Merge pull request #17708 from Homebrew/sandbox-chmod

2024-07-13 16:38:44 -04:00 · 2024-07-13 16:38:44 -04:00 · 92ef6ef763
commit 92ef6ef763
parent 46c156660b e054a3ccf6
2 changed files with 31 additions and 0 deletions
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@ -37,6 +37,7 @@ class Sandbox
  def allow_write(path:, type: :literal)
    add_rule allow: true, operation: "file-write*", filter: path_filter(path, type)
    add_rule allow: true, operation: "file-write-setugid", filter: path_filter(path, type)
+    add_rule allow: true, operation: "file-write-mode", filter: path_filter(path, type)
  end

  sig { params(path: T.any(String, Pathname), type: Symbol).void }
@ -295,6 +296,8 @@ class Sandbox
          (regex #"^/dev/tty[a-z0-9]*$")
          )
      (deny file-write*) ; deny non-allowlist file write operations
+      (deny file-write-setugid) ; deny non-allowlist file write SUID/SGID operations
+      (deny file-write-mode) ; deny non-allowlist file write mode operations
      (allow process-exec
          (literal "/bin/ps")
          (with no-sandbox)
--- a/Library/Homebrew/test/sandbox_spec.rb
+++ b/Library/Homebrew/test/sandbox_spec.rb
@ -101,4 +101,32 @@ RSpec.describe Sandbox, :needs_macos do
        .and output(a_string_matching(/foo/).and(matching(/bar/).and(not_matching(/Python/)))).to_stdout
    end
  end
+
+  describe "#disallow chmod on some directory" do
+    it "formula does a chmod to opt" do
+      expect { sandbox.exec "chmod", "ug-w", HOMEBREW_PREFIX }.to raise_error(ErrorDuringExecution)
+    end
+
+    it "allows chmod on a path allowed to write" do
+      mktmpdir do |path|
+        FileUtils.touch path/"foo"
+        sandbox.allow_write_path(path)
+        expect { sandbox.exec "chmod", "ug-w", path/"foo" }.not_to raise_error(ErrorDuringExecution)
+      end
+    end
+  end
+
+  describe "#disallow chmod SUID or SGID on some directory" do
+    it "formula does a chmod 4000 to opt" do
+      expect { sandbox.exec "chmod", "4000", HOMEBREW_PREFIX }.to raise_error(ErrorDuringExecution)
+    end
+
+    it "allows chmod 4000 on a path allowed to write" do
+      mktmpdir do |path|
+        FileUtils.touch path/"foo"
+        sandbox.allow_write_path(path)
+        expect { sandbox.exec "chmod", "4000", path/"foo" }.not_to raise_error(ErrorDuringExecution)
+      end
+    end
+  end
 end