implements dynamic plan sandboxing

Signed-off-by: Johny Jose <[email protected]>
habitat-sh · May 29, 2024 · fb60405 · fb60405
1 parent c6d8362
commit fb60405
Show file tree

Hide file tree

Showing 8 changed files with 2,971 additions and 1,634 deletions.
diff --git a/components/hab/src/command/studio/native.rs b/components/hab/src/command/studio/native.rs
@@ -19,7 +19,10 @@ const HAB_PLAN_BUILD_SOURCE_FILES: [(&str, &[u8]); 4] =
      #[cfg(target_os = "linux")]
      ("hab-plan-build.sh", include_bytes!("../../../../plan-build/bin/hab-plan-build-linux.sh")),
      #[cfg(target_os = "macos")]
-     ("hab-plan-build.sh", include_bytes!("../../../../plan-build/bin/hab-plan-build-darwin.sh"))];
+     ("hab-plan-build.sh", include_bytes!("../../../../plan-build/bin/hab-plan-build-darwin.sh")),
+     #[cfg(target_os = "macos")]
+     ("hab-plan-build.sh",
+      include_bytes!("../../../../plan-build/bin/hab-plan-build-darwin-internal.bash"))];
 
 pub fn start_native_studio(ui: &mut UI, args: &[OsString]) -> Result<()> {
     start_native_studio_impl(ui, args).map_err(Error::NativeStudioError)

diff --git a/components/studio/libexec/darwin-sandbox.sb → components/plan-build/bin/darwin-sandbox.sb b/components/studio/libexec/darwin-sandbox.sb → components/plan-build/bin/darwin-sandbox.sb
@@ -1,7 +1,8 @@
 (version 1)
+
+;; Support for dynamic linker from the base system
 (import "dyld-support.sb")
 
-(define BUILD_DIR (param "BUILD_DIR"))
 (define STUDIO_DIR (param "STUDIO_DIR"))
 (define STUDIO_HAB (param "STUDIO_HAB"))
 (define PLAN_CONTEXT_DIR (param "PLAN_CONTEXT_DIR"))
@@ -24,14 +25,15 @@
 
 ;; Allow file access and process execution inside build, studio and plan context directories
 (allow file* process-exec
-       (subpath BUILD_DIR)
        (subpath STUDIO_DIR)
        (subpath PLAN_CONTEXT_DIR))
 
 ;; Allow access to the studio's habitat binary
 ;; Also allow access to check the existence of accepted habitat licenses
 (allow file* process-exec (literal STUDIO_HAB))
-(allow file-read* (literal "/hab/accepted-licenses/habitat"))
+(allow file-read*
+    (literal "/hab/accepted-licenses")
+    (literal "/hab/accepted-licenses/habitat"))
 
 ;; Allow access to read and execute habitat packages, and cache directory
 (allow file* process-exec
@@ -49,9 +51,8 @@
 
 ;; Allow access to timezone database
 ;; This permits reading the timezone information necessary for time-related functions and operations.
-(allow file-read* 
-    (literal "/var")
-    (subpath "/private/var/db/timezone"))
+(allow file-read-metadata (literal "/var"))
+(allow file-read* (subpath "/private/var/db/timezone"))
 
 ;; Allow access to terminfo database
 (allow file-read* (subpath "/usr/share/terminfo"))