPPORTED_NETWORK_ACCESS_PHASES
DEFAULT_NETWORK_ACCESS_ALLOWED = true
DEFAULT_NETWORK_ACCESS_ALLOWED = false
private_constant :DEFAULT_NETWORK_ACCESS_ALLOWED

# The name of this {Formula}.
Expand Down
2 changes: 2 additions & 0 deletions Library/Homebrew/formula_installer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -943,6 +943,7 @@
sandbox.allow_write_xcode
sandbox.allow_write_cellar(formula)
sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:build)
sandbox.allow_network_localhost

Check warning on line 946 in Library/Homebrew/formula_installer.rb

View check run for this annotation

Codecov / codecov/patch

Library/Homebrew/formula_installer.rb#L946 

Added line #L946 was not covered by tests
sandbox.exec(*args)
else
exec(*args)
Expand Down Expand Up @@ -1158,6 +1159,7 @@
sandbox.deny_write_homebrew_repository
sandbox.allow_write_cellar(formula)
sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:postinstall)
sandbox.allow_network_localhost

Check warning on line 1162 in Library/Homebrew/formula_installer.rb

View check run for this annotation

Codecov / codecov/patch

Library/Homebrew/formula_installer.rb#L1162 

Added line #L1162 was not covered by tests
Keg::KEG_LINK_DIRECTORIES.each do |dir|
sandbox.allow_write_path "#{HOMEBREW_PREFIX}/#{dir}"
end
Expand Down
7 changes: 7 additions & 0 deletions Library/Homebrew/sandbox.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,13 @@
allow_network path:, type: :literal
end

sig { void }
def allow_network_localhost
add_rule allow: true, operation: "network-inbound", filter: "local ip \"localhost:*\""
add_rule allow: true, operation: "network*", filter: "remote ip \"localhost:*\""
add_rule allow: true, operation: "network*", filter: "remote unix"

Check warning on line 137 in Library/Homebrew/sandbox.rb

View check run for this annotation

Codecov / codecov/patch

Library/Homebrew/sandbox.rb#L135-L137 

Added lines #L135 - L137 were not covered by tests
end

sig { params(args: T.any(String, Pathname)).void }
def exec(*args)
seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
Expand Down
2 changes: 1 addition & 1 deletion Library/Homebrew/test/dev-cmd/test_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
RUBY

expect { brew "test", "--verbose", "testball_offline_test" }
.to output(/curl: \(6\) Could not resolve host: example\.org/).to_stdout
.to output(/curl: \(7\) Failed to connect to example.org/).to_stdout
.and be_a_failure
end
end
Expand Down
4 changes: 2 additions & 2 deletions Library/Homebrew/test/formula_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@
expect(f.alias_name).to be_nil
expect(f.full_alias_name).to be_nil
expect(f.specified_path).to eq(path)
[:build, :test, :postinstall].each { |phase| expect(f.network_access_allowed?(phase)).to be(true) }
[:build, :test, :postinstall].each { |phase| expect(f.network_access_allowed?(phase)).to be(false) }
expect { klass.new }.to raise_error(ArgumentError)
end

Expand All @@ -56,7 +56,7 @@
expect(f_alias.specified_path).to eq(Pathname(alias_path))
expect(f_alias.full_alias_name).to eq(alias_name)
expect(f_alias.full_specified_name).to eq(alias_name)
[:build, :test, :postinstall].each { |phase| expect(f_alias.network_access_allowed?(phase)).to be(true) }
[:build, :test, :postinstall].each { |phase| expect(f_alias.network_access_allowed?(phase)).to be(false) }
expect { klass.new }.to raise_error(ArgumentError)
end

Expand Down
Loading