static void sandboxShell()

in src/main/groovy/ossci/MacOSUtil.groovy [18:65]


  /**
   * Adds a shell step that runs {@code script} under macOS {@code sandbox-exec}.
   *
   * The generated step does three things, in order:
   * 1. writes a sandbox profile to {@code ci_scripts/sandbox_rules.sb};
   * 2. writes {@code script} to {@code ci_scripts/run_script.sh} and marks it executable;
   * 3. runs that file with {@code sandbox-exec -f} using the profile.
   *
   * The profile starts from {@code (allow default)} and only denies {@code file-write*}
   * outside the listed paths. It confines writes; reads, process execution and network
   * access are not restricted by it.
   *
   * The Groovy literals are single-quoted, so Groovy does not interpolate them.
   * {@code $PWD}, {@code $HOME} and {@code $TMPDIR} are expanded by the shell when it
   * writes the heredocs.
   *
   * NOTE(review): the heredoc that receives {@code script} also uses an unquoted
   * delimiter. The outer shell therefore expands variables and command substitutions
   * in {@code script} while writing run_script.sh, before sandbox-exec starts.
   * A line in {@code script} consisting only of {@code EOL} would end the heredoc early,
   * and the remaining lines would run as part of the outer, unsandboxed step.
   * A quoted delimiter would avoid both, but it changes how callers must escape
   * their scripts. Confirm against callers before changing.
   *
   * NOTE(review): the writable set includes all of {@code /private/var} and
   * {@code $PWD}, which contains {@code ci_scripts/} itself. Confirm that this
   * breadth is intended.
   *
   * @param context object whose {@code shell(String)} method receives the assembled step
   * @param script  shell source to run inside the sandbox, concatenated as-is
   */
  static void sandboxShell(context, String script) {
    // Part 1: profile generation, then the opening of the run_script.sh heredoc.
    String sandboxPreamble = '''
mkdir -p ci_scripts

cat >ci_scripts/sandbox_rules.sb << EOL

(version 1)
(allow default)

; Only allow writing to current directory, ccache, and a few log/temp/output paths
(deny file-write*
    (require-all
        (require-not (subpath "$PWD"))
        (require-not (subpath "$HOME/.ccache"))
        (require-not (subpath "$HOME/pytorch-ci-env"))
        (require-not (subpath "$TMPDIR"))
        (require-not (subpath "/private/tmp"))
        (require-not (subpath "/private/var"))
        (require-not (subpath "/var/tmp"))
        (require-not (literal "/dev/null"))
        (require-not (literal "/dev/zero"))
    )
)

EOL

cat >ci_scripts/run_script.sh << EOL
#!/bin/bash

# SCRIPT TO RUN IN MACOS BELOW THIS LINE
'''

    // Part 2: close the heredoc, make the script executable, and launch it sandboxed.
    String sandboxEpilogue = '''
# SCRIPT TO RUN IN MACOS ABOVE THIS LINE

EOL

chmod +x ci_scripts/run_script.sh

sandbox-exec -f ci_scripts/sandbox_rules.sb "$PWD/ci_scripts/run_script.sh"
'''

    // Plain String concatenation: the caller's script is placed between the two parts unmodified.
    String wrappedStep = sandboxPreamble + script + sandboxEpilogue

    context.with {
      shell(wrappedStep)
    }
  }