From 66a479be82392931e2f7faec09879e414a70d776 Mon Sep 17 00:00:00 2001
From: Thierry Moisan
Date: Sun, 14 Jul 2024 11:03:53 -0400
Subject: [PATCH 1/3] sandbox: deny signal to other processes

---
Library/Homebrew/sandbox.rb | 1 +
Library/Homebrew/test/sandbox_spec.rb | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 5fe1f43766..aea0c99f2e 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -302,6 +302,7 @@ class Sandbox
(literal "/bin/ps")
(with no-sandbox)
) ; allow certain processes running without sandbox
+ (deny signal (target others)) ; deny sending signals to other processes
(allow default) ; allow everything else
ERB

diff --git a/Library/Homebrew/test/sandbox_spec.rb b/Library/Homebrew/test/sandbox_spec.rb
index fee72c130c..5aeaa280f4 100644
--- a/Library/Homebrew/test/sandbox_spec.rb
+++ b/Library/Homebrew/test/sandbox_spec.rb
@@ -129,4 +129,22 @@ RSpec.describe Sandbox, :needs_macos do
end
end
end
+
+ describe "#disallow sending signal to other processes" do
# we have to spawn a process, otherwise kill doesn't try to send a signal if the process doesn't exist
let(:pid) do
pid = spawn("sleep 1000")
sleep 1 # Ensure the process has started
pid
end
after do
Process.kill("KILL", pid)
Process.wait(pid)
end
it "sandbox stops signal to other processes" do
expect { sandbox.exec "kill", "-SIGTERM", pid.to_s }.to raise_error(ErrorDuringExecution)
end
end
end

From 6995e955b52b500d91d37fcd5636bb7dd3917e4c Mon Sep 17 00:00:00 2001
From: Thierry Moisan
Date: Sun, 14 Jul 2024 11:51:45 -0400
Subject: [PATCH 2/3] Update Library/Homebrew/test/sandbox_spec.rb

Co-authored-by: Mike McQuaid
---
Library/Homebrew/test/sandbox_spec.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Library/Homebrew/test/sandbox_spec.rb b/Library/Homebrew/test/sandbox_spec.rb
index 5aeaa280f4..ec93530d94 100644
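Review bot: The comment on the new `(deny signal (target others))` line restates the S-expression instead of the intent, and since this profile falls through to `(allow default)` this single rule is what separates a build from every other process on the host, so a reader needs to know which signal targets remain permitted. Suggest `; deny signals to processes outside the sandbox; signals to self, children and the process group still fall through to (allow default)`, with the caveat that the exact complement of `others` should be confirmed against the sandbox profile language before committing that wording. Placing the deny ahead of `(allow default)` mirrors the existing deny rules earlier in this profile, so its precedence should match theirs. The ERB heredoc holding the profile, and the method it belongs to, start outside the hunk.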
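Review bot: The new example only asserts that `kill` exits nonzero (presumably what `ErrorDuringExecution` wraps), so it would also pass if the pid were stale or `kill` were absent from the sandboxed PATH, and nothing in the hunk checks the other half of the rule, that a sandboxed build can still signal its own children, which is what real builds (test harnesses, `make` helpers) depend on. Add a positive companion example in the same `describe`, e.g. `it "still allows signals to its own children" do expect { sandbox.exec "sh", "-c", "sleep 100 & kill $!" }.not_to raise_error end`, on the assumption that `(target others)` excludes children, which the profile language should confirm. The `sleep 1 # Ensure the process has started` line adds no safety, because `spawn` returns only once the child exists and the pid is valid immediately; the comment above `let(:pid)` would be clearer as `# spawn a real process so kill actually issues the syscall instead of failing on a nonexistent pid`. The enclosing `RSpec.describe` block starts outside the hunk.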
--- a/Library/Homebrew/test/sandbox_spec.rb
+++ b/Library/Homebrew/test/sandbox_spec.rb
@@ -134,7 +134,7 @@ RSpec.describe Sandbox, :needs_macos do
# we have to spawn a process, otherwise kill doesn't try to send a signal if the process doesn't exist
let(:pid) do
pid = spawn("sleep 1000")
- sleep 1 # Ensure the process has started
+ sleep 0.1 # Ensure the process has started
pid
end

From e351cf049cb1b5a0c08849b845c6ae4fcdd02f13 Mon Sep 17 00:00:00 2001
From: Thierry Moisan
Date: Sun, 14 Jul 2024 11:51:52 -0400
Subject: [PATCH 3/3] Update Library/Homebrew/test/sandbox_spec.rb

Co-authored-by: Mike McQuaid
---
Library/Homebrew/test/sandbox_spec.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Library/Homebrew/test/sandbox_spec.rb b/Library/Homebrew/test/sandbox_spec.rb
index ec93530d94..a28389b427 100644
--- a/Library/Homebrew/test/sandbox_spec.rb
+++ b/Library/Homebrew/test/sandbox_spec.rb
@@ -130,7 +130,7 @@ RSpec.describe Sandbox, :needs_macos do
end
end
- describe "#disallow sending signal to other processes" do
+ describe "disallow sending signal to other processes" do
# we have to spawn a process, otherwise kill doesn't try to send a signal if the process doesn't exist
let(:pid) do
pid = spawn("sleep 1000")