[Sandbox] Get `pod install` to work and run `rake examples:build` in the sandbox.

e749faab · Eloy Durán · 817af7c8 · e749faab · e749faab
Commit e749faab authored Apr 06, 2013 by Eloy Durán
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 10 deletions

Rakefile Rakefile +1 -1

sandbox-pod bin/sandbox-pod +38 -9

No files found.
--- a/Rakefile
+++ b/Rakefile
@@ -323,7 +323,7 @@ namespace :examples do
      puts "Building example: #{example}"
      Dir.chdir(example.to_s) do
        execute_command "rm -rf Pods DerivedData"
-        execute_command "#{'../../bin/' unless ENV['FROM_GEM']}pod install --verbose --no-update"
+        execute_command "#{'../../bin/' unless ENV['FROM_GEM']}sandbox-pod install --verbose --no-update"
        command = "xcodebuild -workspace '#{example.basename}.xcworkspace' -scheme '#{example.basename}'"
        if (example + 'Podfile').read.include?('platform :ios')
          # Specifically build against the simulator SDK so we don't have to deal with code signing.

--- a/bin/sandbox-pod
+++ b/bin/sandbox-pod
@@ -11,10 +11,16 @@ require 'cocoapods/config'
 pod_bin = File.expand_path('../pod', __FILE__)
-pod_root = File.expand_path('../..', pod_bin)
+pod_prefix = File.expand_path('../..', pod_bin)
 ruby_bin = `rbenv which ruby`.strip
-ruby_root = File.expand_path('../..', ruby_bin)
+ruby_prefix = File.expand_path('../..', ruby_bin)
+# TODO how are we going to handle the required tools in the PATH? e.g. git, svn, hg
+homebrew_prefix = `brew --prefix`.strip
+developer_prefix = `xcode-select --print-path`.strip
+xcode_app_path = File.expand_path('../..', developer_prefix)
 require 'erb'
@@ -38,11 +44,25 @@ __END__
 (allow mach-lookup)
 (allow ipc-posix-shm)
 (allow process-fork)
+(allow system-socket)
+; TODO this doesn’t actually work atm, because appledoc needs to be code signed for apple events to be allowed.
+; Needed for appldoc to install a docset
+; (allow appleevent-send)
+; TODO see if we can restrict this too
+;(allow network-outbound (literal "/private/var/run/mDNSResponder"))
+(allow network-outbound)
 (allow process-exec
  (regex 
    #"^<%= pod_bin %>"
    #"^<%= ruby_bin %>"
+    #"^<%= homebrew_prefix %>"
+    #"^<%= File.join(developer_prefix, 'usr/bin/xcrun') %>"
+    #"^<%= File.join(developer_prefix, 'usr/bin/xcodebuild') %>"
+    #"^<%= File.join(developer_prefix, 'usr/bin/docsetutil') %>" ; Needed for appledoc
+    #"^/bin/*"
    #"^/usr/bin/*"
  )
 )
@@ -50,16 +70,22 @@ __END__
 ;; Allow these reads:
 (allow file-read*
  (regex
-    #"^/Users/[^.]+/.gemrc"
+    ; TODO see if we can restrict this more, but it's going to be hard
-    #"^/Users/[^.]+/.gem/*"
+    #"^/Users/[^.]+/*"
+    ;#"^/Users/[^.]+/.netrc"
+    ;#"^/Users/[^.]+/.gemrc"
+    ;#"^/Users/[^.]+/.gem/*"
+    ;#"^/Users/[^.]+/Library/.*"
    #"^/Library/*"
    #"^/System/Library/*"
    #"^/usr/lib/*"
    #"^/usr/share/*"
    #"^/private/*"
    #"^/dev/*"
-    #"^<%= File.join(ruby_root, '*') %>"
+    #"^<%= homebrew_prefix %>"
-    #"^<%= File.join(pod_root, '*') %>"
+    #"^<%= ruby_prefix %>"
+    #"^<%= pod_prefix %>"
+    #"^<%= xcode_app_path %>"
    #"^<%= Pod::Config.instance.repos_dir %>"
  )
 )
@@ -67,10 +93,13 @@ __END__
 ;; Allow these writes:
 (allow file-write*
  (regex
-    #"^<%= File.join(Pod::Config.instance.project_root, '*') %>"
+    #"^<%= Pod::Config.instance.project_root %>"
-    ;#"^/Users/[^.]+/Library/.*"
+    #"^/Users/[^.]+/Library/Caches/CocoaPods/*"
-    ;#"^/private/var/*"
+    #"^/Users/[^.]+/Library/Developer/Shared/Documentation/DocSets"
    #"^/dev/dtracehelper"
+    #"^/dev/tty"
+    #"^/dev/null"
+    #"^/private/var"
  )
 )