author | philwo <philwo@google.com> | 2017-05-12 23:41:47 +0200 |
---|---|---|
committer | Dmitry Lomov <dslomov@google.com> | 2017-05-15 19:51:02 +0200 |
commit | db5e06a29fccd31ad8ae13e7d271509807d87d7c (patch) | |
tree | 3377b285f3dceeec6ac4afc9d1412fc62eb2561e /src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java | |
parent | 729d48f682a9fcc830729e46a81c8f492ede7274 (diff) |
Bring back --sandbox_block_path.
This is basically a rollback of https://github.com/bazelbuild/bazel/commit/3e2329a73ffd5d60e5e2babe60ebe5bf322c07da, except this solves the
reason why the feature was removed in the first place. We now create
the helper files necessary to make files unreadable in Linux in Bazel's
Java code and manage their lifetime there.
Request was filed by a user here:
http://stackoverflow.com/questions/43849651/how-to-lock-down-the-bazel-filesystem-sandbox
PiperOrigin-RevId: 155913246
Diffstat (limited to 'src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java')
-rw-r--r-- | src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
index 0e12fe869b..3b4d1e2ff7 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
@@ -42,16 +42,19 @@ final class DarwinSandboxRunner extends SandboxRunner {
 private final Path sandboxExecRoot;
 private final Path sandboxConfigPath;
 private final Set<Path> writableDirs;
+ private final Set<Path> inaccessiblePaths;
 DarwinSandboxRunner(
 Path sandboxPath,
 Path sandboxExecRoot,
 Set<Path> writableDirs,
+ Set<Path> inaccessiblePaths,
 boolean verboseFailures) {
 super(verboseFailures);
 this.sandboxExecRoot = sandboxExecRoot;
 this.sandboxConfigPath = sandboxPath.getRelative("sandbox.sb");
 this.writableDirs = writableDirs;
+ this.inaccessiblePaths = inaccessiblePaths;
 }
 static boolean isSupported(CommandEnvironment cmdEnv) {
@@ -127,6 +130,16 @@ final class DarwinSandboxRunner extends SandboxRunner {
 for (Path path : writableDirs) {
 allowWriteSubpath(out, path);
 }
+
+ if (!inaccessiblePaths.isEmpty()) {
+ out.println("(deny file-read*");
+ // The sandbox configuration file is not part of a cache key and sandbox-exec doesn't care
+ // about ordering of paths in expressions, so it's fine if the iteration order is random.
+ for (Path inaccessiblePath : inaccessiblePaths) {
+ out.println(" (subpath \"" + inaccessiblePath + "\")");
+ }
+ out.println(")");
+ }
 }
 } |
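Review bot: The constructor now takes two adjacent parameters of the same type, `Set<Path> writableDirs` and `Set<Path> inaccessiblePaths`, so a call site that passes them in the wrong order still compiles and would grant write access to exactly the paths that were meant to be blocked. Nothing in the hunk documents the difference, so I would add a comment on the new field such as `// Paths the sandboxed process must not be able to read; never interchangeable with writableDirs.` The field is also stored without a null check while the later hunk calls `inaccessiblePaths.isEmpty()` on it; whether callers can pass null is not visible here, so the constructor should state that the set must be non-null.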
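Review bot: In the second hunk each path is concatenated into the profile as `(subpath "…")` without any quoting, so a path containing `"` or `\` produces a malformed or differently-scoped `deny file-read*` rule instead of the one the user asked for. A guard before the `println`, for example `if (inaccessiblePath.toString().indexOf('"') >= 0 || inaccessiblePath.toString().indexOf('\\') >= 0) { throw new IllegalArgumentException("Cannot block path with quote or backslash: " + inaccessiblePath); }`, makes that case fail loudly rather than weaken the sandbox. It is also worth confirming that the paths are symlink-resolved before they reach this loop, since a rule written for an unresolved path may not match the file the process actually opens; that resolution, if it exists, happens outside the hunk. The enclosing method starts above the hunk, so how `allowWriteSubpath` treats the same characters is not visible here.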