src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java - bazel - Git at Google

 // Copyright 2014 The Bazel Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //    http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package com.google.devtools.build.lib.sandbox;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.io.Files;
 import com.google.devtools.build.lib.actions.ActionExecutionContext;
 import com.google.devtools.build.lib.actions.ActionInput;
 import com.google.devtools.build.lib.actions.ActionInputHelper;
 import com.google.devtools.build.lib.actions.ActionStatusMessage;
 import com.google.devtools.build.lib.actions.Artifact;
 import com.google.devtools.build.lib.actions.EnvironmentalExecException;
 import com.google.devtools.build.lib.actions.ExecException;
 import com.google.devtools.build.lib.actions.ExecutionStrategy;
 import com.google.devtools.build.lib.actions.Executor;
 import com.google.devtools.build.lib.actions.Spawn;
 import com.google.devtools.build.lib.actions.SpawnActionContext;
 import com.google.devtools.build.lib.actions.UserExecException;
 import com.google.devtools.build.lib.analysis.AnalysisUtils;
 import com.google.devtools.build.lib.analysis.BlazeDirectories;
 import com.google.devtools.build.lib.buildtool.BuildRequest;
 import com.google.devtools.build.lib.cmdline.Label;
 import com.google.devtools.build.lib.rules.cpp.CppCompileAction;
 import com.google.devtools.build.lib.rules.fileset.FilesetActionContext;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
 import com.google.devtools.build.lib.standalone.StandaloneSpawnStrategy;
 import com.google.devtools.build.lib.util.Preconditions;
 import com.google.devtools.build.lib.util.io.FileOutErr;
 import com.google.devtools.build.lib.vfs.FileSystem;
 import com.google.devtools.build.lib.vfs.Path;
 import com.google.devtools.build.lib.vfs.PathFragment;
 import java.io.File;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicInteger;

 /**
  * Strategy that uses sandboxing to execute a process.
  */
 @ExecutionStrategy(
   name = {"sandboxed"},
   contextType = SpawnActionContext.class
 )
 public class LinuxSandboxedStrategy implements SpawnActionContext {
   private static Boolean sandboxingSupported = null;

   public static boolean isSupported(CommandEnvironment env) {
     if (sandboxingSupported == null) {
       // Currently LinuxSandboxRunner support <= LinuxAlmostSandboxRunner support
       sandboxingSupported =
           LinuxAlmostSandboxRunner.isSupported(env) || LinuxSandboxRunner.isSupported(env);
     }
     return sandboxingSupported.booleanValue();
   }

   private final ExecutorService backgroundWorkers;

   private final BuildRequest buildRequest;
   private final SandboxOptions sandboxOptions;
   private final BlazeDirectories blazeDirs;
   private final Path execRoot;
   private final boolean verboseFailures;
   private final UUID uuid = UUID.randomUUID();
   private final AtomicInteger execCounter = new AtomicInteger();
   private final String productName;
   private final boolean fullySupported;

   LinuxSandboxedStrategy(
       BuildRequest buildRequest,
       BlazeDirectories blazeDirs,
       ExecutorService backgroundWorkers,
       boolean verboseFailures,
       String productName,
       boolean fullySupported) {
     this.buildRequest = buildRequest;
     this.sandboxOptions = buildRequest.getOptions(SandboxOptions.class);
     this.blazeDirs = blazeDirs;
     this.execRoot = blazeDirs.getExecRoot();
     this.backgroundWorkers = Preconditions.checkNotNull(backgroundWorkers);
     this.verboseFailures = verboseFailures;
     this.productName = productName;
     this.fullySupported = fullySupported;
   }

   /**
    * Executes the given {@code spawn}.
    */
   @Override
   public void exec(Spawn spawn, ActionExecutionContext actionExecutionContext)
       throws ExecException {
     Executor executor = actionExecutionContext.getExecutor();

     // Certain actions can't run remotely or in a sandbox - pass them on to the standalone strategy.
     if (!spawn.isRemotable()) {
       StandaloneSpawnStrategy standaloneStrategy =
           Preconditions.checkNotNull(executor.getContext(StandaloneSpawnStrategy.class));
       standaloneStrategy.exec(spawn, actionExecutionContext);
       return;
     }

     if (executor.reportsSubcommands()) {
       executor.reportSubcommand(
           Label.print(spawn.getOwner().getLabel()) + " [" + spawn.getResourceOwner().prettyPrint()
               + "]", spawn.asShellCommand(executor.getExecRoot()));
     }

     executor
         .getEventBus()
         .post(ActionStatusMessage.runningStrategy(spawn.getResourceOwner(), "sandbox"));

     FileOutErr outErr = actionExecutionContext.getFileOutErr();

     // The execId is a unique ID just for this invocation of "exec".
     String execId = uuid + "-" + execCounter.getAndIncrement();

     // Each invocation of "exec" gets its own sandbox.
     Path sandboxExecRoot =
         blazeDirs.getOutputBase().getRelative(productName + "-sandbox").getRelative(execId);

     // Gather all necessary mounts for the sandbox.
     Map<PathFragment, Path> mounts;
     try {
       mounts = getMounts(spawn, actionExecutionContext);
     } catch (IllegalArgumentException | IOException e) {
       throw new EnvironmentalExecException("Could not prepare mounts for sandbox execution", e);
     }

     Map<String, String> env = new HashMap<>(spawn.getEnvironment());

     ImmutableSet<Path> writablePaths = getWritablePaths(sandboxExecRoot, env);
     ImmutableList<Path> inaccessiblePaths = getInaccessiblePaths();

     int timeout = getTimeout(spawn);

     ImmutableSet.Builder<PathFragment> outputFiles = ImmutableSet.builder();
     for (PathFragment optionalOutput : spawn.getOptionalOutputFiles()) {
       Preconditions.checkArgument(!optionalOutput.isAbsolute());
       outputFiles.add(optionalOutput);
     }
     for (ActionInput output : spawn.getOutputFiles()) {
       outputFiles.add(new PathFragment(output.getExecPathString()));
     }

     try {
       final LinuxSandboxRunner runner;
       if (fullySupported) {
         runner =
             new LinuxSandboxRunner(
                 execRoot,
                 sandboxExecRoot,
                 writablePaths,
                 inaccessiblePaths,
                 verboseFailures,
                 sandboxOptions.sandboxDebug);
       } else {
         // Then LinuxAlmostSandboxRunner must be supported
         runner =
             new LinuxAlmostSandboxRunner(
                 execRoot,
                 sandboxExecRoot,
                 writablePaths,
                 inaccessiblePaths,
                 verboseFailures,
                 sandboxOptions.sandboxDebug);
       }
       try {
         runner.run(
             spawn.getArguments(),
             env,
             outErr,
             mounts,
             outputFiles.build(),
             timeout,
             SandboxHelpers.shouldAllowNetwork(buildRequest, spawn));
       } finally {
         // Due to the Linux kernel behavior, if we try to remove the sandbox too quickly after the
         // process has exited, we get "Device busy" errors because some of the mounts have not yet
         // been undone. A second later it usually works. We will just clean the old sandboxes up
         // using a background worker.
         backgroundWorkers.execute(
             new Runnable() {
               @Override
               public void run() {
                 try {
                   while (!Thread.currentThread().isInterrupted()) {
                     try {
                       runner.cleanup();
                       return;
                     } catch (IOException e2) {
                       // Sleep & retry.
                       Thread.sleep(250);
                     }
                   }
                 } catch (InterruptedException e) {
                   // Exit.
                 }
               }
             });
       }
     } catch (IOException e) {
       throw new UserExecException("I/O error during sandboxed execution", e);
     }
   }

   private int getTimeout(Spawn spawn) throws ExecException {
     String timeoutStr = spawn.getExecutionInfo().get("timeout");
     if (timeoutStr != null) {
       try {
         return Integer.parseInt(timeoutStr);
       } catch (NumberFormatException e) {
         throw new UserExecException("Could not parse timeout", e);
       }
     }
     return -1;
   }

   /** Gets the list of directories that the spawn will assume to be writable. */
   private ImmutableSet<Path> getWritablePaths(Path sandboxExecRoot, Map<String, String> env) {
     ImmutableSet.Builder<Path> writablePaths = ImmutableSet.builder();
     // We have to make the TEST_TMPDIR directory writable if it is specified.
     if (env.containsKey("TEST_TMPDIR")) {
       Path testTmpDir = sandboxExecRoot.getRelative(env.get("TEST_TMPDIR"));
       writablePaths.add(testTmpDir);
       env.put("TEST_TMPDIR", testTmpDir.getPathString());
     }
     return writablePaths.build();
   }

   private ImmutableList<Path> getInaccessiblePaths() {
     ImmutableList.Builder<Path> inaccessiblePaths = ImmutableList.builder();
     for (String path : sandboxOptions.sandboxBlockPath) {
       inaccessiblePaths.add(blazeDirs.getFileSystem().getPath(path));
     }
     return inaccessiblePaths.build();
   }

   private Map<PathFragment, Path> getMounts(Spawn spawn, ActionExecutionContext executionContext)
       throws IOException, ExecException {
     Map<PathFragment, Path> mounts = new HashMap<>();
     mountRunfilesFromManifests(mounts, spawn);
     mountRunfilesFromSuppliers(mounts, spawn);
     mountFilesFromFilesetManifests(mounts, spawn, executionContext);
     mountInputs(mounts, spawn, executionContext);
     return mounts;
   }

   /** Mount all runfiles that the spawn needs as specified in its runfiles manifests. */
   private void mountRunfilesFromManifests(Map<PathFragment, Path> mounts, Spawn spawn)
       throws IOException, ExecException {
     for (Map.Entry<PathFragment, Artifact> manifest : spawn.getRunfilesManifests().entrySet()) {
       String manifestFilePath = manifest.getValue().getPath().getPathString();
       Preconditions.checkState(!manifest.getKey().isAbsolute());
       PathFragment targetDirectory = manifest.getKey();

       parseManifestFile(
           blazeDirs.getFileSystem(),
           mounts,
           targetDirectory,
           new File(manifestFilePath),
           false,
           "");
     }
   }

   /** Mount all files that the spawn needs as specified in its fileset manifests. */
   private void mountFilesFromFilesetManifests(
       Map<PathFragment, Path> mounts, Spawn spawn, ActionExecutionContext executionContext)
       throws IOException, ExecException {
     final FilesetActionContext filesetContext =
         executionContext.getExecutor().getContext(FilesetActionContext.class);
     for (Artifact fileset : spawn.getFilesetManifests()) {
       File manifestFile =
           new File(
               execRoot.getPathString(),
               AnalysisUtils.getManifestPathFromFilesetPath(fileset.getExecPath()).getPathString());
       PathFragment targetDirectory = fileset.getExecPath();

       parseManifestFile(
           blazeDirs.getFileSystem(),
           mounts,
           targetDirectory,
           manifestFile,
           true,
           filesetContext.getWorkspaceName());
     }
   }

   /** A parser for the MANIFEST files used by Filesets and runfiles. */
   static void parseManifestFile(
       FileSystem fs,
       Map<PathFragment, Path> mounts,
       PathFragment targetDirectory,
       File manifestFile,
       boolean isFilesetManifest,
       String workspaceName)
       throws IOException, ExecException {
     int lineNum = 0;
     for (String line : Files.readLines(manifestFile, StandardCharsets.UTF_8)) {
       if (isFilesetManifest && (++lineNum % 2 == 0)) {
         continue;
       }
       if (line.isEmpty()) {
         continue;
       }

       String[] fields = line.trim().split(" ");

       // The "target" field is always a relative path that is to be interpreted in this way:
       // (1) If this is a fileset manifest and our workspace name is not empty, the first segment
       // of each "target" path must be the workspace name, which is then stripped before further
       // processing.
       // (2) The "target" path is then appended to the "targetDirectory", which is a path relative
       // to the execRoot. Together, this results in the full path in the execRoot in which place a
       // symlink referring to "source" has to be created (see below).
       PathFragment targetPath;
       if (isFilesetManifest) {
         PathFragment targetPathFragment = new PathFragment(fields[0]);
         if (!workspaceName.isEmpty()) {
           if (!targetPathFragment.getSegment(0).equals(workspaceName)) {
             throw new EnvironmentalExecException(
                 "Fileset manifest line must start with workspace name");
           }
           targetPathFragment = targetPathFragment.subFragment(1, targetPathFragment.segmentCount());
         }
         targetPath = targetDirectory.getRelative(targetPathFragment);
       } else {
         targetPath = targetDirectory.getRelative(fields[0]);
       }

       // The "source" field, if it exists, is always an absolute path and may point to any file in
       // the filesystem (it is not limited to files in the workspace or execroot).
       Path source;
       switch (fields.length) {
         case 1:
           source = fs.getPath("/dev/null");
           break;
         case 2:
           source = fs.getPath(fields[1]);
           break;
         default:
           throw new IllegalStateException("'" + line + "' splits into more than 2 parts");
       }

       mounts.put(targetPath, source);
     }
   }

   /** Mount all runfiles that the spawn needs as specified via its runfiles suppliers. */
   private void mountRunfilesFromSuppliers(Map<PathFragment, Path> mounts, Spawn spawn)
       throws IOException {
     Map<PathFragment, Map<PathFragment, Artifact>> rootsAndMappings =
         spawn.getRunfilesSupplier().getMappings();
     for (Map.Entry<PathFragment, Map<PathFragment, Artifact>> rootAndMappings :
         rootsAndMappings.entrySet()) {
       PathFragment root = rootAndMappings.getKey();
       if (root.isAbsolute()) {
         root = root.relativeTo(execRoot.asFragment());
       }
       for (Map.Entry<PathFragment, Artifact> mapping : rootAndMappings.getValue().entrySet()) {
         Artifact sourceArtifact = mapping.getValue();
         PathFragment source =
             (sourceArtifact != null) ? sourceArtifact.getExecPath() : new PathFragment("/dev/null");

         Preconditions.checkArgument(!mapping.getKey().isAbsolute());
         PathFragment target = root.getRelative(mapping.getKey());
         mounts.put(target, execRoot.getRelative(source));
       }
     }
   }

   /** Mount all inputs of the spawn. */
   private void mountInputs(
       Map<PathFragment, Path> mounts, Spawn spawn, ActionExecutionContext actionExecutionContext) {
     List<ActionInput> inputs =
         ActionInputHelper.expandArtifacts(
             spawn.getInputFiles(), actionExecutionContext.getArtifactExpander());

     if (spawn.getResourceOwner() instanceof CppCompileAction) {
       CppCompileAction action = (CppCompileAction) spawn.getResourceOwner();
       if (action.shouldScanIncludes()) {
         inputs.addAll(action.getAdditionalInputs());
       }
     }

     for (ActionInput input : inputs) {
       if (input.getExecPathString().contains("internal/_middlemen/")) {
         continue;
       }
       PathFragment mount = new PathFragment(input.getExecPathString());
       mounts.put(mount, execRoot.getRelative(mount));
     }
   }

   @Override
   public boolean willExecuteRemotely(boolean remotable) {
     return false;
   }

   @Override
   public String toString() {
     return "sandboxed";
   }

   @Override
   public boolean shouldPropagateExecException() {
     return verboseFailures && sandboxOptions.sandboxDebug;
   }
 }
	// Copyright 2014 The Bazel Authors. All rights reserved.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	package com.google.devtools.build.lib.sandbox;

	import com.google.common.collect.ImmutableList;
	import com.google.common.collect.ImmutableSet;
	import com.google.common.io.Files;
	import com.google.devtools.build.lib.actions.ActionExecutionContext;
	import com.google.devtools.build.lib.actions.ActionInput;
	import com.google.devtools.build.lib.actions.ActionInputHelper;
	import com.google.devtools.build.lib.actions.ActionStatusMessage;
	import com.google.devtools.build.lib.actions.Artifact;
	import com.google.devtools.build.lib.actions.EnvironmentalExecException;
	import com.google.devtools.build.lib.actions.ExecException;
	import com.google.devtools.build.lib.actions.ExecutionStrategy;
	import com.google.devtools.build.lib.actions.Executor;
	import com.google.devtools.build.lib.actions.Spawn;
	import com.google.devtools.build.lib.actions.SpawnActionContext;
	import com.google.devtools.build.lib.actions.UserExecException;
	import com.google.devtools.build.lib.analysis.AnalysisUtils;
	import com.google.devtools.build.lib.analysis.BlazeDirectories;
	import com.google.devtools.build.lib.buildtool.BuildRequest;
	import com.google.devtools.build.lib.cmdline.Label;
	import com.google.devtools.build.lib.rules.cpp.CppCompileAction;
	import com.google.devtools.build.lib.rules.fileset.FilesetActionContext;
	import com.google.devtools.build.lib.runtime.CommandEnvironment;
	import com.google.devtools.build.lib.standalone.StandaloneSpawnStrategy;
	import com.google.devtools.build.lib.util.Preconditions;
	import com.google.devtools.build.lib.util.io.FileOutErr;
	import com.google.devtools.build.lib.vfs.FileSystem;
	import com.google.devtools.build.lib.vfs.Path;
	import com.google.devtools.build.lib.vfs.PathFragment;
	import java.io.File;
	import java.io.IOException;
	import java.nio.charset.StandardCharsets;
	import java.util.HashMap;
	import java.util.List;
	import java.util.Map;
	import java.util.UUID;
	import java.util.concurrent.ExecutorService;
	import java.util.concurrent.atomic.AtomicInteger;

	/**
	* Strategy that uses sandboxing to execute a process.
	*/
	@ExecutionStrategy(
	name = {"sandboxed"},
	contextType = SpawnActionContext.class
	)
	public class LinuxSandboxedStrategy implements SpawnActionContext {
	private static Boolean sandboxingSupported = null;

	public static boolean isSupported(CommandEnvironment env) {
	if (sandboxingSupported == null) {
	// Currently LinuxSandboxRunner support <= LinuxAlmostSandboxRunner support
	sandboxingSupported =
	LinuxAlmostSandboxRunner.isSupported(env) \|\| LinuxSandboxRunner.isSupported(env);
	}
	return sandboxingSupported.booleanValue();
	}

	private final ExecutorService backgroundWorkers;

	private final BuildRequest buildRequest;
	private final SandboxOptions sandboxOptions;
	private final BlazeDirectories blazeDirs;
	private final Path execRoot;
	private final boolean verboseFailures;
	private final UUID uuid = UUID.randomUUID();
	private final AtomicInteger execCounter = new AtomicInteger();
	private final String productName;
	private final boolean fullySupported;

	LinuxSandboxedStrategy(
	BuildRequest buildRequest,
	BlazeDirectories blazeDirs,
	ExecutorService backgroundWorkers,
	boolean verboseFailures,
	String productName,
	boolean fullySupported) {
	this.buildRequest = buildRequest;
	this.sandboxOptions = buildRequest.getOptions(SandboxOptions.class);
	this.blazeDirs = blazeDirs;
	this.execRoot = blazeDirs.getExecRoot();
	this.backgroundWorkers = Preconditions.checkNotNull(backgroundWorkers);
	this.verboseFailures = verboseFailures;
	this.productName = productName;
	this.fullySupported = fullySupported;
	}

	/**
	* Executes the given {@code spawn}.
	*/
	@Override
	public void exec(Spawn spawn, ActionExecutionContext actionExecutionContext)
	throws ExecException {
	Executor executor = actionExecutionContext.getExecutor();

	// Certain actions can't run remotely or in a sandbox - pass them on to the standalone strategy.
	if (!spawn.isRemotable()) {
	StandaloneSpawnStrategy standaloneStrategy =
	Preconditions.checkNotNull(executor.getContext(StandaloneSpawnStrategy.class));
	standaloneStrategy.exec(spawn, actionExecutionContext);
	return;
	}

	if (executor.reportsSubcommands()) {
	executor.reportSubcommand(
	Label.print(spawn.getOwner().getLabel()) + " [" + spawn.getResourceOwner().prettyPrint()
	+ "]", spawn.asShellCommand(executor.getExecRoot()));
	}

	executor
	.getEventBus()
	.post(ActionStatusMessage.runningStrategy(spawn.getResourceOwner(), "sandbox"));

	FileOutErr outErr = actionExecutionContext.getFileOutErr();

	// The execId is a unique ID just for this invocation of "exec".
	String execId = uuid + "-" + execCounter.getAndIncrement();

	// Each invocation of "exec" gets its own sandbox.
	Path sandboxExecRoot =
	blazeDirs.getOutputBase().getRelative(productName + "-sandbox").getRelative(execId);

	// Gather all necessary mounts for the sandbox.
	Map<PathFragment, Path> mounts;
	try {
	mounts = getMounts(spawn, actionExecutionContext);
	} catch (IllegalArgumentException \| IOException e) {
	throw new EnvironmentalExecException("Could not prepare mounts for sandbox execution", e);
	}

	Map<String, String> env = new HashMap<>(spawn.getEnvironment());

	ImmutableSet<Path> writablePaths = getWritablePaths(sandboxExecRoot, env);
	ImmutableList<Path> inaccessiblePaths = getInaccessiblePaths();

	int timeout = getTimeout(spawn);

	ImmutableSet.Builder<PathFragment> outputFiles = ImmutableSet.builder();
	for (PathFragment optionalOutput : spawn.getOptionalOutputFiles()) {
	Preconditions.checkArgument(!optionalOutput.isAbsolute());
	outputFiles.add(optionalOutput);
	}
	for (ActionInput output : spawn.getOutputFiles()) {
	outputFiles.add(new PathFragment(output.getExecPathString()));
	}

	try {
	final LinuxSandboxRunner runner;
	if (fullySupported) {
	runner =
	new LinuxSandboxRunner(
	execRoot,
	sandboxExecRoot,
	writablePaths,
	inaccessiblePaths,
	verboseFailures,
	sandboxOptions.sandboxDebug);
	} else {
	// Then LinuxAlmostSandboxRunner must be supported
	runner =
	new LinuxAlmostSandboxRunner(
	execRoot,
	sandboxExecRoot,
	writablePaths,
	inaccessiblePaths,
	verboseFailures,
	sandboxOptions.sandboxDebug);
	}
	try {
	runner.run(
	spawn.getArguments(),
	env,
	outErr,
	mounts,
	outputFiles.build(),
	timeout,
	SandboxHelpers.shouldAllowNetwork(buildRequest, spawn));
	} finally {
	// Due to the Linux kernel behavior, if we try to remove the sandbox too quickly after the
	// process has exited, we get "Device busy" errors because some of the mounts have not yet
	// been undone. A second later it usually works. We will just clean the old sandboxes up
	// using a background worker.
	backgroundWorkers.execute(
	new Runnable() {
	@Override
	public void run() {
	try {
	while (!Thread.currentThread().isInterrupted()) {
	try {
	runner.cleanup();
	return;
	} catch (IOException e2) {
	// Sleep & retry.
	Thread.sleep(250);
	}
	}
	} catch (InterruptedException e) {
	// Exit.
	}
	}
	});
	}
	} catch (IOException e) {
	throw new UserExecException("I/O error during sandboxed execution", e);
	}
	}

	private int getTimeout(Spawn spawn) throws ExecException {
	String timeoutStr = spawn.getExecutionInfo().get("timeout");
	if (timeoutStr != null) {
	try {
	return Integer.parseInt(timeoutStr);
	} catch (NumberFormatException e) {
	throw new UserExecException("Could not parse timeout", e);
	}
	}
	return -1;
	}

	/** Gets the list of directories that the spawn will assume to be writable. */
	private ImmutableSet<Path> getWritablePaths(Path sandboxExecRoot, Map<String, String> env) {
	ImmutableSet.Builder<Path> writablePaths = ImmutableSet.builder();
	// We have to make the TEST_TMPDIR directory writable if it is specified.
	if (env.containsKey("TEST_TMPDIR")) {
	Path testTmpDir = sandboxExecRoot.getRelative(env.get("TEST_TMPDIR"));
	writablePaths.add(testTmpDir);
	env.put("TEST_TMPDIR", testTmpDir.getPathString());
	}
	return writablePaths.build();
	}

	private ImmutableList<Path> getInaccessiblePaths() {
	ImmutableList.Builder<Path> inaccessiblePaths = ImmutableList.builder();
	for (String path : sandboxOptions.sandboxBlockPath) {
	inaccessiblePaths.add(blazeDirs.getFileSystem().getPath(path));
	}
	return inaccessiblePaths.build();
	}

	private Map<PathFragment, Path> getMounts(Spawn spawn, ActionExecutionContext executionContext)
	throws IOException, ExecException {
	Map<PathFragment, Path> mounts = new HashMap<>();
	mountRunfilesFromManifests(mounts, spawn);
	mountRunfilesFromSuppliers(mounts, spawn);
	mountFilesFromFilesetManifests(mounts, spawn, executionContext);
	mountInputs(mounts, spawn, executionContext);
	return mounts;
	}

	/** Mount all runfiles that the spawn needs as specified in its runfiles manifests. */
	private void mountRunfilesFromManifests(Map<PathFragment, Path> mounts, Spawn spawn)
	throws IOException, ExecException {
	for (Map.Entry<PathFragment, Artifact> manifest : spawn.getRunfilesManifests().entrySet()) {
	String manifestFilePath = manifest.getValue().getPath().getPathString();
	Preconditions.checkState(!manifest.getKey().isAbsolute());
	PathFragment targetDirectory = manifest.getKey();

	parseManifestFile(
	blazeDirs.getFileSystem(),
	mounts,
	targetDirectory,
	new File(manifestFilePath),
	false,
	"");
	}
	}

	/** Mount all files that the spawn needs as specified in its fileset manifests. */
	private void mountFilesFromFilesetManifests(
	Map<PathFragment, Path> mounts, Spawn spawn, ActionExecutionContext executionContext)
	throws IOException, ExecException {
	final FilesetActionContext filesetContext =
	executionContext.getExecutor().getContext(FilesetActionContext.class);
	for (Artifact fileset : spawn.getFilesetManifests()) {
	File manifestFile =
	new File(
	execRoot.getPathString(),
	AnalysisUtils.getManifestPathFromFilesetPath(fileset.getExecPath()).getPathString());
	PathFragment targetDirectory = fileset.getExecPath();

	parseManifestFile(
	blazeDirs.getFileSystem(),
	mounts,
	targetDirectory,
	manifestFile,
	true,
	filesetContext.getWorkspaceName());
	}
	}

	/** A parser for the MANIFEST files used by Filesets and runfiles. */
	static void parseManifestFile(
	FileSystem fs,
	Map<PathFragment, Path> mounts,
	PathFragment targetDirectory,
	File manifestFile,
	boolean isFilesetManifest,
	String workspaceName)
	throws IOException, ExecException {
	int lineNum = 0;
	for (String line : Files.readLines(manifestFile, StandardCharsets.UTF_8)) {
	if (isFilesetManifest && (++lineNum % 2 == 0)) {
	continue;
	}
	if (line.isEmpty()) {
	continue;
	}

	String[] fields = line.trim().split(" ");

	// The "target" field is always a relative path that is to be interpreted in this way:
	// (1) If this is a fileset manifest and our workspace name is not empty, the first segment
	// of each "target" path must be the workspace name, which is then stripped before further
	// processing.
	// (2) The "target" path is then appended to the "targetDirectory", which is a path relative
	// to the execRoot. Together, this results in the full path in the execRoot in which place a
	// symlink referring to "source" has to be created (see below).
	PathFragment targetPath;
	if (isFilesetManifest) {
	PathFragment targetPathFragment = new PathFragment(fields[0]);
	if (!workspaceName.isEmpty()) {
	if (!targetPathFragment.getSegment(0).equals(workspaceName)) {
	throw new EnvironmentalExecException(
	"Fileset manifest line must start with workspace name");
	}
	targetPathFragment = targetPathFragment.subFragment(1, targetPathFragment.segmentCount());
	}
	targetPath = targetDirectory.getRelative(targetPathFragment);
	} else {
	targetPath = targetDirectory.getRelative(fields[0]);
	}

	// The "source" field, if it exists, is always an absolute path and may point to any file in
	// the filesystem (it is not limited to files in the workspace or execroot).
	Path source;
	switch (fields.length) {
	case 1:
	source = fs.getPath("/dev/null");
	break;
	case 2:
	source = fs.getPath(fields[1]);
	break;
	default:
	throw new IllegalStateException("'" + line + "' splits into more than 2 parts");
	}

	mounts.put(targetPath, source);
	}
	}

	/** Mount all runfiles that the spawn needs as specified via its runfiles suppliers. */
	private void mountRunfilesFromSuppliers(Map<PathFragment, Path> mounts, Spawn spawn)
	throws IOException {
	Map<PathFragment, Map<PathFragment, Artifact>> rootsAndMappings =
	spawn.getRunfilesSupplier().getMappings();
	for (Map.Entry<PathFragment, Map<PathFragment, Artifact>> rootAndMappings :
	rootsAndMappings.entrySet()) {
	PathFragment root = rootAndMappings.getKey();
	if (root.isAbsolute()) {
	root = root.relativeTo(execRoot.asFragment());
	}
	for (Map.Entry<PathFragment, Artifact> mapping : rootAndMappings.getValue().entrySet()) {
	Artifact sourceArtifact = mapping.getValue();
	PathFragment source =
	(sourceArtifact != null) ? sourceArtifact.getExecPath() : new PathFragment("/dev/null");

	Preconditions.checkArgument(!mapping.getKey().isAbsolute());
	PathFragment target = root.getRelative(mapping.getKey());
	mounts.put(target, execRoot.getRelative(source));
	}
	}
	}

	/** Mount all inputs of the spawn. */
	private void mountInputs(
	Map<PathFragment, Path> mounts, Spawn spawn, ActionExecutionContext actionExecutionContext) {
	List<ActionInput> inputs =
	ActionInputHelper.expandArtifacts(
	spawn.getInputFiles(), actionExecutionContext.getArtifactExpander());

	if (spawn.getResourceOwner() instanceof CppCompileAction) {
	CppCompileAction action = (CppCompileAction) spawn.getResourceOwner();
	if (action.shouldScanIncludes()) {
	inputs.addAll(action.getAdditionalInputs());
	}
	}

	for (ActionInput input : inputs) {
	if (input.getExecPathString().contains("internal/_middlemen/")) {
	continue;
	}
	PathFragment mount = new PathFragment(input.getExecPathString());
	mounts.put(mount, execRoot.getRelative(mount));
	}
	}

	@Override
	public boolean willExecuteRemotely(boolean remotable) {
	return false;
	}

	@Override
	public String toString() {
	return "sandboxed";
	}

	@Override
	public boolean shouldPropagateExecException() {
	return verboseFailures && sandboxOptions.sandboxDebug;
	}
	}