admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Deny file mode changes outside of specified paths in sandbox

Browse Source
This commit is contained in:
Rylan Polster 2024-07-13 15:23:39 -04:00
parent 6a5bcb339d
commit ab46965d95
No known key found for this signature in database
GPG Key ID: 46A744940CFF4D64
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Library/Homebrew/sandbox.rb
View File

@ -37,6 +37,14 @@ class Sandbox
def allow_write(path:, type: :literal) def allow_write(path:, type: :literal)
add_rule allow: true, operation: "file-write*", filter: path_filter(path, type) add_rule allow: true, operation: "file-write*", filter: path_filter(path, type)
add_rule allow: true, operation: "file-write-setugid", filter: path_filter(path, type) add_rule allow: true, operation: "file-write-setugid", filter: path_filter(path, type)
file_write_mode_path = if Pathname(path).directory?
"#{path}/*"
else
path
end
add_rule allow: true, operation: "file-write-mode", filter: path_filter(file_write_mode_path, type)
end end
sig { params(path: T.any(String, Pathname), type: Symbol).void } sig { params(path: T.any(String, Pathname), type: Symbol).void }
@ -289,6 +297,7 @@ class Sandbox
(regex #"^/dev/tty[a-z0-9]*$") (regex #"^/dev/tty[a-z0-9]*$")
) )
(deny file-write*) ; deny non-allowlist file write operations (deny file-write*) ; deny non-allowlist file write operations
(deny file-write-mode) ; deny non-allowlist file write mode operations
(allow process-exec (allow process-exec
(literal "/bin/ps") (literal "/bin/ps")
(with no-sandbox) (with no-sandbox)