diff options
author | 2017-08-11 12:14:56 +0200 | |
---|---|---|
committer | 2017-08-11 15:42:51 +0200 | |
commit | 5398d80d62131609b94ad90f788da5179585f8c9 (patch) | |
tree | b99e643c7a9515c7a5b7def49f438cf8cf66d48c /src/main | |
parent | 92d425fa73837bd53a5d5d82b73c6b33012f26c7 (diff) |
Support executing as root in the linux sandbox.
linux-sandbox has a useful option -R, that runs the spawn as fake
root. However, it's not exposed to Bazel rules. Here, we do that via
the "requires-fakeroot" tag.
One possible usecase: In combination with "block-network",
"requires-fakeroot" makes it possible to integration test services
that insist on listening on privileged ports.
Unsurprisingly, this is incompatible with --sandbox_fake_username.
Change-Id: I9e8ab4d4abf0e45626e005ff21f73e6c17de0788
PiperOrigin-RevId: 164961019
Diffstat (limited to 'src/main')
-rw-r--r-- | src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html | 5 | ||||
-rw-r--r-- | src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java | 26 |
2 files changed, 21 insertions, 10 deletions
diff --git a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html index f6d1ea656b..67a87e3006 100644 --- a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html +++ b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html @@ -33,6 +33,11 @@ network from inside the sandbox. In this case, only communication with localhost is allowed. </li> + + <li><code>requires-fakeroot</code> runs the test or action as uid and gid 0 (i.e., the root + user). This is only supported on Linux. This tag takes precedence over the + <code class='flag'>--sandbox_fake_username</code> command-line option. + </li> </ul> <p> diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java index 9e80c56d90..d0930d65fc 100644 --- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java +++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java @@ -114,14 +114,16 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner { Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment()); ImmutableSet<PathFragment> outputs = SandboxHelpers.getOutputFiles(spawn); Duration timeout = policy.getTimeout(); - List<String> arguments = computeCommandLine( - spawn, - timeout, - linuxSandbox, - writableDirs, - getTmpfsPaths(), - getReadOnlyBindMounts(blazeDirs, sandboxExecRoot), - allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn)); + List<String> arguments = + computeCommandLine( + spawn, + timeout, + linuxSandbox, + writableDirs, + getTmpfsPaths(), + getReadOnlyBindMounts(blazeDirs, sandboxExecRoot), + allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn), + spawn.getExecutionInfo().containsKey("requires-fakeroot")); SandboxedSpawn sandbox = new SymlinkedSandboxedSpawn( sandboxPath, @@ -141,7 +143,8 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner { Set<Path> writableDirs, Set<Path> tmpfsPaths, Map<Path, Path> bindMounts, - boolean allowNetwork) { + boolean allowNetwork, + boolean requiresFakeRoot) { List<String> commandLineArgs = new ArrayList<>(); commandLineArgs.add(linuxSandbox.getPathString()); @@ -192,7 +195,10 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner { commandLineArgs.add("-H"); } - if (getSandboxOptions().sandboxFakeUsername) { + if (requiresFakeRoot) { + // Use fake root. + commandLineArgs.add("-R"); + } else if (getSandboxOptions().sandboxFakeUsername) { // Use a fake username ("nobody") inside the sandbox. commandLineArgs.add("-U"); } |