Sandbox for manifests and plugins should block /tmp and instead provide a unique path set by TMPDIR

The `/tmp` temporary directory is particularly unsafe since it's so noisy (with various processes with various ownerships all writing and reading files there), and so it's better to use the per-user directory returned by `confstr(_CS_DARWIN_USER_TEMP_DIR)`.

By code inspection, Foundation's `NSTemporaryDirectory()` respects the `TMPDIR` environment variable both in the open source and Apple implementations (via `confstr()` in the latter).

So we can improve several things here by passing through the result of calling `NSTemporaryDirectory()` in the sandbox instead of `/tmp` and also setting `TMPDIR` in the environment (regardless of whether or not it was set in the inherited one).  This should cause the inferior's use of Foundation to respect this directory, and that should also be true for any command line tools it calls.  If `TMPDIR` is set in SwiftPM's own environment, this will be respected all the way through.

As part of this we also take the opportunity to clean up the interface a little.  In particular, this change turns the stateless Sandbox enum into a SandboxProfile struct that can be configured and passed around well before being applied, and it makes the configuration more flexible in several regards:
- there is a list of path rules allowing a mixed order of `allow` and `deny` rules
- the defaults are built into the initializer rather than a separate `strictness` parameter — this means that they can be queried once the SandboxProfile has been created and are expressed in terms of the choices available to all sandbox profiles.

Having the sandbox profile be a struct that generates the platform specifics as needed also provides a place with which to associate any cached/compiled representation for profiles that are largely static.

As cleanup, this commit also removes the pre-SwiftPM 5.3 specialities which were specific to running the package manifest in an interpreter rather than compiling and executing it.  This functionality is no longer relevant since it isn't possible to run any manifest in the interpreter, no matter what tools version the package specifies.

In this commit, the call sites have been adjusted so that they use the modified SandboxProfile API, but still construct the profiles on-the-fly as before.  A future change could make them instead be configured at an early point and then applied later when the sandboxed process is actually launched.  Another future change could add the sandbox profile to Process as a property so that there is no API assumption that applying a sandbox necessarily involves just modifying the command line.

rdar://91575256

Author: abertelrud

Sources/Basics/CMakeLists.txt

@@ -1,6 +1,6 @@
 # This source file is part of the Swift open source project
 #
-# Copyright (c) 2014 - 2021 Apple Inc. and the Swift project authors
+# Copyright (c) 2014 - 2022 Apple Inc. and the Swift project authors
 # Licensed under Apache License v2.0 with Runtime Library Exception
 #
 # See http://swift.org/LICENSE.txt for license information
@@ -24,7 +24,7 @@ add_library(Basics
   JSONDecoder+Extensions.swift
   Netrc.swift
   Observability.swift
-  Sandbox.swift
+  SandboxProfile.swift
   String+Extensions.swift
   Triple+Extensions.swift
   SwiftVersion.swift

Sources/Basics/Sandbox.swift

@@ -0,0 +1,108 @@
+/*
+ This source file is part of the Swift.org open source project
+
+ Copyright (c) 2021 - 2022 Apple Inc. and the Swift project authors
+ Licensed under Apache License v2.0 with Runtime Library Exception
+
+ See http://swift.org/LICENSE.txt for license information
+ See http://swift.org/CONTRIBUTORS.txt for Swift project authors
+ */
+
+import Foundation
+import TSCBasic
+
+/// A sandbox profile representing the desired restrictions. The implementation can vary between platforms.
+public struct SandboxProfile {
+    /// An ordered list of path rules, where the last rule to cover a particular path "wins". These will be resolved
+    /// to absolute paths at the time the profile is applied. They are applied after any of the implicit directories
+    /// referenced by other sandbox profile settings.
+    public var pathAccessRules: [PathAccessRule]
+
+    /// Represents a rule for access to a path and everything under it.
+    public enum PathAccessRule: Equatable {
+        case noaccess(AbsolutePath)
+        case readonly(AbsolutePath)
+        case writable(AbsolutePath)
+    }
+
+    /// Whether to allow outbound and inbound network access.
+    public var allowNetwork: Bool
+
+    /// Configures a SandboxProfile for blocking network access and writing to the file system except to specifically
+    /// permitted locations.
+    public init(_ pathAccessRules: [PathAccessRule] = [], allowNetwork: Bool = false) {
+        self.pathAccessRules = pathAccessRules
+        self.allowNetwork = allowNetwork
+    }
+
+    // Convenience initializer to make it easier to construct sandbox profiles with conditional rules.
+    public init(_ pathAccessRules: PathAccessRule?..., allowNetwork: Bool = false) {
+        self.init(pathAccessRules.compactMap{ $0 }, allowNetwork: allowNetwork)
+    }
+}
+
+extension SandboxProfile {
+    /// Applies the sandbox profile to the given command line (if the platform supports it), and returns the modified
+    /// command line. On platforms that don't support sandboxing, the unmodified command line is returned.
+    public func apply(to command: [String]) -> [String] {
+        #if os(macOS)
+        return ["/usr/bin/sandbox-exec", "-p", self.generateMacOSSandboxProfileString()] + command
+        #else
+        // rdar://40235432, rdar://75636874 tracks implementing sandboxes for other platforms.
+        return command
+        #endif
+    }
+}
+
+// MARK: - macOS
+
+#if os(macOS)
+fileprivate extension SandboxProfile {
+    /// Private function that generates a Darwin sandbox profile suitable for passing to `sandbox-exec(1)`.
+    func generateMacOSSandboxProfileString() -> String {
+        var contents = "(version 1)\n"
+
+        // Deny everything by default.
+        contents += "(deny default)\n"
+
+        // Import the system sandbox profile.
+        contents += "(import \"system.sb\")\n"
+
+        // Allow operations on subprocesses.
+        contents += "(allow process*)\n"
+
+        // Optionally allow network access (inbound and outbound).
+        if allowNetwork {
+            contents += "(system-network)\n"
+            contents += "(allow network*)\n"
+        }
+
+        // Allow reading any file that isn't protected by TCC or permissions (ideally we'd only allow a specific set
+        // of readable locations, and can maybe tighten this in the future).
+        contents += "(allow file-read*)\n"
+
+        // Apply customized rules for specific file system locations. Everything is readonly by default, so we just
+        // either allow or deny writing, in order. Later rules have precedence over earlier rules.
+        for rule in pathAccessRules {
+            switch rule {
+            case .noaccess(let path):
+                contents += "(deny file-* (subpath \(resolveSymlinksAndQuotePath(path))))\n"
+            case .readonly(let path):
+                contents += "(deny file-write* (subpath \(resolveSymlinksAndQuotePath(path))))\n"
+            case .writable(let path):
+                contents += "(allow file-write* (subpath \(resolveSymlinksAndQuotePath(path))))\n"
+            }
+        }
+        return contents
+    }
+
+    /// Private helper function that resolves an AbsolutePath and returns it as a string quoted for use as a subpath
+    /// in a .sb sandbox profile.
+    func resolveSymlinksAndQuotePath(_ path: AbsolutePath) -> String {
+        return "\"" + resolveSymlinks(path).pathString
+            .replacingOccurrences(of: "\\", with: "\\\\")
+            .replacingOccurrences(of: "\"", with: "\\\"")
+            + "\""
+    }
+}
+#endif

Sources/Basics/SandboxProfile.swift

@@ -452,10 +452,23 @@ public final class BuildOperation: PackageStructureDelegate, SPMBuildCore.BuildS
                 // TODO: We need to also use any working directory, but that support isn't yet available on all platforms at a lower level.
                 var commandLine = [command.configuration.executable.pathString] + command.configuration.arguments
                 if !self.disableSandboxForPluginCommands {
-                    commandLine = Sandbox.apply(command: commandLine, strictness: .writableTemporaryDirectory, writableDirectories: [pluginResult.pluginOutputDirectory])
+                    // Allow access to the plugin's output directory as well as to the local temporary directory.
+                    let sandboxProfile = SandboxProfile(
+                        .writable(pluginResult.pluginOutputDirectory),
+                        .writable(localFileSystem.tempDirectory))
+                    commandLine = sandboxProfile.apply(to: commandLine)
                 }
-                let processResult = try Process.popen(arguments: commandLine, environment: command.configuration.environment)
+
+                // Pass `TMPDIR` in the environment, in addition to anything the plugin specifies, in case we have an
+                // override in our own environment.
+                var environment = command.configuration.environment
+                environment["TMPDIR"] = localFileSystem.tempDirectory.pathString
+
+                // Run the command and wait for it to finish.
+                let processResult = try Process.popen(arguments: commandLine, environment: environment)
                 let output = try processResult.utf8Output() + processResult.utf8stderrOutput()
+
+                // Throw an error if it failed.
                 if processResult.exitStatus != .terminated(code: 0) {
                     throw StringError("failed: \(command)\n\n\(output)")
                 }

Sources/Build/BuildOperation.swift

@@ -619,16 +619,26 @@ extension LLBuildManifestBuilder {
                 let uniquedName = ([execPath.pathString] + command.configuration.arguments).joined(separator: "|")
                 let displayName = command.configuration.displayName ?? execPath.basename
                 var commandLine = [execPath.pathString] + command.configuration.arguments
+
+                // Apply the sandbox, if appropriate.
                 if !self.disableSandboxForPluginCommands {
-                    commandLine = Sandbox.apply(command: commandLine, strictness: .writableTemporaryDirectory, writableDirectories: [result.pluginOutputDirectory])
+                    let sandboxProfile = SandboxProfile(
+                        .writable(result.pluginOutputDirectory),
+                        .writable(localFileSystem.tempDirectory))
+                    commandLine = sandboxProfile.apply(to: commandLine)
                 }
+                // Pass `TMPDIR` in the environment, in addition to anything the plugin specifies, in case we have an
+                // override in our own environment.
+                var environment = command.configuration.environment
+                environment["TMPDIR"] = localFileSystem.tempDirectory.pathString
+
                 manifest.addShellCmd(
                     name: displayName + "-" + ByteString(encodingAsUTF8: uniquedName).sha256Checksum,
                     description: displayName,
                     inputs: [.file(execPath)] + command.inputFiles.map{ .file($0) },
                     outputs: command.outputFiles.map{ .file($0) },
                     arguments: commandLine,
-                    environment: command.configuration.environment,
+                    environment: environment,
                     workingDirectory: command.configuration.workingDirectory?.pathString)
             }
         }

Sources/Build/LLBuildManifestBuilder.swift

@@ -827,18 +827,34 @@ public final class ManifestLoader: ManifestLoaderProtocol {
                         // This provides some safety against arbitrary code execution when parsing manifest files.
                         // We only allow the permissions which are absolutely necessary.
                         if self.isManifestSandboxEnabled {
-                            let cacheDirectories = [self.databaseCacheDir, moduleCachePath].compactMap{ $0 }
-                            let strictness: Sandbox.Strictness = toolsVersion < .v5_3 ? .manifest_pre_53 : .default
-                            cmd = Sandbox.apply(command: cmd, strictness: strictness, writableDirectories: cacheDirectories)
+                            cmd = SandboxProfile(
+                                // Allow writing in the temporary directory (whether or not it's overridden by TMPDIR).
+                                .writable(localFileSystem.tempDirectory),
+
+                                // Allow writing in the database cache directory, if we have one.
+                                self.databaseCacheDir.map{ .writable($0) },
+
+                                // Allow writing in the module cache path, if there is one.
+                                moduleCachePath.map{ .writable($0) },
+
+                                // But do not allow writing in the directory that contains the manifest, even if it is
+                                // inside one of the writable directories.
+                                .readonly(manifestPath.parentDirectory)
+                            ).apply(to: cmd)
                         }
 
-                        // Run the compiled manifest.
+                        // Set up the environment so that the manifest inherits our own environment, but make sure that
+                        // `TMPDIR` is set to whatever the temporary directory is that is allowed in the sandbox.
                         var environment = ProcessEnv.vars
+                        environment["TMPDIR"] = localFileSystem.tempDirectory.pathString
+
+                        // On Windows, also make sure that the `Path` is set up correctly in the environment.
                         #if os(Windows)
                         let windowsPathComponent = runtimePath.pathString.replacingOccurrences(of: "/", with: "\\")
                         environment["Path"] = "\(windowsPathComponent);\(environment["Path"] ?? "")"
                         #endif
 
+                        // Run the compiled manifest.
                         let cleanupAfterRunning = cleanupIfError.delay()
                         Process.popen(arguments: cmd, environment: environment, queue: callbackQueue) { result in
                             dispatchPrecondition(condition: .onQueue(callbackQueue))