
fixes for mac studio
- adds tmp directories to sandbox
- adds various binaries provided by xcode to sandbox exclusion
- adds SUDO_USER inside the studio
- reworks do_strip to work correctly on macos in hab-plan-build

Signed-off-by: Johny Jose <johny.jose@progress.com>
atrniv committed May 14, 2024
1 parent 416a940 commit a2eaafe
Showing 3 changed files with 99 additions and 13 deletions.
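--- a/components/plan-build/bin/hab-plan-build.sh
+++ b/components/plan-build/bin/hab-plan-build.sh
@@ -2160,16 +2160,40 @@ do_strip() {
 # https://bugs.launchpad.net/ubuntu/+source/file/+bug/1747711
 do_default_strip() {
 build_line "Stripping unneeded symbols from binaries and libraries"
-find "$pkg_prefix" -type f -perm -u+w -print0 2> /dev/null \
-| while read -rd '' f; do
-case "$(file -bi "$f")" in
-*application/x-executable*) strip --strip-all "$f";;
-*application/x-pie-executable*) strip --strip-unneeded "$f";;
-*application/x-sharedlib*) strip --strip-unneeded "$f";;
-*application/x-archive*) strip --strip-debug "$f";;
-*) continue;;
-esac
-done
+case "$pkg_target" in
+aarch64-darwin)
+# TODO: for this to be correct, the file binary we use must be GNU file and not BSD file.
+# This works for now, sorta, but may need to be fixed in future
+find "$pkg_prefix" -type f -perm -u+w -print0 2> /dev/null \
+| while read -rd '' f; do
+case "$(file -bi "$f")" in
+*application/x-mach-binary*)
+echo "$f: $(file -bi "$f")"
+strip -x "$f"
+;;
+*application/x-archive*)
+echo "$f: $(file -bi "$f")"
+strip -Sx "$f"
+;;
+*) continue;;
+esac
+done
+;;
+*)
+find "$pkg_prefix" -type f -perm -u+w -print0 2> /dev/null \
+| while read -rd '' f; do
+case "$(file -bi "$f")" in
+*application/x-executable*) strip --strip-all "$f";;
+*application/x-pie-executable*) strip --strip-unneeded "$f";;
+*application/x-sharedlib*) strip --strip-unneeded "$f";;
+*application/x-archive*) strip --strip-debug "$f";;
+*) continue;;
+esac
+done
+;;
+esac
+
+
 }
 
 # At this phase of the build, the package has been built, installed, and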
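Review bot: The two `echo "$f: $(file -bi "$f")"` lines in the aarch64-darwin branch print the raw MIME string for every stripped file and run `file` a second time per file, which reads like leftover debugging next to the `build_line` message at the top of the function. Capture the type once and report it through the normal channel: `mime="$(file -bi "$f")"` before the inner `case`, then `case "$mime" in`, and either drop the echo or replace it with `build_line "Stripping $f ($mime)"`. The branch also matches only `aarch64-darwin`; if x86_64-darwin is still a supported target it falls into the `*)` branch, whose `--strip-all`/`--strip-unneeded` flags are GNU binutils options that Apple's strip does not accept, so `*-darwin)` may be the intended pattern. The TODO about BSD versus GNU `file` would be easier to act on if it stated which output format the `x-mach-binary` match currently relies on.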
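--- a/components/studio/bin/hab-studio-darwin.sh
+++ b/components/studio/bin/hab-studio-darwin.sh
@@ -599,6 +599,9 @@ build_sandbox_env() {
 if [ -n "$extra_env" ]; then
 sandbox_env="$sandbox_env $extra_env"
 fi
+if [ -n "${SUDO_USER:-}" ]; then
+sandbox_env="$sandbox_env SUDO_USER=$SUDO_USER"
+fi
 # If a Habitat config filetype ignore string is set, then propagate it
 # into the Studio's sandbox environment.
 if [ -n "${HAB_CONFIG_EXCLUDE:-}" ]; then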
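Review bot: The new SUDO_USER block has no comment saying why the invoking user's name is propagated into the Studio, while the neighbouring HAB_CONFIG_EXCLUDE block directly below documents its purpose and the commit message only states that it is added. A comment in the same style would do, e.g. `# When the Studio is entered via sudo, propagate the invoking user's name into the sandbox environment.` The value is also spliced unquoted into the whitespace-separated `sandbox_env` string, so a SUDO_USER containing a space would split into two entries wherever that string is later word-split; the consumer, like the rest of build_sandbox_env, is outside the hunk, so whether that can happen cannot be confirmed here.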
65 changes: 62 additions & 3 deletions components/studio/libexec/darwin-sandbox.sb
Expand Up @@ -38,7 +38,8 @@
; we allow access to in PLAN_CONTEXT_DIR (but if we allow them more broadly, you could in
; theory escape the sandbox)
(allow file* process-exec process-fork network-outbound network-inbound
(literal "/tmp")
(subpath "/tmp")
(subpath "/private/tmp")
(subpath "/hab")
(subpath HAB_CACHE_ARTIFACT_PATH))

Expand All @@ -47,20 +48,77 @@
(begin
(allow file* process-exec process-fork network-outbound network-inbound
(literal "/usr/bin/xcrun")
(literal "/usr/bin/ar")
(literal "/usr/bin/as")
(literal "/usr/bin/asa")
(literal "/usr/bin/bison")
(literal "/usr/bin/c++")
(literal "/usr/bin/c++filt")
(literal "/usr/bin/c89")
(literal "/usr/bin/c99")
(literal "/usr/bin/cc")
(literal "/usr/bin/clang")
(literal "/usr/bin/clang++")
(literal "/usr/bin/cpp")
(literal "/usr/bin/ctags")
(literal "/usr/bin/dsymutil")
(literal "/usr/bin/flex")
(literal "/usr/bin/flex++")
(literal "/usr/bin/gcc")
(literal "/usr/bin/g++")
(literal "/usr/bin/gcov")
(literal "/usr/bin/gm4")
(literal "/usr/bin/gperf")
(literal "/usr/bin/ld")
(literal "/usr/bin/lex")
(literal "/usr/bin/libtool")
(literal "/usr/bin/lipo")
(literal "/usr/bin/m4")
(literal "/usr/bin/nm")
(literal "/usr/bin/nmedit")
(literal "/usr/bin/objdump")
(literal "/usr/bin/otool")
(literal "/usr/bin/pagestuff")
(literal "/usr/bin/ranlib")
(literal "/usr/bin/rpcgen")
(literal "/usr/bin/segedit")
(literal "/usr/bin/size")
(literal "/usr/bin/strip")
(literal "/usr/bin/strings")
(literal "/usr/bin/unifdef")
(literal "/usr/bin/unifdefall")
(literal "/usr/bin/unwinddump")
(literal "/usr/bin/vtool")
(literal "/usr/bin/yacc")
(literal "/usr/bin/iconv")
(literal "/usr/bin/clear")
(literal "/usr/bin/sudo")
(literal "/usr/bin/install_name_tool")
(literal "/usr/bin/xcode-select")
(subpath "/usr/share/terminfo")
(subpath "/var/db/xcode_select_link")
(subpath "/private/var/db/xcode_select_link")
(subpath "/Applications/Xcode.app/Contents"))))
(subpath "/usr/share/i18n")
(literal "/usr")
(subpath "/usr/lib")
(literal "/System")
(subpath "/System/Library")
(literal "/Applications")
(subpath "/Applications/Xcode.app"))))

; Access to allowed system binaries
(allow file* process-exec process-fork
(literal "/bin/ps")
(literal "/bin/sh")
(literal "/bin/bash")
(literal "/bin/pwd")
(literal "/usr/bin/which")
(literal "/usr/bin/env")
(literal "/usr/bin/uname")
(literal "/usr/bin/sw_vers"))

; Allow access to /bin/ps without sandbox restrictions
(allow process-exec (with no-sandbox) (literal "/bin/ps"))
(allow process-exec (with no-sandbox) (literal "/bin/ps") (literal "/usr/bin/sudo") (literal "/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild"))

; Access to the plan context and it's ancestors
(allow file-read* file-test-existence
Expand All @@ -73,6 +131,7 @@

; Some packages like to read the system version.
(allow file-read*
(literal "/private/etc/master.passwd")
(literal "/System/Library/CoreServices/SystemVersion.plist")
(literal "/System/Library/CoreServices/SystemVersionCompat.plist"))

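Review bot: The `(with no-sandbox)` process-exec rule now covers `/usr/bin/sudo` and xcodebuild as well as `/bin/ps`, so anything launched through either of them runs with no confinement at all; together with the new `(literal "/usr/bin/sudo")` entry in the main allow block, a plan whose build steps call sudo is effectively outside the sandbox this profile describes, which sits uneasily with the escape concern the file itself records in the first hunk. If that is intended for the Xcode toolchain, the comment above the rule should say so instead of still reading `; Allow access to /bin/ps without sandbox restrictions`, e.g. `; Allow /bin/ps, sudo and xcodebuild to run unconfined; processes they spawn are not sandboxed`. The new `file-read*` grant on `/private/etc/master.passwd` in the last hunk gives sandboxed build code read access to a file that is normally root-only, which matters if the Studio runs under sudo as the SUDO_USER change in this commit suggests; it would be worth recording which tool needs it and whether a narrower file would suffice. The `(literal "/usr")`, `(literal "/System")` and `(literal "/Applications")` entries grant only the directory entry itself, which looks deliberate but also merits a one-line comment so the next reader does not "fix" them into subpath rules.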
