sandbox: tweak HOMEBREW_REPOSITORY handling.

If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the default) then we can block access to the whole of HOMEBREW_REPOSITORY rather than just the HOMEBREW_LIBRARY and `.git`.

sandbox: tweak HOMEBREW_REPOSITORY handling.
536c48e8 · Mike McQuaid · 5cf3838f · 536c48e8 · 536c48e8
Commit 536c48e8 authored 8 years ago by Mike McQuaid
--- a/Library/Homebrew/cmd/postinstall.rb
+++ b/Library/Homebrew/cmd/postinstall.rb
@@ -36,7 +36,7 @@ module Homebrew
        sandbox.allow_write_cellar(formula)
        sandbox.allow_write_xcode
        sandbox.allow_write_path HOMEBREW_PREFIX
-        sandbox.deny_write_homebrew_library
+        sandbox.deny_write_homebrew_repository
        sandbox.exec(*args)
      else
        exec(*args)

--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -84,10 +84,14 @@ class Sandbox
    allow_write_path formula.logs
  end

-  def deny_write_homebrew_library
-    deny_write_path HOMEBREW_LIBRARY
-    deny_write_path HOMEBREW_REPOSITORY/".git"
+  def deny_write_homebrew_repository
    deny_write HOMEBREW_BREW_FILE
+    if HOMEBREW_PREFIX.to_s != HOMEBREW_REPOSITORY.to_s
+      deny_write_path HOMEBREW_REPOSITORY
+    else
+      deny_write_path HOMEBREW_LIBRARY
+      deny_write_path HOMEBREW_REPOSITORY/".git"
+    end
  end

  def exec(*args)