Skip to content

Support for opt-in network isolation in build/test sandboxes #17081

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Apr 23, 2024
Merged

Support for opt-in network isolation in build/test sandboxes #17081

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
3d5c3a0
sandbox: add methods for allowing/denying network access
alebcay Apr 13, 2024
c938f89
env_config: new variables for allowing/denying network access
alebcay Apr 16, 2024
7c11699
formula: add methods for allowing/denying network access
alebcay Apr 13, 2024
aac156c
fork: pass error_pipe path to yielded block
alebcay Apr 13, 2024
a3cfff7
formula_installer: conditionally deny network access in sandbox
alebcay Apr 13, 2024
934398d
test: conditionally deny network access in sandbox
alebcay Apr 13, 2024
4a9d757
ast_constants: enforce {allow,deny}_network_access! order
alebcay Apr 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
formula_installer: conditionally deny network access in sandbox
  • Loading branch information
@alebcay
alebcay committed Apr 23, 2024
commit a3cfff72fd6bdef8a7f1388cc04be28375f94839
6 changes: 4 additions & 2 deletions Library/Homebrew/formula_installer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -925,7 +925,7 @@ def build
formula.specified_path,
].concat(build_argv)

Utils.safe_fork do
Utils.safe_fork do |error_pipe|
if Sandbox.available?
sandbox = Sandbox.new
formula.logs.mkpath
Expand All @@ -937,6 +937,7 @@ def build
sandbox.allow_fossil
sandbox.allow_write_xcode
sandbox.allow_write_cellar(formula)
sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:build)
sandbox.exec(*args)
else
exec(*args)
Expand Down Expand Up @@ -1151,7 +1152,7 @@ def post_install

args << post_install_formula_path

Utils.safe_fork do
Utils.safe_fork do |error_pipe|
if Sandbox.available?
sandbox = Sandbox.new
formula.logs.mkpath
Expand All @@ -1161,6 +1162,7 @@ def post_install
sandbox.allow_write_xcode
sandbox.deny_write_homebrew_repository
sandbox.allow_write_cellar(formula)
sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:postinstall)
Keg::KEG_LINK_DIRECTORIES.each do |dir|
sandbox.allow_write_path "#{HOMEBREW_PREFIX}/#{dir}"
end
Expand Down
6 changes: 6 additions & 0 deletions Library/Homebrew/test/formula_installer_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,13 @@
require "formula"
require "formula_installer"
require "keg"
require "sandbox"
require "tab"
require "cmd/install"
require "test/support/fixtures/testball"
require "test/support/fixtures/testball_bottle"
require "test/support/fixtures/failball"
require "test/support/fixtures/failball_offline_install"

RSpec.describe FormulaInstaller do
matcher :be_poured_from_bottle do
Expand Down Expand Up @@ -70,6 +72,10 @@ def temporary_install(formula, **options)
end
end

specify "offline installation" do
expect { temporary_install(FailballOfflineInstall.new) }.to raise_error(BuildError) if Sandbox.available?
end

specify "Formula is not poured from bottle when compiler specified" do
temporary_install(TestballBottle.new, cc: "clang") do |f|
tab = Tab.for_formula(f)
Expand Down
31 changes: 31 additions & 0 deletions Library/Homebrew/test/support/fixtures/failball_offline_install.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# typed: true
# frozen_string_literal: true

class FailballOfflineInstall < Formula
def initialize(name = "failball_offline_install", path = Pathname.new(__FILE__).expand_path, spec = :stable,
alias_path: nil, tap: nil, force_bottle: false)
super
end

DSL_PROC = proc do
url "file://#{TEST_FIXTURE_DIR}/tarballs/testball-0.1.tbz"
sha256 TESTBALL_SHA256
deny_network_access! :build
end.freeze
private_constant :DSL_PROC

DSL_PROC.call

def self.inherited(other)
super
other.instance_eval(&DSL_PROC)
end

def install
system "curl", "example.org"

prefix.install "bin"
prefix.install "libexec"
Dir.chdir "doc"
end
end