Use sandbox-exec on macOS to disable writes to TEA_PREFIX
Runs the repl or commands inside a sandboxed environment.
The sandbox allows everything by default, and then disables writes to all files under TEA_PREFIX.
Fixes #77
edit: ok, there's quite a few tests at the moment that expect TEA_PREFIX to be writeable 😅
- Add a new option to the run function that allows for usage of sandbox-exec on darwin
- Use this flag in app.exec and repl functions when running commands with TEA_PREFIX set
- Create a helper function to create the sandbox profile file, which is used by sandboxExecCmd
Example:
$ ~/s/t/cli (sandbox-exec)> tea run -S +deno.land
tea: pantries sync’d ⎷
this is a temporary shell containing the following packages:
[email protected]
when done type: `exit'
tea %~ touch $TEA_PREFIX/what
touch: /Users/gustav/.tea/what: Operation not permitted
tea %~ touch ~/what
tea %~
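As an added illustration of what the PR describes (this is not the PR's own code, and the function names `sbplString`, `denyWritesProfile`, `sandboxExecArgv` and `maybeSandboxed` are my own), here is a small TypeScript helper that generates the allow-everything-except-writes-under-TEA_PREFIX profile in sandbox-exec's SBPL syntax and the argv for running a command under it:

```typescript
// Added example, not code from the tea PR: builds the kind of sandbox-exec
// profile the PR describes (allow everything, deny writes under TEA_PREFIX)
// and the argv needed to run a command under it. Names are assumptions.

// SBPL string literals are double-quoted; escape backslashes and quotes so a
// prefix containing either cannot break out of the (subpath ...) filter.
function sbplString(s: string): string {
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Profile text: default-allow, then deny every file-write operation on any
// path under `prefix`. `file-write*` covers create, data, unlink, mode, etc.
function denyWritesProfile(prefix: string): string {
  if (!prefix.startsWith("/")) {
    throw new Error("prefix must be an absolute path: " + prefix);
  }
  // Strip trailing slashes so the rule does not depend on how (subpath ...)
  // treats "/a/b/" versus "/a/b".
  const p = prefix.length > 1 ? prefix.replace(/\/+$/, "") : prefix;
  return [
    "(version 1)",
    "(allow default)",
    `(deny file-write* (subpath ${sbplString(p)}))`,
    "",
  ].join("\n");
}

// argv for running `cmd` inside the sandbox. `-f` reads the profile from a
// file, matching the PR's approach of writing a profile file first
// (`-p` would accept the profile text inline instead).
function sandboxExecArgv(profilePath: string, cmd: string[]): string[] {
  if (cmd.length === 0) throw new Error("no command to run");
  return ["sandbox-exec", "-f", profilePath, ...cmd];
}

// sandbox-exec only exists on macOS; on other platforms the command is
// returned unchanged, mirroring the PR's darwin-only option.
function maybeSandboxed(platform: string, profilePath: string, cmd: string[]): string[] {
  return platform === "darwin" ? sandboxExecArgv(profilePath, cmd) : cmd;
}
```

Two practical caveats when using this: sandbox path filters are matched against the resolved path, so if TEA_PREFIX sits behind a symlink (on macOS `/tmp` is really `/private/tmp`) the prefix should be passed through `realpath` first or the deny rule will silently never match; and `sandbox-exec` is marked deprecated in its man page, although it still ships and works on current macOS.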
#77 actually wanted the opposite (wording was poor, my bad 😓), restricting writes only to TEA_PREFIX.
I think though I was thinking about “builds” when making that ticket, and well, we have since decided that users won't do builds. However it would still be a welcome change to @teaxyz/pantry-core’s build.ts.
For the REPL, I'm not sure we should sandbox that either.
open to a discussion about what should be sandboxed.
I think it could be amazing to sandbox tea-scripts.
lovely code btw
I've been noodling this and it's possible this is totally the right time to add this. Where packages must specify what paths in their own prefix they allow writes. And we figure out the issues with the tests.
Most packages should not allow writes in $TEA_PREFIX. This is a nice feature.
Thanks for this contribution and sorry we see-sawed on applying it.
At this point I think we are going to omit this feature.