Class: AgentJail::Restrictions::Seatbelt

Inherits:
Base
  • Object
Defined in:
lib/agent_jail/restrictions/seatbelt.rb

Overview

Applies macOS Seatbelt filesystem restrictions by calling sandbox_init(3) in the child process. When the Seatbelt FFI binding is not available (FFI::Seatbelt::AVAILABLE is false), #apply returns without applying any restriction, so callers that require isolation must not assume enforcement on other platforms.

Constant Summary

# System directories the sandboxed child is expected to be able to read
# in addition to the per-instance fs_read_allow list (presumably merged
# into the profile by build_profile, which is not shown here — verify).
# NOTE(review): /proc does not exist on stock macOS; confirm the entry is
# intentional rather than copied from a Linux allow-list.
SYSTEM_READ_PATHS = [
  "/usr",
  "/Library",
  "/System",
  "/private/var/db/dyld",
  "/private/etc",
  "/dev",
  "/proc"
].freeze

Instance Method Summary

Constructor Details

#initialize(fs_allow:, fs_read_allow:) ⇒ Seatbelt

Returns a new instance of Seatbelt. Both fs_allow and fs_read_allow are coerced with Array(), so a single path, nil or an Array is accepted; the values are stored as-is and used later by #apply when the profile is built.



# File 'lib/agent_jail/restrictions/seatbelt.rb', line 17

# @param fs_allow [String, Array<String>, nil] paths the child may access
#   (read/write); a single path, nil or an Array is accepted
# @param fs_read_allow [String, Array<String>, nil] paths the child may read
# Both inputs are normalised to Arrays here so that build_profile (not shown
# on this page) can rely on receiving a list.
def initialize(fs_allow:, fs_read_allow:)
  super()
  @fs_allow, @fs_read_allow = [fs_allow, fs_read_allow].map { |paths| Array(paths) }
end

Instance Method Details

#apply ⇒ Object



# File 'lib/agent_jail/restrictions/seatbelt.rb', line 23

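# Install the Seatbelt profile into the *current* process via sandbox_init(3).
#
# Meant to run in the child: once the profile is installed it applies to
# everything this process does afterwards, so anything that still needs
# wider filesystem access must happen before this call.
#
# @return [nil]
# @raise [RuntimeError] if sandbox_init reports failure; the error string
#   from libsystem_sandbox is included when one is returned
def apply
  # NOTE(review): this is fail-open. When the Seatbelt binding could not be
  # loaded (non-macOS, or the library failed to load) no restriction is
  # applied and no error is raised. Callers that depend on isolation should
  # check FFI::Seatbelt::AVAILABLE themselves rather than assume enforcement.
  return unless FFI::Seatbelt::AVAILABLE

  # build_profile is defined elsewhere in this class. Because it interpolates
  # @fs_allow / @fs_read_allow into SBPL text, it must quote/escape each path;
  # an unescaped '"' or ')' in a path would change the profile's structure.
  profile = build_profile

  # Out-parameter: on failure sandbox_init stores a char* error message here.
  errorbuf_ptr = ::FFI::MemoryPointer.new(:pointer)
  # flags = 0 (no SANDBOX_NAMED) — presumably treats `profile` as literal
  # SBPL rather than the name of a built-in profile; confirm against the binding.
  result = FFI::Seatbelt.sandbox_init(profile, 0, errorbuf_ptr)
  return if result.zero?

  err_ptr = errorbuf_ptr.read_pointer
  raise "sandbox_init failed: no error detail returned" if err_ptr.null?

  begin
    message = err_ptr.read_string
  ensure
    # The buffer is owned by libsystem_sandbox; release it even if reading
    # the string raised, so the failure path does not leak.
    FFI::Seatbelt.sandbox_free_error(err_ptr)
  end
  raise "sandbox_init failed: #{message}"
end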