Merge "Mount soong sandbox chroot as read-only" am: e7190f29de

Change-Id: Ie1cd52246470286e1d0406922725e147571b25d3
This commit is contained in:
Diego Wilson
2020-04-03 17:05:01 +00:00
committed by Automerger Merge Worker

View File

@@ -54,6 +54,9 @@ var sandboxConfig struct {
working bool working bool
group string group string
srcDir string
outDir string
distDir string
} }
func (c *Cmd) sandboxSupported() bool { func (c *Cmd) sandboxSupported() bool {
@@ -72,12 +75,20 @@ func (c *Cmd) sandboxSupported() bool {
sandboxConfig.group = "nobody" sandboxConfig.group = "nobody"
} }
sandboxConfig.srcDir = absPath(c.ctx, ".")
sandboxConfig.outDir = absPath(c.ctx, c.config.OutDir())
sandboxConfig.distDir = absPath(c.ctx, c.config.DistDir())
cmd := exec.CommandContext(c.ctx.Context, nsjailPath, cmd := exec.CommandContext(c.ctx.Context, nsjailPath,
"-H", "android-build", "-H", "android-build",
"-e", "-e",
"-u", "nobody", "-u", "nobody",
"-g", sandboxConfig.group, "-g", sandboxConfig.group,
"-B", "/", "-R", "/",
"-B", sandboxConfig.srcDir,
"-B", "/tmp",
"-B", sandboxConfig.outDir,
"-B", sandboxConfig.distDir,
"--disable_clone_newcgroup", "--disable_clone_newcgroup",
"--", "--",
"/bin/bash", "-c", `if [ $(hostname) == "android-build" ]; then echo "Android" "Success"; else echo Failure; fi`) "/bin/bash", "-c", `if [ $(hostname) == "android-build" ]; then echo "Android" "Success"; else echo Failure; fi`)
@@ -144,8 +155,20 @@ func (c *Cmd) wrapSandbox() {
"--rlimit_fsize", "soft", "--rlimit_fsize", "soft",
"--rlimit_nofile", "soft", "--rlimit_nofile", "soft",
// For now, just map everything. Eventually we should limit this, especially to make most things readonly. // For now, just map everything. Make most things readonly.
"-B", "/", "-R", "/",
// Mount source are read-write
"-B", sandboxConfig.srcDir,
//Mount out dir as read-write
"-B", sandboxConfig.outDir,
//Mount dist dir as read-write
"-B", sandboxConfig.distDir,
// Mount a writable tmp dir
"-B", "/tmp",
// Disable newcgroup for now, since it may require newer kernels // Disable newcgroup for now, since it may require newer kernels
// TODO: try out cgroups // TODO: try out cgroups