Support for opt-in network isolation in build/test sandboxes

Library/Homebrew/ast_constants.rb

@@ -44,6 +44,8 @@
   [{ name: :go_resource, type: :block_call }, { name: :resource, type: :block_call }],
   [{ name: :patch, type: :method_call }, { name: :patch, type: :block_call }],
   [{ name: :needs, type: :method_call }],
+  [{ name: :allow_network_access!, type: :method_call }],
+  [{ name: :deny_network_access!, type: :method_call }],
   [{ name: :install, type: :method_definition }],
   [{ name: :post_install, type: :method_definition }],
   [{ name: :caveats, type: :method_definition }],

Library/Homebrew/dev-cmd/test.rb

@@ -80,7 +80,7 @@ def run
 
             exec_args << "--HEAD" if f.head?
 
-            Utils.safe_fork do
+            Utils.safe_fork do |error_pipe|
               if Sandbox.available?
                 sandbox = Sandbox.new
                 f.logs.mkpath
@@ -92,6 +92,7 @@ def run
                 sandbox.allow_write_path(HOMEBREW_PREFIX/"var/homebrew/locks")
                 sandbox.allow_write_path(HOMEBREW_PREFIX/"var/log")
                 sandbox.allow_write_path(HOMEBREW_PREFIX/"var/run")
+                sandbox.deny_all_network_except_pipe(error_pipe) unless f.class.network_access_allowed?(:test)
                 sandbox.exec(*exec_args)
               else
                 exec(*exec_args)

Library/Homebrew/env_config.rb

@@ -228,6 +228,21 @@ module EnvConfig
                      "of Ruby is new enough.",
         boolean:     true,
       },
+      HOMEBREW_FORMULA_BUILD_NETWORK:            {
+        description: "If set, controls network access to the sandbox for formulae builds. Overrides any " \
+                     "controls set through DSL usage inside formulae. Must be `allow` or `deny`. If no value is " \
+                     "set through this environment variable or DSL usage, the default behavior is `allow`.",
+      },
+      HOMEBREW_FORMULA_POSTINSTALL_NETWORK:      {
+        description: "If set, controls network access to the sandbox for formulae postinstall. Overrides any " \
+                     "controls set through DSL usage inside formulae. Must be `allow` or `deny`. If no value is " \
+                     "set through this environment variable or DSL usage, the default behavior is `allow`.",
+      },
+      HOMEBREW_FORMULA_TEST_NETWORK:             {
+        description: "If set, controls network access to the sandbox for formulae test. Overrides any " \
+                     "controls set through DSL usage inside formulae. Must be `allow` or `deny`. If no value is " \
+                     "set through this environment variable or DSL usage, the default behavior is `allow`.",
+      },
       HOMEBREW_GITHUB_API_TOKEN:                 {
         description: "Use this personal access token for the GitHub API, for features such as " \
                      "`brew search`. You can create one at <https://github.com/settings/tokens>. If set, " \

Library/Homebrew/formula.rb

@@ -70,6 +70,11 @@ class Formula
   extend Attrable
   extend APIHashable
 
+  SUPPORTED_NETWORK_ACCESS_PHASES = [:build, :test, :postinstall].freeze
+  DEFAULT_NETWORK_ACCESS_ALLOWED = true
+  private_constant :SUPPORTED_NETWORK_ACCESS_PHASES
+  private_constant :DEFAULT_NETWORK_ACCESS_ALLOWED
+
   # The name of this {Formula}.
   # e.g. `this-formula`
   sig { returns(String) }
@@ -400,6 +405,7 @@ def head_only?
     !!head && !stable
   end
 
+  # Stop RuboCop from erroneously indenting hash target
   delegate [ # rubocop:disable Layout/HashAlignment
     :bottle_defined?,
     :bottle_tag?,
@@ -459,6 +465,13 @@ def bottle_for_tag(tag = nil)
   # @see .version
   delegate version: :active_spec
 
+  # Stop RuboCop from erroneously indenting hash target
+  delegate [ # rubocop:disable Layout/HashAlignment
+    :allow_network_access!,
+    :deny_network_access!,
+    :network_access_allowed?,
+  ] => :"self.class"
+
   # Whether this formula was loaded using the formulae.brew.sh API
   # @!method loaded_from_api?
   # @private
@@ -3028,6 +3041,9 @@ def inherited(child)
         @skip_clean_paths = Set.new
         @link_overwrite_paths = Set.new
         @loaded_from_api = false
+        @network_access_allowed = SUPPORTED_NETWORK_ACCESS_PHASES.to_h do |phase|
+          [phase, DEFAULT_NETWORK_ACCESS_ALLOWED]
+        end
       end
     end
 
@@ -3104,6 +3120,59 @@ def license(args = nil)
       end
     end
 
+    # @!attribute [w] allow_network_access!
+    # The phases for which network access is allowed. By default, network
+    # access is allowed for all phases. Valid phases are `:build`, `:test`,
+    # and `:postinstall`. When no argument is passed, network access will be
+    # allowed for all phases.
+    # <pre>allow_network_access!</pre>
+    # <pre>allow_network_access! :build</pre>
+    # <pre>allow_network_access! [:build, :test]</pre>
+    sig { params(phases: T.any(Symbol, T::Array[Symbol])).void }
+    def allow_network_access!(phases = [])
+      phases_array = Array(phases)
+      if phases_array.empty?
+        @network_access_allowed.each_key { |phase| @network_access_allowed[phase] = true }
+      else
+        phases_array.each do |phase|
+          raise ArgumentError, "Unknown phase: #{phase}" unless SUPPORTED_NETWORK_ACCESS_PHASES.include?(phase)
+
+          @network_access_allowed[phase] = true
+        end
+      end
+    end
+
+    # @!attribute [w] deny_network_access!
+    # The phases for which network access is denied. By default, network
+    # access is allowed for all phases. Valid phases are `:build`, `:test`,
+    # and `:postinstall`. When no argument is passed, network access will be
+    # denied for all phases.
+    # <pre>deny_network_access!</pre>
+    # <pre>deny_network_access! :build</pre>
+    # <pre>deny_network_access! [:build, :test]</pre>
+    sig { params(phases: T.any(Symbol, T::Array[Symbol])).void }
+    def deny_network_access!(phases = [])
+      phases_array = Array(phases)
+      if phases_array.empty?
+        @network_access_allowed.each_key { |phase| @network_access_allowed[phase] = false }
+      else
+        phases_array.each do |phase|
+          raise ArgumentError, "Unknown phase: #{phase}" unless SUPPORTED_NETWORK_ACCESS_PHASES.include?(phase)
+
+          @network_access_allowed[phase] = false
+        end
+      end
+    end
+
+    # Whether the specified phase should be forced offline.
+    sig { params(phase: Symbol).returns(T::Boolean) }
+    def network_access_allowed?(phase)
+      raise ArgumentError, "Unknown phase: #{phase}" unless SUPPORTED_NETWORK_ACCESS_PHASES.include?(phase)
+
+      env_var = Homebrew::EnvConfig.send(:"formula_#{phase}_network")
+      env_var.nil? ? @network_access_allowed[phase] : env_var == "allow"
+    end
+
     # @!attribute [w] homepage
     # The homepage for the software. Used by users to get more information
     # about the software and Homebrew maintainers as a point of contact for

Library/Homebrew/formula_installer.rb

@@ -925,7 +925,7 @@ def build
       formula.specified_path,
     ].concat(build_argv)
 
-    Utils.safe_fork do
+    Utils.safe_fork do |error_pipe|
       if Sandbox.available?
         sandbox = Sandbox.new
         formula.logs.mkpath
@@ -937,6 +937,7 @@ def build
         sandbox.allow_fossil
         sandbox.allow_write_xcode
         sandbox.allow_write_cellar(formula)
+        sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:build)
         sandbox.exec(*args)
       else
         exec(*args)
@@ -1151,7 +1152,7 @@ def post_install
 
     args << post_install_formula_path
 
-    Utils.safe_fork do
+    Utils.safe_fork do |error_pipe|
       if Sandbox.available?
         sandbox = Sandbox.new
         formula.logs.mkpath
@@ -1161,6 +1162,7 @@ def post_install
         sandbox.allow_write_xcode
         sandbox.deny_write_homebrew_repository
         sandbox.allow_write_cellar(formula)
+        sandbox.deny_all_network_except_pipe(error_pipe) unless formula.network_access_allowed?(:postinstall)
         Keg::KEG_LINK_DIRECTORIES.each do |dir|
           sandbox.allow_write_path "#{HOMEBREW_PREFIX}/#{dir}"
         end

Library/Homebrew/sandbox.rb

@@ -91,6 +91,32 @@ def deny_write_homebrew_repository
     end
   end
 
+  sig { params(path: T.any(String, Pathname), type: Symbol).void }
+  def allow_network(path:, type: :literal)
+    add_rule allow: true, operation: "network*", filter: path_filter(path, type)
+  end
+
+  sig { params(path: T.any(String, Pathname), type: Symbol).void }
+  def deny_network(path:, type: :literal)
+    add_rule allow: false, operation: "network*", filter: path_filter(path, type)
+  end
+
+  sig { void }
+  def allow_all_network
+    add_rule allow: true, operation: "network*"
+  end
+
+  sig { void }
+  def deny_all_network
+    add_rule allow: false, operation: "network*"
+  end
+
+  sig { params(path: T.any(String, Pathname)).void }
+  def deny_all_network_except_pipe(path)
+    deny_all_network
+    allow_network path:, type: :literal
+  end
+
   def exec(*args)
     seatbelt = Tempfile.new(["homebrew", ".sb"], HOMEBREW_TEMP)
     seatbelt.write(@profile.dump)

Library/Homebrew/test/dev-cmd/test_spec.rb

@@ -2,6 +2,7 @@
 
 require "cmd/shared_examples/args_parse"
 require "dev-cmd/test"
+require "sandbox"
 
 RSpec.describe Homebrew::DevCmd::Test do
   it_behaves_like "parseable arguments"
@@ -18,4 +19,19 @@
       .and not_to_output.to_stderr
       .and be_a_success
   end
+
+  it "blocks network access when test phase is offline", :integration_test do
+    if Sandbox.available?
+      install_test_formula "testball_offline_test", <<~RUBY
+        deny_network_access! :test
+        test do
+          system "curl", "example.org"
+        end
+      RUBY
+
+      expect { brew "test", "--verbose", "testball_offline_test" }
+        .to output(/curl: \(6\) Could not resolve host: example\.org/).to_stdout
+        .and be_a_failure
+    end
+  end
 end

Library/Homebrew/test/formula_installer_spec.rb

@@ -3,11 +3,13 @@
 require "formula"
 require "formula_installer"
 require "keg"
+require "sandbox"
 require "tab"
 require "cmd/install"
 require "test/support/fixtures/testball"
 require "test/support/fixtures/testball_bottle"
 require "test/support/fixtures/failball"
+require "test/support/fixtures/failball_offline_install"
 
 RSpec.describe FormulaInstaller do
   matcher :be_poured_from_bottle do
@@ -70,6 +72,10 @@ def temporary_install(formula, **options)
     end
   end
 
+  specify "offline installation" do
+    expect { temporary_install(FailballOfflineInstall.new) }.to raise_error(BuildError) if Sandbox.available?
+  end
+
   specify "Formula is not poured from bottle when compiler specified" do
     temporary_install(TestballBottle.new, cc: "clang") do |f|
       tab = Tab.for_formula(f)

Library/Homebrew/test/formula_spec.rb

@@ -42,6 +42,7 @@
       expect(f.alias_name).to be_nil
       expect(f.full_alias_name).to be_nil
       expect(f.specified_path).to eq(path)
+      [:build, :test, :postinstall].each { |phase| expect(f.network_access_allowed?(phase)).to be(true) }
       expect { klass.new }.to raise_error(ArgumentError)
     end
 
@@ -55,6 +56,7 @@
       expect(f_alias.specified_path).to eq(Pathname(alias_path))
       expect(f_alias.full_alias_name).to eq(alias_name)
       expect(f_alias.full_specified_name).to eq(alias_name)
+      [:build, :test, :postinstall].each { |phase| expect(f_alias.network_access_allowed?(phase)).to be(true) }
       expect { klass.new }.to raise_error(ArgumentError)
     end
 
@@ -1895,4 +1897,39 @@ def install
       expect(f.fish_completion/"testball.fish").to be_a_file
     end
   end
+
+  describe "{allow,deny}_network_access" do
+    phases = [:build, :postinstall, :test].freeze
+    actions = %w[allow deny].freeze
+    phases.each do |phase|
+      actions.each do |action|
+        it "can #{action} network access for #{phase}" do
+          f = Class.new(Testball) do
+            send(:"#{action}_network_access!", phase)
+          end
+
+          expect(f.network_access_allowed?(phase)).to be(action == "allow")
+        end
+      end
+    end
+
+    actions.each do |action|
+      it "can #{action} network access for all phases" do
+        f = Class.new(Testball) do
+          send(:"#{action}_network_access!")
+        end
+
+        phases.each do |phase|
+          expect(f.network_access_allowed?(phase)).to be(action == "allow")
+        end
+      end
+    end
+  end
+
+  describe "#network_access_allowed?" do
+    it "throws an error when passed an invalid symbol" do
+      f = Testball.new
+      expect { f.network_access_allowed?(:foo) }.to raise_error(ArgumentError)
+    end
+  end
 end

Library/Homebrew/test/support/fixtures/failball_offline_install.rb

@@ -0,0 +1,31 @@
+# typed: true
+# frozen_string_literal: true
+
+class FailballOfflineInstall < Formula
+  def initialize(name = "failball_offline_install", path = Pathname.new(__FILE__).expand_path, spec = :stable,
+                 alias_path: nil, tap: nil, force_bottle: false)
+    super
+  end
+
+  DSL_PROC = proc do
+    url "file://#{TEST_FIXTURE_DIR}/tarballs/testball-0.1.tbz"
+    sha256 TESTBALL_SHA256
+    deny_network_access! :build
+  end.freeze
+  private_constant :DSL_PROC
+
+  DSL_PROC.call
+
+  def self.inherited(other)
+    super
+    other.instance_eval(&DSL_PROC)
+  end
+
+  def install
+    system "curl", "example.org"
+
+    prefix.install "bin"
+    prefix.install "libexec"
+    Dir.chdir "doc"
+  end
+end

Library/Homebrew/utils/fork.rb

@@ -37,15 +37,15 @@ def self.safe_fork
         pid = fork do
           # bootsnap doesn't like these forked processes
           ENV["HOMEBREW_NO_BOOTSNAP"] = "1"
-
-          ENV["HOMEBREW_ERROR_PIPE"] = server.path
+          error_pipe = server.path
+          ENV["HOMEBREW_ERROR_PIPE"] = error_pipe
           server.close
           read.close
           write.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
 
           Process::UID.change_privilege(Process.euid) if Process.euid != Process.uid
 
-          yield
+          yield(error_pipe)
         rescue Exception => e # rubocop:disable Lint/RescueException
           error_hash = JSON.parse e.to_json