#!/usr/bin/env ruby

# TODO:
#
# * How are we going to handle allowing processes like `git`, `svn`, and `hg`
#   to work when they might be somewhere in a non-standard prefix?
#
# * Can we scope rules like file-read/file-write to specific processes? E.g.
#   limit `git` to only those directories where any git operations should be
#   performed, while allowing `xcodebuild` access to more directories.
#
# * Limit the scope of the rules where possible. E.g. `network-outbound` and
#   access to the user home directory.
#
# * Installing docs with `appledoc` requires Apple Events and iirc, from a
#   CoreInt episode, this is damn hard to do in a sandbox environment.
#

# When this file is executed directly (not loaded by something else), put the
# checkout's lib/ directory first on the load path so the local CocoaPods
# sources win over any installed gem.
$LOAD_PATH.unshift(File.expand_path('../../lib', __FILE__)) if $PROGRAM_NAME == __FILE__
require 'pathname'
require 'cocoapods/config'


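# Absolute paths that the profile template after __END__ interpolates verbatim
# into `#"^<path>"` sandbox regexes. Every one of them must therefore be a
# non-empty absolute path: an empty value would produce `#"^"`, which matches
# every path and silently turns that allow rule into a blanket allow.
pod_bin = File.expand_path('../pod', __FILE__)
pod_prefix = File.expand_path('../..', pod_bin)

require 'rbconfig'
ruby_bin = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
ruby_prefix = RbConfig::CONFIG['prefix']

# Runs +cmd+ (an argv array, so no shell is involved) and returns its stdout
# with surrounding whitespace removed.
#
# Aborts instead of returning a blank or relative value, because the result is
# interpolated into a sandbox regex (see the note above): a missing tool, a
# failing tool or an empty line must not widen the sandbox.
#
# @param cmd [Array<String>] program name followed by its arguments
# @return [String] the non-empty, absolute path the tool printed
def tool_output(*cmd)
  output = begin
    IO.popen(cmd, &:read).to_s.strip
  rescue Errno::ENOENT
    abort "#{cmd.first}: command not found"
  end
  abort "#{cmd.join(' ')} failed with status #{$?.exitstatus}" unless $?.success?
  abort "#{cmd.join(' ')} printed no path" if output.empty?
  abort "#{cmd.join(' ')} printed a relative path: #{output}" unless output.start_with?('/')
  output
end

homebrew_prefix = tool_output('brew', '--prefix')

developer_prefix = tool_output('xcode-select', '--print-path')
# Two levels above the developer directory, i.e. the Xcode.app bundle itself.
xcode_app_path = File.expand_path('../..', developer_prefix)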


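require 'erb'
# Render the template after __END__; the paths collected above are substituted
# verbatim into its sandbox regexes.
profile = ERB.new(DATA.read).result(TOPLEVEL_BINDING)

# Write the profile into a freshly created, mode 0700 directory with an
# unpredictable name, and create the file with O_EXCL, rather than at a fixed
# path in the world-writable /tmp. A fixed, predictable name would let another
# local user pre-create the file (or a symlink) or swap it between our write
# and sandbox-exec's read, i.e. substitute their own profile for ours. The
# directory is deliberately not removed: exec replaces this process before any
# cleanup could run, and sandbox-exec still has to read the file.
require 'tmpdir'
profile_dir = Dir.mktmpdir('sandbox-pod')
filename = File.join(profile_dir, 'sandbox-pod.sb')
File.open(filename, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(profile) }

puts profile

# Array form of exec: the command is executed directly, without a shell, so
# ARGV is passed through to `pod` untouched.
command = ['/usr/bin/sandbox-exec', '-f', filename, pod_bin, *ARGV]
exec(*command)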


__END__
(version 1)
(debug allow)

(allow file-ioctl)
(allow sysctl-read)
(allow file-read-metadata)
(allow mach-lookup)
(allow ipc-posix-shm)
(allow process-fork)
(allow system-socket)

; TODO: Needed for appledoc to install a docset
; (allow appleevent-send)

; TODO see if we can restrict this too
;(allow network-outbound (literal "/private/var/run/mDNSResponder"))
(allow network-outbound)

(allow process-exec
  (regex 
    #"^<%= pod_bin %>"
    #"^<%= ruby_bin %>"
    #"^<%= homebrew_prefix %>"
    #"^<%= File.join(developer_prefix, 'usr/bin/xcrun') %>"
    #"^<%= File.join(developer_prefix, 'usr/bin/xcodebuild') %>"
    #"^<%= File.join(developer_prefix, 'usr/bin/docsetutil') %>" ; Needed for appledoc
    #"^/bin/*"
    #"^/usr/bin/*"
  )
)

;; Allow these reads:
(allow file-read*
  (regex
    ; TODO see if we can restrict this more, but it's going to be hard
    #"^/Users/[^.]+/*"
    ;#"^/Users/[^.]+/.netrc"
    ;#"^/Users/[^.]+/.gemrc"
    ;#"^/Users/[^.]+/.gem/*"
    ;#"^/Users/[^.]+/Library/.*"
    #"^/Library/*"
    #"^/System/Library/*"
    #"^/usr/lib/*"
    #"^/usr/share/*"
    #"^/private/*"
    #"^/dev/*"
    #"^<%= homebrew_prefix %>"
    #"^<%= ruby_prefix %>"
    #"^<%= pod_prefix %>"
    #"^<%= xcode_app_path %>"
    #"^<%= Pod::Config.instance.repos_dir %>"
  )
)

;; Allow these writes:
(allow file-write*
  (regex
    #"^<%= Pod::Config.instance.project_root %>"
    #"^<%= Pod::Config.instance.repos_dir %>"
    #"^/Users/[^.]+/Library/Caches/CocoaPods/*"
    #"^/Users/[^.]+/Library/Developer/Shared/Documentation/DocSets"
    #"^/dev/dtracehelper"
    #"^/dev/tty"
    #"^/dev/null"
    #"^/private/var"
  )
)

(deny default)
