diff options
author | 2015-08-25 12:52:57 +0000 | |
---|---|---|
committer | 2015-08-26 07:37:05 +0000 | |
commit | 43c4a1a1452603bfe5e6883626c5ac91ea4e8eb6 (patch) | |
tree | 257c9f0f924b5b2cf96c208cd53ba4ff40259aca /scripts | |
parent | 988bb21407c3abf97100d90cff2b823dd594ef30 (diff) |
Execute spawns inside sandboxes to improve hermeticity (spawns can no longer use non-declared inputs) and safety (spawns can no longer affect the host system, e.g. accidentally wipe your home directory). This implementation works on Linux only and uses Linux containers ("namespaces").
The strategy works with all actions that Bazel supports (C++ / Java compilation, genrules, test execution, Skylark-based rules, ...) and in tests, Bazel could successfully bootstrap itself and pass the whole test suite using sandboxed execution.
This is not the default behavior yet, but can be activated explicitly by using:
bazel build --genrule_strategy=sandboxed --spawn_strategy=sandboxed //my:stuff
--
MOS_MIGRATED_REVID=101457297
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/bootstrap/compile.sh | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/scripts/bootstrap/compile.sh b/scripts/bootstrap/compile.sh index cd7a5b3e5b..1715316a8a 100755 --- a/scripts/bootstrap/compile.sh +++ b/scripts/bootstrap/compile.sh @@ -308,16 +308,23 @@ fi log "Compiling build-runfiles..." # Clang on Linux requires libstdc++ -run_silent "${CXX}" -o ${OUTPUT_DIR}/build-runfiles -std=c++0x -l stdc++ src/main/tools/build-runfiles.cc +run_silent "${CXX}" -o ${OUTPUT_DIR}/build-runfiles -std=c++0x src/main/tools/build-runfiles.cc -l stdc++ log "Compiling process-wrapper..." -run_silent "${CC}" -o ${OUTPUT_DIR}/process-wrapper -std=c99 src/main/tools/process-wrapper.c +run_silent "${CC}" -o ${OUTPUT_DIR}/process-wrapper -std=c99 src/main/tools/process-wrapper.c src/main/tools/process-tools.c -lm + +log "Compiling namespace-sandbox..." +if [[ $PLATFORM == "linux" ]]; then + run_silent "${CC}" -o ${OUTPUT_DIR}/namespace-sandbox -std=c99 src/main/tools/namespace-sandbox.c src/main/tools/process-tools.c -lm +else + run_silent "${CC}" -o ${OUTPUT_DIR}/namespace-sandbox -std=c99 src/main/tools/namespace-sandbox-dummy.c -lm +fi cp src/main/tools/build_interface_so ${OUTPUT_DIR}/build_interface_so cp src/main/tools/jdk.* ${OUTPUT_DIR} log "Creating Bazel self-extracting archive..." -TO_ZIP="libblaze.jar ${JNILIB} build-runfiles${EXE_EXT} process-wrapper${EXE_EXT} build_interface_so ${MSYS_DLLS} jdk.BUILD" +TO_ZIP="libblaze.jar ${JNILIB} build-runfiles${EXE_EXT} process-wrapper${EXE_EXT} namespace-sandbox${EXE_EXT} build_interface_so ${MSYS_DLLS} jdk.BUILD" (cd ${OUTPUT_DIR}/ ; cat client ${TO_ZIP} | ${MD5SUM} | awk '{ print $1; }' > install_base_key) (cd ${OUTPUT_DIR}/ ; echo "${JAVA_VERSION}" > java.version) |