Support executing as root in the linux sandbox.

linux-sandbox has a useful option -R, that runs the spawn as fake
root. However, it's not exposed to Bazel rules. Here, we do that via
the "requires-fakeroot" tag.

One possible usecase: In combination with "block-network",
"requires-fakeroot" makes it possible to integration test services
that insist on listening on privileged ports.

Unsurprisingly, this is incompatible with --sandbox_fake_username.

Change-Id: I9e8ab4d4abf0e45626e005ff21f73e6c17de0788
PiperOrigin-RevId: 164961019

2 files changed, 21 insertions, 10 deletions

diff --git a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html
index f6d1ea656b..67a87e3006 100644
--- a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html
+++ b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html
@@ -33,6 +33,11 @@
     network from inside the sandbox. In this case, only communication
     with localhost is allowed.
   </li>
+
+  <li><code>requires-fakeroot</code> runs the test or action as uid and gid 0 (i.e., the root
+    user). This is only supported on Linux. This tag takes precedence over the
+    <code class='flag'>--sandbox_fake_username</code> command-line option.
+  </li>
 </ul>
 
 <p>
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
index 9e80c56d90..d0930d65fc 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
@@ -114,14 +114,16 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
     Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment());
     ImmutableSet<PathFragment> outputs = SandboxHelpers.getOutputFiles(spawn);
     Duration timeout = policy.getTimeout();
-    List<String> arguments = computeCommandLine(
-        spawn,
-        timeout,
-        linuxSandbox,
-        writableDirs,
-        getTmpfsPaths(),
-        getReadOnlyBindMounts(blazeDirs, sandboxExecRoot),
-        allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn));
+    List<String> arguments =
+        computeCommandLine(
+            spawn,
+            timeout,
+            linuxSandbox,
+            writableDirs,
+            getTmpfsPaths(),
+            getReadOnlyBindMounts(blazeDirs, sandboxExecRoot),
+            allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn),
+            spawn.getExecutionInfo().containsKey("requires-fakeroot"));
 
     SandboxedSpawn sandbox = new SymlinkedSandboxedSpawn(
         sandboxPath,
@@ -141,7 +143,8 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
       Set<Path> writableDirs,
       Set<Path> tmpfsPaths,
       Map<Path, Path> bindMounts,
-      boolean allowNetwork) {
+      boolean allowNetwork,
+      boolean requiresFakeRoot) {
     List<String> commandLineArgs = new ArrayList<>();
     commandLineArgs.add(linuxSandbox.getPathString());
 
@@ -192,7 +195,10 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
       commandLineArgs.add("-H");
     }
 
-    if (getSandboxOptions().sandboxFakeUsername) {
+    if (requiresFakeRoot) {
+      // Use fake root.
+      commandLineArgs.add("-R");
+    } else if (getSandboxOptions().sandboxFakeUsername) {
       // Use a fake username ("nobody") inside the sandbox.
       commandLineArgs.add("-U");
     }