Google Git
Sign in
bazel / bazel / c2ba4a08a788097297da81b58e2fb9ffdb22a581 / . / src / main / java / com / google / devtools / build / lib / sandbox / LinuxSandboxedStrategy.java
blob: 4d3d85d63afe0984d8f6e0fb3d35090dd39eced8 [file] [log] [blame]
Damien Martin-Guillerezf88f4d82015-09-25 13:56:55 +0000[diff] [blame]1// Copyright 2014 The Bazel Authors. All rights reserved.
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
Philipp Wollermann5a50b4f2016-08-31 12:07:40 +0000[diff] [blame]14
Philipp Wollermann1572344e2015-06-29 13:59:45 +0000[diff] [blame]15package com.google.devtools.build.lib.sandbox;
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]16
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]17import com.google.devtools.build.lib.actions.ExecutionStrategy;
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]18import com.google.devtools.build.lib.actions.SpawnActionContext;
ulfjack19befaf2017-07-24 11:09:40 +0200[diff] [blame]19import com.google.devtools.build.lib.exec.AbstractSpawnStrategy;
20import com.google.devtools.build.lib.exec.SpawnRunner;
Philipp Wollermanne219a242016-08-18 14:39:37 +0000[diff] [blame]21import com.google.devtools.build.lib.runtime.CommandEnvironment;
Philipp Wollermann95b16a82016-09-30 10:32:36 +0000[diff] [blame]22import com.google.devtools.build.lib.vfs.FileSystemUtils;
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]23import com.google.devtools.build.lib.vfs.Path;
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]24import java.io.IOException;
rupertsda009412017-12-22 16:59:38 -0800[diff] [blame]25import java.time.Duration;
jmmvbd923e72018-04-10 14:01:34 -0700[diff] [blame]26import javax.annotation.Nullable;
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]27
Philipp Wollermann5a50b4f2016-08-31 12:07:40 +0000[diff] [blame]28/** Strategy that uses sandboxing to execute a process. */
ulfjacka63da8e2017-07-12 16:51:20 +0200[diff] [blame]29// TODO(ulfjack): This class only exists for this annotation. Find a better way to handle this!
Yue Gan6b88e152016-04-12 14:10:27 +0000[diff] [blame]30@ExecutionStrategy(
philwo0c613be2017-04-21 16:39:30 +0200[diff] [blame]31 name = {"sandboxed", "linux-sandbox"},
Yue Gan6b88e152016-04-12 14:10:27 +0000[diff] [blame]32 contextType = SpawnActionContext.class
33)
ulfjack19befaf2017-07-24 11:09:40 +0200[diff] [blame]34public final class LinuxSandboxedStrategy extends AbstractSpawnStrategy {
tomlu1a19b622018-01-11 15:17:28 -0800[diff] [blame]35 LinuxSandboxedStrategy(Path execRoot, SpawnRunner spawnRunner) {
36 super(execRoot, spawnRunner);
philwodb5e06a2017-05-12 23:41:47 +0200[diff] [blame]37 }
38
ulfjack19befaf2017-07-24 11:09:40 +0200[diff] [blame]39 @Override
40 public String toString() {
philwod3de5cc2018-04-16 06:40:19 -0700[diff] [blame]41 return "linux-sandbox";
ulfjack19befaf2017-07-24 11:09:40 +0200[diff] [blame]42 }
43
rupertsda009412017-12-22 16:59:38 -0800[diff] [blame]44 /**
rupertsda009412017-12-22 16:59:38 -0800[diff] [blame]45 * Creates a sandboxed spawn runner that uses the {@code linux-sandbox} tool.
46 *
47 * @param cmdEnv the command environment to use
48 * @param sandboxBase path to the sandbox base directory
Philipp Wollermann23e1c5d2018-03-23 07:39:27 -0700[diff] [blame]49 * @param timeoutKillDelay additional grace period before killing timing out commands
jmmvbd923e72018-04-10 14:01:34 -0700[diff] [blame]50 * @param sandboxfsProcess instance of the sandboxfs process to use; may be null for none, in
51 * which case the runner uses a symlinked sandbox
jmmvc2ba4a02019-03-18 14:51:45 -0700[diff] [blame^]52 * @param sandboxfsMapSymlinkTargets map the targets of symlinks within the sandbox if true
rupertsda009412017-12-22 16:59:38 -0800[diff] [blame]53 */
54 static LinuxSandboxedSpawnRunner create(
jmmvc2ba4a02019-03-18 14:51:45 -0700[diff] [blame^]55 CommandEnvironment cmdEnv,
56 Path sandboxBase,
57 Duration timeoutKillDelay,
58 @Nullable SandboxfsProcess sandboxfsProcess,
59 boolean sandboxfsMapSymlinkTargets)
60 throws IOException {
philwodb5e06a2017-05-12 23:41:47 +0200[diff] [blame]61 Path inaccessibleHelperFile = sandboxBase.getRelative("inaccessibleHelperFile");
62 FileSystemUtils.touchFile(inaccessibleHelperFile);
63 inaccessibleHelperFile.setReadable(false);
64 inaccessibleHelperFile.setWritable(false);
65 inaccessibleHelperFile.setExecutable(false);
66
67 Path inaccessibleHelperDir = sandboxBase.getRelative("inaccessibleHelperDir");
68 inaccessibleHelperDir.createDirectory();
69 inaccessibleHelperDir.setReadable(false);
70 inaccessibleHelperDir.setWritable(false);
71 inaccessibleHelperDir.setExecutable(false);
72
ulfjack19befaf2017-07-24 11:09:40 +0200[diff] [blame]73 return new LinuxSandboxedSpawnRunner(
philwodb5e06a2017-05-12 23:41:47 +0200[diff] [blame]74 cmdEnv,
philwodb5e06a2017-05-12 23:41:47 +0200[diff] [blame]75 sandboxBase,
philwodb5e06a2017-05-12 23:41:47 +0200[diff] [blame]76 inaccessibleHelperFile,
philwo7f085372017-07-18 16:31:34 +0200[diff] [blame]77 inaccessibleHelperDir,
jmmvbd923e72018-04-10 14:01:34 -0700[diff] [blame]78 timeoutKillDelay,
jmmvc2ba4a02019-03-18 14:51:45 -0700[diff] [blame^]79 sandboxfsProcess,
80 sandboxfsMapSymlinkTargets);
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]81 }
Han-Wen Nienhuysd08b27f2015-02-25 16:45:20 +0100[diff] [blame]82}