Add internal linux-sandbox option to create a network namespace with no loopback device, for sandboxed workers.
PiperOrigin-RevId: 515033155
Change-Id: I50eb94b9796eee237360aba97f855741a13ffeec
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
index f84c051..21609de 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
@@ -14,6 +14,9 @@
package com.google.devtools.build.lib.sandbox;
+import static com.google.devtools.build.lib.sandbox.LinuxSandboxCommandLineBuilder.NetworkNamespace.NETNS;
+import static com.google.devtools.build.lib.sandbox.LinuxSandboxCommandLineBuilder.NetworkNamespace.NETNS_WITH_LOOPBACK;
+
import com.google.auto.value.AutoValue;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
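Review bot: The two static imports of `NETNS` and `NETNS_WITH_LOOPBACK` are unnecessary here and make the comparisons in the build method read as bare identifiers rather than as values of the nested `NetworkNamespace` enum. Since the enum is declared inside this same class, `NetworkNamespace.NETNS` and `NetworkNamespace.NETNS_WITH_LOOPBACK` are already in scope without any import, which is also how the field initializer later in this diff spells `NetworkNamespace.NO_NETNS`. Dropping the two static-import lines and qualifying the two uses keeps the file self-consistent and avoids static imports for something other than assertions or constants.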
@@ -61,7 +64,7 @@
private List<BindMount> bindMounts = ImmutableList.of();
private Path statisticsPath;
private boolean useFakeHostname = false;
- private boolean createNetworkNamespace = false;
+ private NetworkNamespace createNetworkNamespace = NetworkNamespace.NO_NETNS;
private boolean useFakeRoot = false;
private boolean useFakeUsername = false;
private boolean enablePseudoterminal = false;
@@ -183,9 +186,10 @@
return this;
}
- /** Sets whether to create a new network namespace. */
+ /** Sets whether and how to create a new network namespace. */
@CanIgnoreReturnValue
- public LinuxSandboxCommandLineBuilder setCreateNetworkNamespace(boolean createNetworkNamespace) {
+ public LinuxSandboxCommandLineBuilder setCreateNetworkNamespace(
+ NetworkNamespace createNetworkNamespace) {
this.createNetworkNamespace = createNetworkNamespace;
return this;
}
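Review bot: The setter now accepts a reference type but does not reject `null`, so `setCreateNetworkNamespace(null)` silently leaves the field null and the later `==` comparisons against `NETNS_WITH_LOOPBACK` and `NETNS` both evaluate false, producing a sandbox with no network namespace at all — the least isolated configuration — with no error. `Preconditions` is already imported in this file, so the assignment can become `this.createNetworkNamespace = Preconditions.checkNotNull(createNetworkNamespace);`. The Javadoc could also name the argument, e.g. `@param createNetworkNamespace which kind of network namespace, if any, the sandbox should create; must not be null`.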
@@ -288,8 +292,10 @@
if (useFakeHostname) {
commandLineBuilder.add("-H");
}
- if (createNetworkNamespace) {
+ if (createNetworkNamespace == NETNS_WITH_LOOPBACK) {
commandLineBuilder.add("-N");
+ } else if (createNetworkNamespace == NETNS) {
+ commandLineBuilder.add("-n");
}
if (useFakeRoot) {
commandLineBuilder.add("-R");
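Review bot: The `if`/`else if` chain on the enum fails open: any `NetworkNamespace` value other than the two tested (a future addition, or a null field) adds no flag and the sandbox runs with full host network access, which is the opposite of what a caller asking for isolation expects. A `switch` over the enum with every constant listed makes a missing case a compile-time or Error Prone finding instead of a silent loss of isolation, and spelling out `NO_NETNS` documents that the empty branch is deliberate. The enclosing build method starts and ends outside this hunk.
```java
      if (useFakeHostname) {
        commandLineBuilder.add("-H");
      }
      // Exhaustive so that a new NetworkNamespace value cannot silently mean "no isolation".
      switch (createNetworkNamespace) {
        case NETNS_WITH_LOOPBACK:
          commandLineBuilder.add("-N");
          break;
        case NETNS:
          commandLineBuilder.add("-n");
          break;
        case NO_NETNS:
          break;
      }
      // … unchanged: remaining flags (-R, …) …
```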
@@ -317,4 +323,14 @@
return commandLineBuilder.build();
}
+
+ /** Enum for the possibilities for creating a network namespace in the sandbox. */
+ public enum NetworkNamespace {
+ /** No network namespace will be created, sandboxed processes can access the network freely. */
+ NO_NETNS,
+ /** A fresh network namespace will be created. */
+ NETNS,
+ /** A fresh network namespace will be created, and a loopback device will be set up in it. */
+ NETNS_WITH_LOOPBACK,
+ }
}
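Review bot: The Javadoc on `NETNS` does not say what "fresh" means for a caller choosing between it and `NETNS_WITH_LOOPBACK`, which is the whole point of this commit. I would state the consequence explicitly, e.g. `/** A fresh network namespace with no interfaces brought up: the sandboxed process cannot reach the host network and, unlike NETNS_WITH_LOOPBACK, cannot connect to itself over 127.0.0.1/::1 either. This is the most isolating option; use NETNS_WITH_LOOPBACK for workers that talk to themselves over local TCP. */`. It would also help to add a short class-level sentence noting that `NO_NETNS` is the default for the builder so readers know that isolation is opt-in. The claim about loopback being unreachable follows from the commit's own description ("no loopback device") and from a new Linux netns having its `lo` interface down; the linux-sandbox binary's handling of `-n` is not visible in this diff, so confirm it matches.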