sandbox: permit /var/tmp & DerivedData

Long term it would be nice to sandbox everything that writes to DerivedData
but it is essentially a cache directory of sorts.

The downside of allowing stuff to write there particularly is that DerivedData
is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using
installations very quickly, you can chew your disk space up.

Closes Homebrew/homebrew#43276.

Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com>
Dominyk Tiller 2015-08-25 17:34:52 +01:00
parent 166e33c2ff
commit 98499d1d29
4 changed files with 9 additions and 0 deletions

@ -31,6 +31,7 @@ module Homebrew
sandbox.allow_write_temp_and_cache sandbox.allow_write_temp_and_cache
sandbox.allow_write_log(formula) sandbox.allow_write_log(formula)
sandbox.allow_write_cellar(formula) sandbox.allow_write_cellar(formula)
sandbox.allow_write_xcode
sandbox.allow_write_path HOMEBREW_PREFIX sandbox.allow_write_path HOMEBREW_PREFIX
sandbox.deny_write_homebrew_library sandbox.deny_write_homebrew_library
sandbox.exec(*args) sandbox.exec(*args)
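Review bot: sandbox.allow_write_xcode is added at this call site next to allow_write_path HOMEBREW_PREFIX, but the commit message only motivates it for Xcode-using installations. If no step that runs under this profile invokes an Xcode build, leave the call out so the profile does not gain a write path it does not need; if one does, a one-line comment naming the step that writes to DerivedData would make the allowance reviewable later.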

@ -49,6 +49,7 @@ module Homebrew
sandbox.record_log(f.logs/"sandbox.test.log") sandbox.record_log(f.logs/"sandbox.test.log")
sandbox.allow_write_temp_and_cache sandbox.allow_write_temp_and_cache
sandbox.allow_write_log(f) sandbox.allow_write_log(f)
sandbox.allow_write_xcode
sandbox.exec(*args) sandbox.exec(*args)
else else
exec(*args) exec(*args)
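Review bot: the only rules visible in this test profile are allow_write_temp_and_cache and allow_write_log(f), so the added sandbox.allow_write_xcode widens it to a directory the commit message itself describes as rarely cleaned up. Is there a formula test that writes to DerivedData? If so, note it in a comment here; if not, drop the call from the test path and keep the allowance to builds.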

@ -553,6 +553,7 @@ class FormulaInstaller
sandbox.record_log(formula.logs/"sandbox.build.log") sandbox.record_log(formula.logs/"sandbox.build.log")
sandbox.allow_write_temp_and_cache sandbox.allow_write_temp_and_cache
sandbox.allow_write_log(formula) sandbox.allow_write_log(formula)
sandbox.allow_write_xcode
sandbox.allow_write_cellar(formula) sandbox.allow_write_cellar(formula)
sandbox.exec(*args) sandbox.exec(*args)
else else
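Review bot: sandbox.allow_write_xcode is called unconditionally in the build path, so every formula build can write to DerivedData, not only the builds that invoke Xcode. Consider gating the call on the formula actually needing Xcode, or add a comment recording why a blanket allowance was chosen over a per-formula one.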

@ -57,6 +57,7 @@ class Sandbox
def allow_write_temp_and_cache def allow_write_temp_and_cache
allow_write_path "/private/tmp" allow_write_path "/private/tmp"
allow_write_path "/private/var/tmp"
allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", :type => :regex allow_write "^/private/var/folders/[^/]+/[^/]+/[C,T]/", :type => :regex
allow_write_path HOMEBREW_TEMP allow_write_path HOMEBREW_TEMP
allow_write_path HOMEBREW_CACHE allow_write_path HOMEBREW_CACHE
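Review bot: the new allow_write_path "/private/var/tmp" line in allow_write_temp_and_cache has no stated reason. The commit subject mentions /var/tmp, but the message body only explains DerivedData. Because the rule lives in allow_write_temp_and_cache, it applies to every caller of that method, so please add a comment (or a sentence in the commit message) naming what writes to /private/var/tmp and why /private/tmp and HOMEBREW_TEMP are not enough for it.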
@ -68,6 +69,11 @@ class Sandbox
allow_write_path formula.var allow_write_path formula.var
end end
# Xcode projects expect access to certain cache/archive dirs.
def allow_write_xcode
allow_write_path "/Users/#{ENV["USER"]}/Library/Developer/Xcode/DerivedData/"
end
def allow_write_log(formula) def allow_write_log(formula)
allow_write_path formula.logs allow_write_path formula.logs
end end
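Review bot: in allow_write_xcode the path is interpolated as "/Users/#{ENV["USER"]}/Library/Developer/Xcode/DerivedData/", which assumes both that USER is set and that the home directory is /Users/<USER>. With USER unset the rule becomes /Users//Library/Developer/Xcode/DerivedData/ and allows nothing useful, and a home directory located elsewhere is not covered. Suggest building the path from the home directory (for example ENV["HOME"] or Dir.home) instead of hardcoding /Users. The comment also says "cache/archive dirs" in the plural while only DerivedData is allowed; either name the single directory or list the others that are intended.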