Sandbox the OUT_DIR environment variable

Currently, OUT_DIR is inherited from the parent process, leading to
scripts being able to find the output directory when the environment
variable is set to an absolute path. When sandboxing a command,
also rewrite the OUT_DIR environment variable to the sandboxed one,
so that scripts can't find the real out dir.

Bug: 307824623
Test: Presubmits
Change-Id: I325071121a60bddc4105df680fbdfe3d11dc94e2
Cole Faust
2024-08-23 14:41:51 -07:00
parent 079871cd55
commit 1ead86c1a5
4 changed files with 295 additions and 47 deletions


@@ -27,6 +27,7 @@ import (
"os"
"os/exec"
"path/filepath"
"regexp"
"strconv"
"strings"
"time"
@@ -51,6 +52,8 @@ const (
sandboxDirPlaceholder = "__SBOX_SANDBOX_DIR__"
)
var envVarNameRegex = regexp.MustCompile("^[a-zA-Z0-9_-]+$")
func init() {
flag.StringVar(&sandboxesRoot, "sandbox-path", "",
"root of temp directory to put the sandbox into")
@@ -238,6 +241,48 @@ func readManifest(file string) (*sbox_proto.Manifest, error) {
return &manifest, nil
}
func createEnv(command *sbox_proto.Command) ([]string, error) {
env := []string{}
if command.DontInheritEnv == nil || !*command.DontInheritEnv {
env = os.Environ()
}
for _, envVar := range command.Env {
if envVar.Name == nil || !envVarNameRegex.MatchString(*envVar.Name) {
name := "nil"
if envVar.Name != nil {
name = *envVar.Name
}
return nil, fmt.Errorf("Invalid environment variable name: %q", name)
}
if envVar.State == nil {
return nil, fmt.Errorf("Must set state")
}
switch state := envVar.State.(type) {
case *sbox_proto.EnvironmentVariable_Value:
env = append(env, *envVar.Name+"="+state.Value)
case *sbox_proto.EnvironmentVariable_Unset:
if !state.Unset {
return nil, fmt.Errorf("Can't have unset set to false")
}
prefix := *envVar.Name + "="
for i := 0; i < len(env); i++ {
if strings.HasPrefix(env[i], prefix) {
env = append(env[:i], env[i+1:]...)
i--
}
}
case *sbox_proto.EnvironmentVariable_Inherit:
if !state.Inherit {
return nil, fmt.Errorf("Can't have inherit set to false")
}
env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name))
default:
return nil, fmt.Errorf("Unhandled state type")
}
}
return env, nil
}
// runCommand runs a single command from a manifest. If the command references the
// __SBOX_DEPFILE__ placeholder it returns the name of the depfile that was used.
func runCommand(command *sbox_proto.Command, tempDir string, commandIndex int) (depFile string, err error) {
@@ -313,6 +358,12 @@ func runCommand(command *sbox_proto.Command, tempDir string, commandIndex int) (
return "", fmt.Errorf("Failed to update PATH: %w", err)
}
}
cmd.Env, err = createEnv(command)
if err != nil {
return "", err
}
err = cmd.Run()
if err != nil {
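Review bot: In createEnv's Inherit case, `os.Getenv` cannot tell an unset variable from an empty one, so a name that is missing from the parent environment is handed to the sandboxed command as `NAME=` instead of being left out. Using `if v, ok := os.LookupEnv(*envVar.Name); ok { env = append(env, *envVar.Name+"="+v) }` keeps absent variables absent, which matters most when dont_inherit_env is used to pass only an allow-list of variables. Separately, the Value case appends without removing an inherited entry of the same name, so the override takes effect only because os/exec uses the last duplicate key in Env. A comment on createEnv such as `// Later entries win: os/exec keeps only the last value for a duplicate key.` would protect the OUT_DIR override described in the commit message from a later refactor that dedups differently.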


@@ -14,8 +14,8 @@
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.26.0
// protoc v3.9.1
// protoc-gen-go v1.33.0
// protoc v3.21.12
// source: sbox.proto
package sbox_proto
@@ -116,6 +116,13 @@ type Command struct {
// A list of files that will be copied before the sandboxed command, and whose contents should be
// copied as if they were listed in copy_before.
RspFiles []*RspFile `protobuf:"bytes,6,rep,name=rsp_files,json=rspFiles" json:"rsp_files,omitempty"`
// The environment variables that will be set or unset while running the command.
// Also see dont_inherit_env.
Env []*EnvironmentVariable `protobuf:"bytes,7,rep,name=env" json:"env,omitempty"`
// By default, all environment variables are inherited from the calling process, but may be
// replaced or unset by env. If dont_inherit_env is set, no environment variables will be
// inherited, and instead only the variables in env will be defined.
DontInheritEnv *bool `protobuf:"varint,8,opt,name=dont_inherit_env,json=dontInheritEnv" json:"dont_inherit_env,omitempty"`
}
func (x *Command) Reset() {
@@ -192,6 +199,129 @@ func (x *Command) GetRspFiles() []*RspFile {
return nil
}
func (x *Command) GetEnv() []*EnvironmentVariable {
if x != nil {
return x.Env
}
return nil
}
func (x *Command) GetDontInheritEnv() bool {
if x != nil && x.DontInheritEnv != nil {
return *x.DontInheritEnv
}
return false
}
type EnvironmentVariable struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// The name of the environment variable
Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"`
// Types that are assignable to State:
//
// *EnvironmentVariable_Value
// *EnvironmentVariable_Unset
// *EnvironmentVariable_Inherit
State isEnvironmentVariable_State `protobuf_oneof:"state"`
}
func (x *EnvironmentVariable) Reset() {
*x = EnvironmentVariable{}
if protoimpl.UnsafeEnabled {
mi := &file_sbox_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *EnvironmentVariable) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*EnvironmentVariable) ProtoMessage() {}
func (x *EnvironmentVariable) ProtoReflect() protoreflect.Message {
mi := &file_sbox_proto_msgTypes[2]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use EnvironmentVariable.ProtoReflect.Descriptor instead.
func (*EnvironmentVariable) Descriptor() ([]byte, []int) {
return file_sbox_proto_rawDescGZIP(), []int{2}
}
func (x *EnvironmentVariable) GetName() string {
if x != nil && x.Name != nil {
return *x.Name
}
return ""
}
func (m *EnvironmentVariable) GetState() isEnvironmentVariable_State {
if m != nil {
return m.State
}
return nil
}
func (x *EnvironmentVariable) GetValue() string {
if x, ok := x.GetState().(*EnvironmentVariable_Value); ok {
return x.Value
}
return ""
}
func (x *EnvironmentVariable) GetUnset() bool {
if x, ok := x.GetState().(*EnvironmentVariable_Unset); ok {
return x.Unset
}
return false
}
func (x *EnvironmentVariable) GetInherit() bool {
if x, ok := x.GetState().(*EnvironmentVariable_Inherit); ok {
return x.Inherit
}
return false
}
type isEnvironmentVariable_State interface {
isEnvironmentVariable_State()
}
type EnvironmentVariable_Value struct {
// The value to set the environment variable to.
Value string `protobuf:"bytes,2,opt,name=value,oneof"`
}
type EnvironmentVariable_Unset struct {
// This environment variable should be unset in the command.
Unset bool `protobuf:"varint,3,opt,name=unset,oneof"`
}
type EnvironmentVariable_Inherit struct {
// This environment variable should be inherited from the parent process.
// Can be combined with dont_inherit_env to only inherit certain environment
// variables.
Inherit bool `protobuf:"varint,4,opt,name=inherit,oneof"`
}
func (*EnvironmentVariable_Value) isEnvironmentVariable_State() {}
func (*EnvironmentVariable_Unset) isEnvironmentVariable_State() {}
func (*EnvironmentVariable_Inherit) isEnvironmentVariable_State() {}
// Copy describes a from-to pair of files to copy. The paths may be relative, the root that they
// are relative to is specific to the context the Copy is used in and will be different for
// from and to.
@@ -209,7 +339,7 @@ type Copy struct {
func (x *Copy) Reset() {
*x = Copy{}
if protoimpl.UnsafeEnabled {
mi := &file_sbox_proto_msgTypes[2]
mi := &file_sbox_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -222,7 +352,7 @@ func (x *Copy) String() string {
func (*Copy) ProtoMessage() {}
func (x *Copy) ProtoReflect() protoreflect.Message {
mi := &file_sbox_proto_msgTypes[2]
mi := &file_sbox_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -235,7 +365,7 @@ func (x *Copy) ProtoReflect() protoreflect.Message {
// Deprecated: Use Copy.ProtoReflect.Descriptor instead.
func (*Copy) Descriptor() ([]byte, []int) {
return file_sbox_proto_rawDescGZIP(), []int{2}
return file_sbox_proto_rawDescGZIP(), []int{3}
}
func (x *Copy) GetFrom() string {
@@ -274,7 +404,7 @@ type RspFile struct {
func (x *RspFile) Reset() {
*x = RspFile{}
if protoimpl.UnsafeEnabled {
mi := &file_sbox_proto_msgTypes[3]
mi := &file_sbox_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -287,7 +417,7 @@ func (x *RspFile) String() string {
func (*RspFile) ProtoMessage() {}
func (x *RspFile) ProtoReflect() protoreflect.Message {
mi := &file_sbox_proto_msgTypes[3]
mi := &file_sbox_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -300,7 +430,7 @@ func (x *RspFile) ProtoReflect() protoreflect.Message {
// Deprecated: Use RspFile.ProtoReflect.Descriptor instead.
func (*RspFile) Descriptor() ([]byte, []int) {
return file_sbox_proto_rawDescGZIP(), []int{3}
return file_sbox_proto_rawDescGZIP(), []int{4}
}
func (x *RspFile) GetFile() string {
@@ -330,7 +460,7 @@ type PathMapping struct {
func (x *PathMapping) Reset() {
*x = PathMapping{}
if protoimpl.UnsafeEnabled {
mi := &file_sbox_proto_msgTypes[4]
mi := &file_sbox_proto_msgTypes[5]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -343,7 +473,7 @@ func (x *PathMapping) String() string {
func (*PathMapping) ProtoMessage() {}
func (x *PathMapping) ProtoReflect() protoreflect.Message {
mi := &file_sbox_proto_msgTypes[4]
mi := &file_sbox_proto_msgTypes[5]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -356,7 +486,7 @@ func (x *PathMapping) ProtoReflect() protoreflect.Message {
// Deprecated: Use PathMapping.ProtoReflect.Descriptor instead.
func (*PathMapping) Descriptor() ([]byte, []int) {
return file_sbox_proto_rawDescGZIP(), []int{4}
return file_sbox_proto_rawDescGZIP(), []int{5}
}
func (x *PathMapping) GetFrom() string {
@@ -383,7 +513,7 @@ var file_sbox_proto_rawDesc = []byte{
0x08, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x6f, 0x75, 0x74,
0x70, 0x75, 0x74, 0x5f, 0x64, 0x65, 0x70, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
0x09, 0x52, 0x0d, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x44, 0x65, 0x70, 0x66, 0x69, 0x6c, 0x65,
0x22, 0xdc, 0x01, 0x0a, 0x07, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x12, 0x2b, 0x0a, 0x0b,
0x22, 0xb3, 0x02, 0x0a, 0x07, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x12, 0x2b, 0x0a, 0x0b,
0x63, 0x6f, 0x70, 0x79, 0x5f, 0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28,
0x0b, 0x32, 0x0a, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x43, 0x6f, 0x70, 0x79, 0x52, 0x0a, 0x63,
0x6f, 0x70, 0x79, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x68, 0x64,
@@ -396,23 +526,37 @@ var file_sbox_proto_rawDesc = []byte{
0x73, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x48,
0x61, 0x73, 0x68, 0x12, 0x2a, 0x0a, 0x09, 0x72, 0x73, 0x70, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73,
0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x52, 0x73,
0x70, 0x46, 0x69, 0x6c, 0x65, 0x52, 0x08, 0x72, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22,
0x4a, 0x0a, 0x04, 0x43, 0x6f, 0x70, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18,
0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74,
0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x12, 0x1e, 0x0a, 0x0a, 0x65,
0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52,
0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x22, 0x55, 0x0a, 0x07, 0x52,
0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x01,
0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x36, 0x0a, 0x0d, 0x70, 0x61,
0x74, 0x68, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
0x0b, 0x32, 0x11, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70,
0x70, 0x69, 0x6e, 0x67, 0x52, 0x0c, 0x70, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
0x67, 0x73, 0x22, 0x31, 0x0a, 0x0b, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52,
0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28,
0x09, 0x52, 0x02, 0x74, 0x6f, 0x42, 0x23, 0x5a, 0x21, 0x61, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64,
0x2f, 0x73, 0x6f, 0x6f, 0x6e, 0x67, 0x2f, 0x63, 0x6d, 0x64, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x2f,
0x73, 0x62, 0x6f, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x70, 0x46, 0x69, 0x6c, 0x65, 0x52, 0x08, 0x72, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12,
0x2b, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73,
0x62, 0x6f, 0x78, 0x2e, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x56,
0x61, 0x72, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x12, 0x28, 0x0a, 0x10,
0x64, 0x6f, 0x6e, 0x74, 0x5f, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x65, 0x6e, 0x76,
0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x64, 0x6f, 0x6e, 0x74, 0x49, 0x6e, 0x68, 0x65,
0x72, 0x69, 0x74, 0x45, 0x6e, 0x76, 0x22, 0x7e, 0x0a, 0x13, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f,
0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x56, 0x61, 0x72, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x12, 0x0a,
0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d,
0x65, 0x12, 0x16, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x48, 0x00, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x16, 0x0a, 0x05, 0x75, 0x6e, 0x73,
0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x05, 0x75, 0x6e, 0x73, 0x65,
0x74, 0x12, 0x1a, 0x0a, 0x07, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x18, 0x04, 0x20, 0x01,
0x28, 0x08, 0x48, 0x00, 0x52, 0x07, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x42, 0x07, 0x0a,
0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x4a, 0x0a, 0x04, 0x43, 0x6f, 0x70, 0x79, 0x12, 0x12,
0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72,
0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02,
0x74, 0x6f, 0x12, 0x1e, 0x0a, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65,
0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62,
0x6c, 0x65, 0x22, 0x55, 0x0a, 0x07, 0x52, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x12, 0x0a,
0x04, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x69, 0x6c,
0x65, 0x12, 0x36, 0x0a, 0x0d, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e,
0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e,
0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0c, 0x70, 0x61, 0x74,
0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x31, 0x0a, 0x0b, 0x50, 0x61, 0x74,
0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d,
0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02,
0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x42, 0x23, 0x5a, 0x21,
0x61, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x2f, 0x73, 0x6f, 0x6f, 0x6e, 0x67, 0x2f, 0x63, 0x6d,
0x64, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74,
0x6f,
}
var (
@@ -427,25 +571,27 @@ func file_sbox_proto_rawDescGZIP() []byte {
return file_sbox_proto_rawDescData
}
var file_sbox_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
var file_sbox_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
var file_sbox_proto_goTypes = []interface{}{
(*Manifest)(nil), // 0: sbox.Manifest
(*Command)(nil), // 1: sbox.Command
(*Copy)(nil), // 2: sbox.Copy
(*RspFile)(nil), // 3: sbox.RspFile
(*PathMapping)(nil), // 4: sbox.PathMapping
(*Manifest)(nil), // 0: sbox.Manifest
(*Command)(nil), // 1: sbox.Command
(*EnvironmentVariable)(nil), // 2: sbox.EnvironmentVariable
(*Copy)(nil), // 3: sbox.Copy
(*RspFile)(nil), // 4: sbox.RspFile
(*PathMapping)(nil), // 5: sbox.PathMapping
}
var file_sbox_proto_depIdxs = []int32{
1, // 0: sbox.Manifest.commands:type_name -> sbox.Command
2, // 1: sbox.Command.copy_before:type_name -> sbox.Copy
2, // 2: sbox.Command.copy_after:type_name -> sbox.Copy
3, // 3: sbox.Command.rsp_files:type_name -> sbox.RspFile
4, // 4: sbox.RspFile.path_mappings:type_name -> sbox.PathMapping
5, // [5:5] is the sub-list for method output_type
5, // [5:5] is the sub-list for method input_type
5, // [5:5] is the sub-list for extension type_name
5, // [5:5] is the sub-list for extension extendee
0, // [0:5] is the sub-list for field type_name
3, // 1: sbox.Command.copy_before:type_name -> sbox.Copy
3, // 2: sbox.Command.copy_after:type_name -> sbox.Copy
4, // 3: sbox.Command.rsp_files:type_name -> sbox.RspFile
2, // 4: sbox.Command.env:type_name -> sbox.EnvironmentVariable
5, // 5: sbox.RspFile.path_mappings:type_name -> sbox.PathMapping
6, // [6:6] is the sub-list for method output_type
6, // [6:6] is the sub-list for method input_type
6, // [6:6] is the sub-list for extension type_name
6, // [6:6] is the sub-list for extension extendee
0, // [0:6] is the sub-list for field type_name
}
func init() { file_sbox_proto_init() }
@@ -479,7 +625,7 @@ func file_sbox_proto_init() {
}
}
file_sbox_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*Copy); i {
switch v := v.(*EnvironmentVariable); i {
case 0:
return &v.state
case 1:
@@ -491,7 +637,7 @@ func file_sbox_proto_init() {
}
}
file_sbox_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*RspFile); i {
switch v := v.(*Copy); i {
case 0:
return &v.state
case 1:
@@ -503,6 +649,18 @@ func file_sbox_proto_init() {
}
}
file_sbox_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*RspFile); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_sbox_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*PathMapping); i {
case 0:
return &v.state
@@ -515,13 +673,18 @@ func file_sbox_proto_init() {
}
}
}
file_sbox_proto_msgTypes[2].OneofWrappers = []interface{}{
(*EnvironmentVariable_Value)(nil),
(*EnvironmentVariable_Unset)(nil),
(*EnvironmentVariable_Inherit)(nil),
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_sbox_proto_rawDesc,
NumEnums: 0,
NumMessages: 5,
NumMessages: 6,
NumExtensions: 0,
NumServices: 0,
},


@@ -51,6 +51,30 @@ message Command {
// A list of files that will be copied before the sandboxed command, and whose contents should be
// copied as if they were listed in copy_before.
repeated RspFile rsp_files = 6;
// The environment variables that will be set or unset while running the command.
// Also see dont_inherit_env.
repeated EnvironmentVariable env = 7;
// By default, all environment variables are inherited from the calling process, but may be
// replaced or unset by env. If dont_inherit_env is set, no environment variables will be
// inherited, and instead only the variables in env will be defined.
optional bool dont_inherit_env = 8;
}
message EnvironmentVariable {
// The name of the environment variable
required string name = 1;
oneof state {
// The value to set the environment variable to.
string value = 2;
// This environment variable should be unset in the command.
bool unset = 3;
// This environment variable should be inherited from the parent process.
// Can be combined with dont_inherit_env to only inherit certain environment
// variables.
bool inherit = 4;
}
}
// Copy describes a from-to pair of files to copy. The paths may be relative, the root that they