Merge "Sandbox environment variables" into main am: 2f33c04a97
Original change: https://android-review.googlesource.com/c/platform/build/soong/+/3245994 Change-Id: I2af033a7fbbef8928553efffe79b26d55d36e96a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
@@ -463,6 +463,8 @@ func (r *RuleBuilder) Build(name string, desc string) {
|
|||||||
r.build(name, desc, true)
|
r.build(name, desc, true)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var sandboxEnvOnceKey = NewOnceKey("sandbox_environment_variables")
|
||||||
|
|
||||||
func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString bool) {
|
func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString bool) {
|
||||||
name = ninjaNameEscape(name)
|
name = ninjaNameEscape(name)
|
||||||
|
|
||||||
@@ -580,16 +582,44 @@ func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString b
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set OUT_DIR to the relative path of the sandboxed out directory.
|
// Only allow the build to access certain environment variables
|
||||||
// Otherwise, OUT_DIR will be inherited from the rest of the build,
|
command.DontInheritEnv = proto.Bool(true)
|
||||||
// which will allow scripts to escape the sandbox if OUT_DIR is an
|
command.Env = r.ctx.Config().Once(sandboxEnvOnceKey, func() interface{} {
|
||||||
// absolute path.
|
// The list of allowed variables was found by running builds of all
|
||||||
command.Env = append(command.Env, &sbox_proto.EnvironmentVariable{
|
// genrules and seeing what failed
|
||||||
Name: proto.String("OUT_DIR"),
|
var result []*sbox_proto.EnvironmentVariable
|
||||||
State: &sbox_proto.EnvironmentVariable_Value{
|
inheritedVars := []string{
|
||||||
Value: sboxOutSubDir,
|
"PATH",
|
||||||
},
|
"JAVA_HOME",
|
||||||
})
|
"TMPDIR",
|
||||||
|
// Allow RBE variables because the art tests invoke RBE manually
|
||||||
|
"RBE_log_dir",
|
||||||
|
"RBE_platform",
|
||||||
|
"RBE_server_address",
|
||||||
|
// TODO: RBE_exec_root is set to the absolute path to the root of the source
|
||||||
|
// tree, which we don't want sandboxed actions to find. Remap it to ".".
|
||||||
|
"RBE_exec_root",
|
||||||
|
}
|
||||||
|
for _, v := range inheritedVars {
|
||||||
|
result = append(result, &sbox_proto.EnvironmentVariable{
|
||||||
|
Name: proto.String(v),
|
||||||
|
State: &sbox_proto.EnvironmentVariable_Inherit{
|
||||||
|
Inherit: true,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
// Set OUT_DIR to the relative path of the sandboxed out directory.
|
||||||
|
// Otherwise, OUT_DIR will be inherited from the rest of the build,
|
||||||
|
// which will allow scripts to escape the sandbox if OUT_DIR is an
|
||||||
|
// absolute path.
|
||||||
|
result = append(result, &sbox_proto.EnvironmentVariable{
|
||||||
|
Name: proto.String("OUT_DIR"),
|
||||||
|
State: &sbox_proto.EnvironmentVariable_Value{
|
||||||
|
Value: sboxOutSubDir,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
return result
|
||||||
|
}).([]*sbox_proto.EnvironmentVariable)
|
||||||
command.Chdir = proto.Bool(true)
|
command.Chdir = proto.Bool(true)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
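Review bot: `TMPDIR` is passed through with `Inherit: true` in `inheritedVars`, yet the comment kept for `OUT_DIR` says an inherited absolute path lets scripts escape the sandbox, and the same reasoning would apply to `TMPDIR` if the outer build sets it to an absolute directory (not visible in this hunk). Only `RBE_exec_root` carries a TODO for this, so I would at least record it next to the entry, e.g. `// TODO: TMPDIR is inherited unchanged; if it is absolute it points outside the sandbox, remap it like OUT_DIR.` Separately, the slice returned from `Once(sandboxEnvOnceKey, ...)` is the same object for every command, so a one-line comment stating that `command.Env` must be treated as read-only after this assignment would protect against a later `append` or in-place edit leaking across rules. The body of `build` starts and ends outside the hunk.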
@@ -275,7 +275,10 @@ func createEnv(command *sbox_proto.Command) ([]string, error) {
|
|||||||
if !state.Inherit {
|
if !state.Inherit {
|
||||||
return nil, fmt.Errorf("Can't have inherit set to false")
|
return nil, fmt.Errorf("Can't have inherit set to false")
|
||||||
}
|
}
|
||||||
env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name))
|
val, ok := os.LookupEnv(*envVar.Name)
|
||||||
|
if ok {
|
||||||
|
env = append(env, *envVar.Name+"="+val)
|
||||||
|
}
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("Unhandled state type")
|
return nil, fmt.Errorf("Unhandled state type")
|
||||||
}
|
}
|
||||||
|
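Review bot: The new `os.LookupEnv` branch silently skips an allowlisted variable that is unset in the parent, and nothing at that spot says the omission is deliberate. A short comment above `if ok {` would make the intent explicit, e.g. `// Leave variables that are unset in the parent unset in the sandbox instead of exporting them as empty strings.` Also, `*envVar.Name` is dereferenced here without a nil check that I can see; the enclosing loop and switch begin outside the hunk, so this may already be validated earlier, but if not, a command proto with a missing name would panic rather than return an error.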