sandbox: add formula? method and sandbox core.

Add a new `Sandbox.formula?` method to see if a given formula should be sandboxed. Use the formula to check its tap against a list of pre-approved taps where we know every formula builds under the sandbox (currently just homebrew/core).
2016-08-14 17:34:54 +01:00 · 2016-08-14 17:34:54 +01:00 · 6e887fbf5a
commit 6e887fbf5a
parent ca3e4fcc1d
2 changed files with 24 additions and 0 deletions
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@ -3,11 +3,19 @@ require "tempfile"

 class Sandbox
  SANDBOX_EXEC = "/usr/bin/sandbox-exec".freeze
+  SANDBOXED_TAPS = [
+    "homebrew/core",
+  ].freeze

  def self.available?
    OS.mac? && File.executable?(SANDBOX_EXEC)
  end

+  def self.formula?(formula)
+    return false unless available?
+    ARGV.sandbox? || SANDBOXED_TAPS.include?(formula.tap.to_s)
+  end
+
  def self.test?
    return false unless available?
    !ARGV.no_sandbox?
--- a/Library/Homebrew/test/test_sandbox.rb
+++ b/Library/Homebrew/test/test_sandbox.rb
@ -13,6 +13,22 @@ class SandboxTest < Homebrew::TestCase
    @dir.rmtree
  end

+  def test_formula?
+    f = formula { url "foo-1.0" }
+    f2 = formula { url "bar-1.0" }
+    f2.stubs(:tap).returns(Tap.fetch("test/tap"))
+
+    ARGV.stubs(:sandbox?).returns true
+    assert Sandbox.formula?(f),
+      "Formulae should be sandboxed if --sandbox was passed."
+
+    ARGV.stubs(:sandbox?).returns false
+    assert Sandbox.formula?(f),
+      "Formulae should be sandboxed if in a sandboxed tap."
+    refute Sandbox.formula?(f2),
+        "Formulae should not be sandboxed if not in a sandboxed tap."
+  end
+
  def test_test?
    ARGV.stubs(:no_sandbox?).returns false
    assert Sandbox.test?,