authorGravatar Philipp Wollermann <philwo@google.com>2016-09-28 13:13:31 +0000
committerGravatar Yun Peng <pcloudy@google.com>2016-09-28 14:01:39 +0000
commit8b88f64e92679543b48770bf530ca724a4d7214d (patch)
tree4f637cc907dff030f020b4f32b9f2996e8ef023b /src/main/java
parenta1cf35928c20b9a5bde490934f95df7813fb2e5e (diff)
Add a new flag --sandbox_tmpfs_path, which asks the sandbox to mount an empty, writable directory at a specified path when running actions. (Supported on Linux only for now.)
RELNOTES: Added a new flag --sandbox_tmpfs_path, which asks the sandbox to mount an empty, writable directory at a specified path when running actions. (Supported on Linux only for now.) -- MOS_MIGRATED_REVID=134526345
Diffstat (limited to 'src/main/java')
-rw-r--r--src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java11
-rw-r--r--src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java10
-rw-r--r--src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java10
3 files changed, 28 insertions, 3 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
index c3d36a615f..b0491c4b72 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
@@ -15,7 +15,6 @@
package com.google.devtools.build.lib.sandbox;
import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
import com.google.common.io.ByteStreams;
import com.google.devtools.build.lib.runtime.CommandEnvironment;
import com.google.devtools.build.lib.shell.Command;
@@ -45,6 +44,7 @@ final class LinuxSandboxRunner extends SandboxRunner {
private final Path argumentsFilePath;
private final Set<Path> writableDirs;
private final Set<Path> inaccessiblePaths;
+ private final Set<Path> tmpfsPaths;
private final Set<Path> bindMounts;
private final boolean sandboxDebug;
@@ -55,7 +55,8 @@ final class LinuxSandboxRunner extends SandboxRunner {
Path sandboxTempDir,
Set<Path> writableDirs,
Set<Path> inaccessiblePaths,
- ImmutableSet<Path> bindMounts,
+ Set<Path> tmpfsPaths,
+ Set<Path> bindMounts,
boolean verboseFailures,
boolean sandboxDebug) {
super(sandboxPath, sandboxExecRoot, verboseFailures);
@@ -65,6 +66,7 @@ final class LinuxSandboxRunner extends SandboxRunner {
this.argumentsFilePath = sandboxPath.getRelative("linux-sandbox.params");
this.writableDirs = writableDirs;
this.inaccessiblePaths = inaccessiblePaths;
+ this.tmpfsPaths = tmpfsPaths;
this.bindMounts = bindMounts;
this.sandboxDebug = sandboxDebug;
}
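Review bot: The constructor stores `tmpfsPaths` and `bindMounts` as whatever `Set<Path>` the caller hands in, and the signature hunk above relaxes `bindMounts` from `ImmutableSet<Path>` to `Set<Path>`, so the runner no longer has any guarantee that its mount list is fixed once it is built. The caller visible in this commit passes `ImmutableSet`s, so nothing is broken today, but these sets define the sandbox boundary and a later caller could pass a mutable set and change it before the arguments file is written. A defensive copy such as `this.tmpfsPaths = ImmutableSet.copyOf(tmpfsPaths);` (and the same for `bindMounts`) would keep that guarantee; it requires keeping the `ImmutableSet` import that the first hunk removes. The constructor starts outside this hunk.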
@@ -148,6 +150,11 @@ final class LinuxSandboxRunner extends SandboxRunner {
fileArgs.add(inaccessiblePath.getPathString());
}
+ for (Path tmpfsPath : tmpfsPaths) {
+ fileArgs.add("-e");
+ fileArgs.add(tmpfsPath.getPathString());
+ }
+
for (Path bindMount : bindMounts) {
fileArgs.add("-b");
fileArgs.add(bindMount.getPathString());
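Review bot: Nothing in the new `-e` loop checks a tmpfs path against the other mount sets the runner holds, so a `--sandbox_tmpfs_path` that equals or contains the sandbox exec root, a writable directory or a `-b` bind mount is passed through as given. Whether the empty mount then hides those paths or is hidden by them depends on the order in which the sandbox binary applies its mounts, which is not visible here. It would help to reject overlapping paths before the arguments are written and to record the intent in a comment, for example `// -e <path>: mount an empty tmpfs at <path>; must not overlap the exec root or any bind mount`. The enclosing method starts and ends outside the hunk.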
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
index b052bdb3e4..92f6234cc6 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
@@ -143,6 +143,7 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
sandboxTempDir,
getWritableDirs(sandboxExecRoot, spawn.getEnvironment()),
getInaccessiblePaths(),
+ getTmpfsPaths(),
getBindMounts(blazeDirs),
verboseFailures,
sandboxOptions.sandboxDebug);
@@ -151,11 +152,18 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
}
}
+ private ImmutableSet<Path> getTmpfsPaths() {
+ ImmutableSet.Builder<Path> tmpfsPaths = ImmutableSet.builder();
+ for (String tmpfsPath : sandboxOptions.sandboxTmpfsPath) {
+ tmpfsPaths.add(blazeDirs.getFileSystem().getPath(tmpfsPath));
+ }
+ return tmpfsPaths.build();
+ }
+
private ImmutableSet<Path> getBindMounts(BlazeDirectories blazeDirs) {
Path tmpPath = blazeDirs.getFileSystem().getPath("/tmp");
ImmutableSet.Builder<Path> bindMounts = ImmutableSet.builder();
if (blazeDirs.getWorkspace().startsWith(tmpPath)) {
-
bindMounts.add(blazeDirs.getWorkspace());
}
if (blazeDirs.getOutputBase().startsWith(tmpPath)) {
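Review bot: `getTmpfsPaths()` passes each raw flag string straight to `blazeDirs.getFileSystem().getPath(tmpfsPath)` with no validation, so an empty or relative value such as `--sandbox_tmpfs_path=tmp` either surfaces as an unchecked exception from `getPath` (presumably it expects an absolute path; confirm) or yields a path whose meaning depends on the filesystem root. The method should check each entry first, for instance `if (!tmpfsPath.startsWith("/"))`, and report a user-facing error that names the flag and the offending value instead of crashing in the middle of action execution. A smaller style point: this method reads `blazeDirs` from the enclosing class while `getBindMounts(BlazeDirectories blazeDirs)` right below takes it as a parameter, and the two helpers would read better if they agreed. The body of `getBindMounts` continues outside the hunk.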
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
index 00ac908406..909e07cc76 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
@@ -49,4 +49,14 @@ public class SandboxOptions extends OptionsBase {
help = "For sandboxed actions, disallow access to this path."
)
public List<String> sandboxBlockPath;
+
+ @Option(
+ name = "sandbox_tmpfs_path",
+ allowMultiple = true,
+ defaultValue = "",
+ category = "config",
+ help = "For sandboxed actions, mount an empty, writable directory at this path"
+ + " (if supported by the sandboxing implementation, ignored otherwise)."
+ )
+ public List<String> sandboxTmpfsPath;
}
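Review bot: The help text for `sandbox_tmpfs_path` says the flag is "ignored otherwise", which means a user who sets it to keep actions from seeing an existing host directory gets no isolation and no diagnostic on platforms where the sandbox does not implement it. The text also omits that the value must be an absolute path and that anything already at that path becomes invisible to the action. A wording such as `"For sandboxed actions, mount an empty, writable directory at this absolute path, hiding any existing contents (Linux only; has no effect with other sandbox implementations)."` would cover both. Emitting a warning when the flag is set but unsupported would be safer than silently ignoring it.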