authorGravatar philwo <philwo@google.com>2017-05-12 23:41:47 +0200
committerGravatar Dmitry Lomov <dslomov@google.com>2017-05-15 19:51:02 +0200
commitdb5e06a29fccd31ad8ae13e7d271509807d87d7c (patch)
tree3377b285f3dceeec6ac4afc9d1412fc62eb2561e /src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
parent729d48f682a9fcc830729e46a81c8f492ede7274 (diff)
Bring back --sandbox_block_path.
This is basically a rollback of https://github.com/bazelbuild/bazel/commit/3e2329a73ffd5d60e5e2babe60ebe5bf322c07da, except that it also fixes the problem that caused the feature to be removed in the first place. The helper files needed to make files unreadable on Linux are now created in Bazel's Java code, which also manages their lifetime. The request was filed by a user here: http://stackoverflow.com/questions/43849651/how-to-lock-down-the-bazel-filesystem-sandbox PiperOrigin-RevId: 155913246
Diffstat (limited to 'src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java')
-rw-r--r--src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
index 0e12fe869b..3b4d1e2ff7 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
@@ -42,16 +42,19 @@ final class DarwinSandboxRunner extends SandboxRunner {
private final Path sandboxExecRoot;
private final Path sandboxConfigPath;
private final Set<Path> writableDirs;
+ private final Set<Path> inaccessiblePaths;
DarwinSandboxRunner(
Path sandboxPath,
Path sandboxExecRoot,
Set<Path> writableDirs,
+ Set<Path> inaccessiblePaths,
boolean verboseFailures) {
super(verboseFailures);
this.sandboxExecRoot = sandboxExecRoot;
this.sandboxConfigPath = sandboxPath.getRelative("sandbox.sb");
this.writableDirs = writableDirs;
+ this.inaccessiblePaths = inaccessiblePaths;
}
static boolean isSupported(CommandEnvironment cmdEnv) {
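Review bot: The new `inaccessiblePaths` field and constructor parameter have no comment saying what "inaccessible" means, and the only use visible in this diff (the second hunk) emits a `deny file-read*` rule, so reads are blocked but nothing shown here denies writes to those paths. I would add a comment on the field such as `// Paths the sandboxed process must not be able to read; emitted as a (deny file-read* ...) rule.` so callers do not assume full isolation. The constructor also keeps the caller's set by reference, as it already does for `writableDirs`; if the caller can mutate the set after construction, taking a defensive copy in the constructor would pin what ends up in the profile. The class body continues outside this hunk.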
@@ -127,6 +130,16 @@ final class DarwinSandboxRunner extends SandboxRunner {
for (Path path : writableDirs) {
allowWriteSubpath(out, path);
}
+
+ if (!inaccessiblePaths.isEmpty()) {
+ out.println("(deny file-read*");
+ // The sandbox configuration file is not part of a cache key and sandbox-exec doesn't care
+ // about ordering of paths in expressions, so it's fine if the iteration order is random.
+ for (Path inaccessiblePath : inaccessiblePaths) {
+ out.println(" (subpath \"" + inaccessiblePath + "\")");
+ }
+ out.println(")");
+ }
}
}
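Review bot: The path is concatenated into the profile's string literal at `out.println(" (subpath \"" + inaccessiblePath + "\")");` without any escaping, so a path containing `"` or `\` yields a malformed rule, or one with a different scope than intended, in sandbox.sb. Either escape both characters before writing, e.g. `inaccessiblePath.toString().replace("\\", "\\\\").replace("\"", "\\\"")` (assuming the profile language accepts Scheme-style string escapes), or reject such paths where the flag is parsed. Sandbox `subpath` filters are presumably matched against resolved paths, so a blocked path that goes through a symlink may not be covered unless the caller resolves it first; that is not visible here. The enclosing method starts outside the hunk, and `allowWriteSubpath` may need the same escaping.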