#!/usr/bin/env ruby

# This bin wrapper runs the `pod` command in a OS X sandbox. The reason for this
# is to ensure that people can’t use malicious code from pod specifications.
#
# It does this by creating a ‘seatbelt’ profile on the fly and executing the
# given command through `/usr/bin/sandbox-exec`. This profile format is an
# undocumented format, which uses TinyScheme to implement its DSL.
#
# Even though it uses a undocumented format, it’s actually very self-explanatory.
# Because we use a whitelist approach, `(deny default)`, any action that is
# denied is logged to `/var/log/system.log`. So tailing that should provide
# enough information on steps that need to be take to get something to work.
#
# For more information see:
#
# * https://github.com/CocoaPods/CocoaPods/issues/939
# * http://reverse.put.as/wp-content/uploads/2011/08/The-Apple-Sandbox-BHDC2011-Slides.pdf
# * http://reverse.put.as/wp-content/uploads/2011/08/The-Apple-Sandbox-BHDC2011-Paper.pdf
# * https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles
# * `$ man sandbox-exec`
# * `$ ls /usr/share/sandbox`

if $0 == __FILE__
  $:.unshift File.expand_path('../../lib', __FILE__)
end
require 'pathname'
require 'cocoapods/config'


pod_bin = File.expand_path('../pod', __FILE__)
pod_prefix = File.expand_path('../..', pod_bin)

require 'rbconfig'
ruby_bin = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
ruby_prefix = RbConfig::CONFIG['prefix']

prefixes = ['/bin', '/usr/bin']
prefixes << `brew --prefix`.strip unless `which brew`.strip.empty?
# TODO add MacPorts. More?

developer_prefix = `xcode-select --print-path`.strip
xcode_app_path = File.expand_path('../..', developer_prefix)


require 'erb'
profile = ERB.new(DATA.read, 0, '>').result(TOPLEVEL_BINDING)
puts profile

command = ['/usr/bin/sandbox-exec', '-p', profile, pod_bin, *ARGV]
#puts command
exec *command


__END__
(version 1)
(debug allow)

(import "mDNSResponder.sb")

(allow file-ioctl)
(allow sysctl-read)
(allow mach-lookup)
(allow ipc-posix-shm)
(allow process-fork)
(allow system-socket)

; TODO make this stricter if possible
(allow network-outbound)

(allow process-exec
  (regex 
    #"^<%= pod_bin %>"
    #"^<%= ruby_bin %>"
    #"^<%= File.join(developer_prefix, 'usr/bin/xcrun') %>"
    #"^<%= File.join(developer_prefix, 'usr/bin/xcodebuild') %>"
<% prefixes.each do |prefix| %>
    #"^<%= prefix %>/*"
<% end %>
  )
)

(allow file-read-metadata)
(allow file-read*
  (regex
    ; TODO see if we can restrict this more, but it's going to be hard
    #"^/Users/[^.]+/*"
    ;#"^/Users/[^.]+/.netrc"
    ;#"^/Users/[^.]+/.gemrc"
    ;#"^/Users/[^.]+/.gem/*"
    ;#"^/Users/[^.]+/Library/.*"
    #"^/Library/*"
    #"^/System/Library/*"
    #"^/usr/lib/*"
    #"^/usr/share/*"
    #"^/private/*"
    #"^/dev/*"
    #"^<%= ruby_prefix %>"
    #"^<%= pod_prefix %>"
    #"^<%= xcode_app_path %>"
    #"^<%= Pod::Config.instance.repos_dir %>"
<% prefixes.each do |prefix| %>
    #"^<%= prefix %>/*"
<% end %>
  )
)

(allow file-write*
  (regex
    #"^<%= Pod::Config.instance.project_root %>"
    #"^<%= Pod::Config.instance.repos_dir %>"
    #"^/Users/[^.]+/Library/Caches/CocoaPods/*"
    #"^/dev/dtracehelper"
    #"^/dev/tty"
    #"^/dev/null"
    #"^/private/var"
  )
)

(deny default)
