StrixOS/build_soong
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix nested minijail0 execution

Browse Source 
We've got an internal testcase that uses minijail0 inside an Android.mk
rule. That was failing since we turned on the linux sandbox, as /proc
was mounted read-only, which prevented setting up the uid/gid mappings
for a child namespace.

Fixes: 122985455
Test: treehugger & forrest of breaking build
Change-Id: Ia77a91a7f4eeeb8a24e84075d8272287f5087587
This commit is contained in:
Dan Willemsen
2019-01-16 23:02:24 -08:00
parent c22c1bf130
commit 3a4dbd651f
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ui/build/sandbox_linux.go
View File

@@ -127,6 +127,9 @@ func (c *Cmd) wrapSandbox() {
// in soong_ui
"-e",
// Mount /proc read-write, necessary to run a nested nsjail or minijail0
"--proc_rw",
// Use a consistent user & group.
// Note that these are mapped back to the real UID/GID when
// doing filesystem operations, so they're rather arbitrary.