author | Philipp Wollermann <philwo@google.com> | 2017-03-24 12:35:20 +0000 |
---|---|---|
committer | Philipp Wollermann <philwo@google.com> | 2017-03-27 11:34:38 +0000 |
commit | c2d773ef4c0916a44fd7936f7bbc22ec55102915 (patch) | |
tree | 1e5c307a7b530e76f01b244da218bff2bcc9e669 /src/main/tools | |
parent | b102cf7d234e8c69cfb28a502076ac529138011e (diff) |
sandbox: Improve the check whether the Linux sandbox is supported.
Try to run /bin/true as a test of whether the Linux sandbox works,
instead of just trying to create a bunch of namespaces as a proxy.
This helps resolve issues on Linux distros where the earlier check
worked, but then the sandbox ultimately failed due to other operations
being unsupported.
As an example, Debian Jessie and certain Docker versions seem to allow
the creation of PID namespaces, but forbid mounting a new proc on top of
/proc (see #1972). This resulted in Bazel thinking that sandboxing works
fine, when it actually didn't. The improved check correctly catches this
situation and disables sandboxing.
--
PiperOrigin-RevId: 151116894
MOS_MIGRATED_REVID=151116894
Diffstat (limited to 'src/main/tools')
-rw-r--r-- | src/main/tools/linux-sandbox-options.cc | 36 |
1 files changed, 2 insertions, 34 deletions
diff --git a/src/main/tools/linux-sandbox-options.cc b/src/main/tools/linux-sandbox-options.cc
index 78831e6f03..b83c4f68ba 100644
--- a/src/main/tools/linux-sandbox-options.cc
+++ b/src/main/tools/linux-sandbox-options.cc
@@ -81,34 +81,6 @@ static void Usage(char *program_name, const char *fmt, ...) {
 exit(EXIT_FAILURE);
 }
 
-// Child function used by CheckNamespacesSupported() in call to clone().
-static int CheckNamespacesSupportedChild(void *arg) { return 0; }
-
-// Check whether the required namespaces are supported.
-static int CheckNamespacesSupported() {
- const int kStackSize = 1024 * 1024;
- vector<char> child_stack(kStackSize);
-
- pid_t pid = clone(CheckNamespacesSupportedChild, &child_stack.back(),
- CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
- CLONE_NEWNET | CLONE_NEWPID | SIGCHLD,
- NULL);
- if (pid < 0) {
- DIE("pid");
- }
-
- int err;
- do {
- err = waitpid(pid, NULL, 0);
- } while (err < 0 && errno == EINTR);
-
- if (err < 0) {
- DIE("waitpid");
- }
-
- return EXIT_SUCCESS;
-}
-
 static void ValidateIsAbsolutePath(char *path, char *program_name, char flag) {
 if (path[0] != '/') {
 Usage(program_name, "The -%c option must be used with absolute paths only.",
@@ -124,14 +96,10 @@ static void ParseCommandLine(unique_ptr<vector<char *>> args) {
 int c;
 bool source_specified;
 
- while ((c = getopt(args->size(), args->data(),
- ":CW:T:t:l:L:w:e:M:m:HNRUD")) != -1) {
+ while ((c = getopt(args->size(), args->data(), ":W:T:t:l:L:w:e:M:m:HNRUD")) !=
+ -1) {
 if (c != 'M' && c != 'm') source_specified = false;
 switch (c) {
- case 'C':
- // Shortcut for the "does this system support sandboxing" check.
- exit(CheckNamespacesSupported());
- break;
 case 'W':
 if (opt.working_dir == NULL) {
 ValidateIsAbsolutePath(optarg, args->front(), static_cast<char>(c)); |
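Review bot: `bool source_specified;` in ParseCommandLine is declared without an initializer, and the only assignment visible in this hunk, `if (c != 'M' && c != 'm') source_specified = false;`, is skipped when the first option parsed is `-M` or `-m`. If the `'m'` case outside this hunk reads the flag before anything has written it, that read is of an indeterminate value, which is undefined behaviour in the argument parser of the sandbox binary. Initialising it at the declaration, `bool source_specified = false;`, removes the dependency on option order. ParseCommandLine's body continues past the end of the hunk, so the reads themselves are not visible here.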