Rework the Sandbox enum into a SandboxProfile struct that can separate out point of configuration from point of application
#4005
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
abertelrud
added
the
ready
abertelrud
commented
Jan 12, 2022
abertelrud
commented
Jan 12, 2022
| @@ -1361,6 +1370,7 @@ final class PackageToolTests: CommandsTestCase { | |||
| let output = try result.utf8Output() + result.utf8stderrOutput() | |||
| XCTAssertEqual(result.exitStatus, .terminated(code: 0), "output: \(output)") | |||
| XCTAssertMatch(output, .contains("This is MyCommandPlugin.")) | |||
| XCTAssertMatch(output, .contains("successfully created file at path \(resolveSymlinks(packageDir).appending(components: ".build", "plugins", "outputs", "Foo"))")) | |||
There was a problem hiding this comment.
This is the check that was incomplete in the previous test, and would have caught the problem.
|
@swift-ci smoke test |
abertelrud
force-pushed
the
eng/87417780-sandbox-should-always-allow-plugin-output-directory
branch
from
0b631ed to
836aabb
Compare
|
@swift-ci smoke test |
abertelrud
commented
Jan 12, 2022
Tests/BasicsTests/SandboxTests.swift
Outdated
| } | ||
| } | ||
|
|
||
| func testWritingToWritableInsideReadOnlyAllowed() throws { |
There was a problem hiding this comment.
This adds a specific test case for a writable directory inside of a read-only directory.
abertelrud
commented
Jan 12, 2022
Comment on lines
902
to
903
| let strictness: Sandbox.Strictness = toolsVersion < .v5_3 ? .manifest_pre_53 : .default | ||
| cmd = Sandbox.apply(command: cmd, strictness: strictness, writableDirectories: cacheDirectories) | ||
| let sandboxProfile = SandboxProfile(pathRules: cacheDirectories.map{ .writable($0) }) | ||
| cmd = sandboxProfile.apply(to: cmd) |
There was a problem hiding this comment.
The notes in the Sandbox profile generator indicate that the pre-5.3 rules were needed for interpreting the manifest rather than compiling and running it. This isn't supported anymore, and the operations affected were being able to write to some Clang locations and to set sysctls. Those don't seem like operations that we want to keep supporting. Do we know of any packages that required the < 5.3 strictness?
abertelrud
force-pushed
the
eng/87417780-sandbox-should-always-allow-plugin-output-directory
branch
from
836aabb to
692e86a
Compare
|
@swift-ci smoke test |
neonichu
approved these changes
Jan 12, 2022
|
@swift-ci please test package compatibility |
|
Hmm... |
abertelrud
changed the title
<pkgdir>/.buildSandbox enum into a SandboxProfile struct that can separate out point of configuration from point of application
|
Moving this one aside temporarily while preparing a much smaller fix for the problem at hand. That fix can then be nominated for inclusion in 5.6. Then I'll bring this back since it's what we want to do moving forward. |
abertelrud
added
WIP
|
@swift-ci please test package compatibility |
abertelrud
force-pushed
the
eng/87417780-sandbox-should-always-allow-plugin-output-directory
branch
2 times, most recently
from
16e9075 to
af586c4
Compare
|
@swift-ci please smoke test |
abertelrud
force-pushed
the
eng/87417780-sandbox-should-always-allow-plugin-output-directory
branch
from
af586c4 to
ccdc849
Compare
…vide a unique path specified by `TMPDIR` The `/tmp` temporary directory is particularly unsafe because it is noisy — various processes with various ownerships write and read files there. So it's better to use the per-user directory returned by `NSTemporaryDirectory()`. We can improve several things here by passing through the result of calling `NSTemporaryDirectory()` in the sandbox instead of `/tmp` and also setting `TMPDIR` in the environment (regardless of whether or not it was set in the inherited one). This will cause the inferior's use of Foundation to respect this directory (the implementation of `NSTemporaryDirectory()` looks at `TMPDIR` on all platforms), and that should also be true for any command line tools it calls, as long as it passes through the environment. If `TMPDIR` is set in SwiftPM's own environment, it will control SwiftPM's own `NSTemporaryDirectory()` will be respected all the way through. As part of this we also take the opportunity to clean up the interface a little. In particular, this change turns the stateless `Sandbox` enum into a `SandboxProfile` struct that's a bit more flexible: - there is a list of path rules allowing a mixed order of `writable`, `readonly`, and `noaccess` rules - the defaults are built into the initializer rather than a separate `strictness` parameter — this means that they can be queried once the SandboxProfile has been created and are expressed in terms of the choices available to all sandbox profiles - there is separate control for whether or not to allow network access The new `SandboxProfile` is also a bit more ergonomic — as a struct, it can be copied, mutated, and carried around in a property before being used. Having the sandbox profile be a struct that generates the platform specifics as needed also could also provide a place with which to associate any cached/compiled representation for profiles that are largely static, for any platform that supports that. As cleanup, this commit also removes the pre-SwiftPM 5.3 specialities which were specific to running the package manifest in an interpreter rather than compiling and executing it. This functionality is no longer relevant since it isn't possible to run any manifest in the interpreter, no matter what tools version the package specifies. In this commit, the call sites have been adjusted so that they use the modified SandboxProfile API, but they still construct the profiles on-the-fly as before. A future change will make them instead be configured at an early point and then applied later when the sandboxed process is actually launched. Another future change could add the sandbox profile to `Process` as a property so that there is no API assumption that applying a sandbox necessarily involves just modifying the command line. rdar://91575256
abertelrud
force-pushed
the
eng/87417780-sandbox-should-always-allow-plugin-output-directory
branch
from
ccdc849 to
e32cba8
Compare
|
Opened a new PR here: #4307 that replaces this one |
abertelrud
deleted the
eng/87417780-sandbox-should-always-allow-plugin-output-directory
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change turns the stateless Sandbox enum into a SandboxProfile struct that can be configured and passed around well before being applied, and it makes the configuration more flexible in several regards:
allowanddenyrulesstrictnessparameter — this means that they can be queried once the SandboxProfile has been created and are expressed in terms of the choices available to all sandbox profiles.Motivation
Separating out the point of configuration from the point of application of the sandbox makes it easier to configure.
The ergonomic changes described above also make it easier to use.
Having the sandbox profile be a struct that generates the platform specifics as needed also provides a place with which to associate any cached/compiled representation for profiles that are largely static.
Details
As cleanup, this commit also removes the pre-SwiftPM 5.3 specialities which were specific to running the package manifest in an interpreter rather than compiling and executing it. This functionality is no longer relevant since it isn't possible to run any manifest in the interpreter.
In this commit, the call sites have been adjusted so that they use the modified SandboxProfile API, but still construct the profiles on-the-fly as before. A future change could make them instead be configured at an early point and then applied later when the sandboxed process is actually launched. Another future change could add the sandbox profile to Process as a property so that there is no API assumption that applying a sandbox necessarily involves just modifying the command line.