diff options
author | Philipp Wollermann <philwo@google.com> | 2017-05-09 04:04:54 -0400 |
---|---|---|
committer | Kristina Chodorow <kchodorow@google.com> | 2017-05-09 10:54:08 -0400 |
commit | 650669af84556920b6595d7cb57d6bb3aa20e6d8 (patch) | |
tree | 58a98fe3986175a14cd70535a8d7655b8360a512 /src/main/java/com | |
parent | ea71d6dc3d60c4ac937f3236c50b20f2daeefd58 (diff) |
sandbox: Remove special treatment for runUnderPath from Darwin sandbox.
There's no need to make it explicitly readable, because the entire host
filesystem is readable anyway.
Change-Id: I6a63cc93b600250c1c8828ef8d1c9d6133b671d7
PiperOrigin-RevId: 155477093
Diffstat (limited to 'src/main/java/com')
-rw-r--r-- | src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java | 7 | ||||
-rw-r--r-- | src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java | 43 |
2 files changed, 1 insertions, 49 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java index bcdcef3f5d..33de83eddf 100644 --- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java +++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java @@ -44,19 +44,16 @@ final class DarwinSandboxRunner extends SandboxRunner { private final Path sandboxExecRoot; private final Path sandboxConfigPath; private final Set<Path> writableDirs; - private final Path runUnderPath; DarwinSandboxRunner( Path sandboxPath, Path sandboxExecRoot, Set<Path> writableDirs, - Path runUnderPath, boolean verboseFailures) { super(verboseFailures); this.sandboxExecRoot = sandboxExecRoot; this.sandboxConfigPath = sandboxPath.getRelative("sandbox.sb"); this.writableDirs = writableDirs; - this.runUnderPath = runUnderPath; } static boolean isSupported() { @@ -121,10 +118,6 @@ final class DarwinSandboxRunner extends SandboxRunner { out.println("(allow network* (local ip \"localhost:*\"))"); out.println("(allow network* (remote ip \"localhost:*\"))"); - if (runUnderPath != null) { - out.println("(allow file-read* (subpath \"" + runUnderPath + "\"))"); - } - // Almost everything else is read-only. out.println("(deny file-write* (subpath \"/\"))"); diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java index ffdb57211c..62a5c52af1 100644 --- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java +++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java @@ -29,9 +29,7 @@ import com.google.devtools.build.lib.actions.Executor; import com.google.devtools.build.lib.actions.Spawn; import com.google.devtools.build.lib.actions.SpawnActionContext; import com.google.devtools.build.lib.analysis.BlazeDirectories; -import com.google.devtools.build.lib.analysis.config.RunUnder; import com.google.devtools.build.lib.buildtool.BuildRequest; -import com.google.devtools.build.lib.rules.test.TestRunnerAction; import com.google.devtools.build.lib.runtime.CommandEnvironment; import com.google.devtools.build.lib.shell.Command; import com.google.devtools.build.lib.shell.CommandException; @@ -43,7 +41,6 @@ import com.google.devtools.build.lib.vfs.FileSystem; import com.google.devtools.build.lib.vfs.FileSystemUtils; import com.google.devtools.build.lib.vfs.Path; import com.google.devtools.build.lib.vfs.PathFragment; -import com.google.devtools.build.lib.vfs.SearchPath; import com.google.devtools.build.lib.vfs.Symlinks; import java.io.BufferedWriter; import java.io.IOException; @@ -62,7 +59,6 @@ import java.util.concurrent.atomic.AtomicReference; ) public class DarwinSandboxedStrategy extends SandboxStrategy { - private final ImmutableMap<String, String> clientEnv; private final BlazeDirectories blazeDirs; private final Path execRoot; private final boolean sandboxDebug; @@ -85,7 +81,6 @@ public class DarwinSandboxedStrategy extends SandboxStrategy { sandboxBase, verboseFailures, buildRequest.getOptions(SandboxOptions.class)); - this.clientEnv = ImmutableMap.copyOf(cmdEnv.getClientEnv()); this.blazeDirs = cmdEnv.getDirectories(); this.execRoot = blazeDirs.getExecRoot(); this.sandboxDebug = buildRequest.getOptions(SandboxOptions.class).sandboxDebug; @@ -174,7 +169,6 @@ public class DarwinSandboxedStrategy extends SandboxStrategy { StandaloneSpawnStrategy.locallyDeterminedEnv(execRoot, productName, spawn.getEnvironment()); Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment()); - Path runUnderPath = getRunUnderPath(spawn); HardlinkedExecRoot hardlinkedExecRoot = new HardlinkedExecRoot(execRoot, sandboxPath, sandboxExecRoot, errWriter); ImmutableSet<PathFragment> outputs = SandboxHelpers.getOutputFiles(spawn); @@ -187,8 +181,7 @@ public class DarwinSandboxedStrategy extends SandboxStrategy { } DarwinSandboxRunner runner = - new DarwinSandboxRunner( - sandboxPath, sandboxExecRoot, writableDirs, runUnderPath, verboseFailures); + new DarwinSandboxRunner(sandboxPath, sandboxExecRoot, writableDirs, verboseFailures); try { runSpawn( spawn, @@ -299,38 +292,4 @@ public class DarwinSandboxedStrategy extends SandboxStrategy { Preconditions.checkArgument(stat != null, "%s does not exist", source.toString()); finalizedMounts.put(target, source); } - - /** - * If a --run_under= option is set and refers to a command via its path (as opposed to via its - * label), we have to mount this. Note that this is best effort and works fine for shell scripts - * and small binaries, but we can't track any further dependencies of this command. - * - * <p>If --run_under= refers to a label, it is automatically provided in the spawn's input files, - * so mountInputs() will catch that case. - */ - private Path getRunUnderPath(Spawn spawn) { - if (spawn.getResourceOwner() instanceof TestRunnerAction) { - TestRunnerAction testRunnerAction = ((TestRunnerAction) spawn.getResourceOwner()); - RunUnder runUnder = testRunnerAction.getExecutionSettings().getRunUnder(); - if (runUnder != null && runUnder.getCommand() != null) { - PathFragment sourceFragment = PathFragment.create(runUnder.getCommand()); - Path mount; - if (sourceFragment.isAbsolute()) { - mount = blazeDirs.getFileSystem().getPath(sourceFragment); - } else if (blazeDirs.getExecRoot().getRelative(sourceFragment).exists()) { - mount = blazeDirs.getExecRoot().getRelative(sourceFragment); - } else { - List<Path> searchPath = - SearchPath.parse(blazeDirs.getFileSystem(), clientEnv.get("PATH")); - mount = SearchPath.which(searchPath, runUnder.getCommand()); - } - // only need to hardlink when under workspace - Path workspace = blazeDirs.getWorkspace(); - if (mount != null && mount.startsWith(workspace)) { - return mount; - } - } - } - return null; - } } |