sandbox: Remove special treatment for runUnderPath from Darwin sandbox.

There's no need to make it explicitly readable, because the entire host filesystem is readable anyway. Change-Id: I6a63cc93b600250c1c8828ef8d1c9d6133b671d7 PiperOrigin-RevId: 155477093
author: Philipp Wollermann <philwo@google.com> 2017-05-09 04:04:54 -0400
committer: Kristina Chodorow <kchodorow@google.com> 2017-05-09 10:54:08 -0400
commit: 650669af84556920b6595d7cb57d6bb3aa20e6d8 (patch)
tree: 58a98fe3986175a14cd70535a8d7655b8360a512
parent: ea71d6dc3d60c4ac937f3236c50b20f2daeefd58 (diff)
2 files changed, 1 insertions, 49 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
index bcdcef3f5d..33de83eddf 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
@@ -44,19 +44,16 @@ final class DarwinSandboxRunner extends SandboxRunner {
   private final Path sandboxExecRoot;
   private final Path sandboxConfigPath;
   private final Set<Path> writableDirs;
-  private final Path runUnderPath;
 
   DarwinSandboxRunner(
       Path sandboxPath,
       Path sandboxExecRoot,
       Set<Path> writableDirs,
-      Path runUnderPath,
       boolean verboseFailures) {
     super(verboseFailures);
     this.sandboxExecRoot = sandboxExecRoot;
     this.sandboxConfigPath = sandboxPath.getRelative("sandbox.sb");
     this.writableDirs = writableDirs;
-    this.runUnderPath = runUnderPath;
   }
 
   static boolean isSupported() {
@@ -121,10 +118,6 @@ final class DarwinSandboxRunner extends SandboxRunner {
       out.println("(allow network* (local ip \"localhost:*\"))");
       out.println("(allow network* (remote ip \"localhost:*\"))");
 
-      if (runUnderPath != null) {
-        out.println("(allow file-read* (subpath \"" + runUnderPath + "\"))");
-      }
-
       // Almost everything else is read-only.
       out.println("(deny file-write* (subpath \"/\"))");
 
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java
index ffdb57211c..62a5c52af1 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java
@@ -29,9 +29,7 @@ import com.google.devtools.build.lib.actions.Executor;
 import com.google.devtools.build.lib.actions.Spawn;
 import com.google.devtools.build.lib.actions.SpawnActionContext;
 import com.google.devtools.build.lib.analysis.BlazeDirectories;
-import com.google.devtools.build.lib.analysis.config.RunUnder;
 import com.google.devtools.build.lib.buildtool.BuildRequest;
-import com.google.devtools.build.lib.rules.test.TestRunnerAction;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
 import com.google.devtools.build.lib.shell.Command;
 import com.google.devtools.build.lib.shell.CommandException;
@@ -43,7 +41,6 @@ import com.google.devtools.build.lib.vfs.FileSystem;
 import com.google.devtools.build.lib.vfs.FileSystemUtils;
 import com.google.devtools.build.lib.vfs.Path;
 import com.google.devtools.build.lib.vfs.PathFragment;
-import com.google.devtools.build.lib.vfs.SearchPath;
 import com.google.devtools.build.lib.vfs.Symlinks;
 import java.io.BufferedWriter;
 import java.io.IOException;
@@ -62,7 +59,6 @@ import java.util.concurrent.atomic.AtomicReference;
 )
 public class DarwinSandboxedStrategy extends SandboxStrategy {
 
-  private final ImmutableMap<String, String> clientEnv;
   private final BlazeDirectories blazeDirs;
   private final Path execRoot;
   private final boolean sandboxDebug;
@@ -85,7 +81,6 @@ public class DarwinSandboxedStrategy extends SandboxStrategy {
         sandboxBase,
         verboseFailures,
         buildRequest.getOptions(SandboxOptions.class));
-    this.clientEnv = ImmutableMap.copyOf(cmdEnv.getClientEnv());
     this.blazeDirs = cmdEnv.getDirectories();
     this.execRoot = blazeDirs.getExecRoot();
     this.sandboxDebug = buildRequest.getOptions(SandboxOptions.class).sandboxDebug;
@@ -174,7 +169,6 @@ public class DarwinSandboxedStrategy extends SandboxStrategy {
         StandaloneSpawnStrategy.locallyDeterminedEnv(execRoot, productName, spawn.getEnvironment());
 
     Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment());
-    Path runUnderPath = getRunUnderPath(spawn);
     HardlinkedExecRoot hardlinkedExecRoot =
         new HardlinkedExecRoot(execRoot, sandboxPath, sandboxExecRoot, errWriter);
     ImmutableSet<PathFragment> outputs = SandboxHelpers.getOutputFiles(spawn);
@@ -187,8 +181,7 @@ public class DarwinSandboxedStrategy extends SandboxStrategy {
     }
 
     DarwinSandboxRunner runner =
-        new DarwinSandboxRunner(
-            sandboxPath, sandboxExecRoot, writableDirs, runUnderPath, verboseFailures);
+        new DarwinSandboxRunner(sandboxPath, sandboxExecRoot, writableDirs, verboseFailures);
     try {
       runSpawn(
           spawn,
@@ -299,38 +292,4 @@ public class DarwinSandboxedStrategy extends SandboxStrategy {
     Preconditions.checkArgument(stat != null, "%s does not exist", source.toString());
     finalizedMounts.put(target, source);
   }
-
-  /**
-   * If a --run_under= option is set and refers to a command via its path (as opposed to via its
-   * label), we have to mount this. Note that this is best effort and works fine for shell scripts
-   * and small binaries, but we can't track any further dependencies of this command.
-   *
-   * <p>If --run_under= refers to a label, it is automatically provided in the spawn's input files,
-   * so mountInputs() will catch that case.
-   */
-  private Path getRunUnderPath(Spawn spawn) {
-    if (spawn.getResourceOwner() instanceof TestRunnerAction) {
-      TestRunnerAction testRunnerAction = ((TestRunnerAction) spawn.getResourceOwner());
-      RunUnder runUnder = testRunnerAction.getExecutionSettings().getRunUnder();
-      if (runUnder != null && runUnder.getCommand() != null) {
-        PathFragment sourceFragment = PathFragment.create(runUnder.getCommand());
-        Path mount;
-        if (sourceFragment.isAbsolute()) {
-          mount = blazeDirs.getFileSystem().getPath(sourceFragment);
-        } else if (blazeDirs.getExecRoot().getRelative(sourceFragment).exists()) {
-          mount = blazeDirs.getExecRoot().getRelative(sourceFragment);
-        } else {
-          List<Path> searchPath =
-              SearchPath.parse(blazeDirs.getFileSystem(), clientEnv.get("PATH"));
-          mount = SearchPath.which(searchPath, runUnder.getCommand());
-        }
-        // only need to hardlink when under workspace
-        Path workspace = blazeDirs.getWorkspace();
-        if (mount != null && mount.startsWith(workspace)) {
-          return mount;
-        }
-      }
-    }
-    return null;
-  }
 }
author	Philipp Wollermann <philwo@google.com>	2017-05-09 04:04:54 -0400
committer	Kristina Chodorow <kchodorow@google.com>	2017-05-09 10:54:08 -0400
commit	650669af84556920b6595d7cb57d6bb3aa20e6d8 (patch)
tree	58a98fe3986175a14cd70535a8d7655b8360a512
parent	ea71d6dc3d60c4ac937f3236c50b20f2daeefd58 (diff)