author | Brian Silverman <bsilver16384@gmail.com> | 2015-11-04 16:41:47 +0000 |
---|---|---|
committer | John Field <jfield@google.com> | 2015-11-05 16:49:23 +0000 |
commit | 89a28dc9271c623bb55d65f1d82a499dccf23eb8 (patch) | |
tree | cec0c73f203573b33c0fd36149a620e588536bc9 /src/test/shell | |
parent | c7c505398bb056952fc14cae045ee708eaf7d35b (diff) |
Hook up the network sandboxing code
RELNOTES: Tests, genrules, and Skylark actions without the
"requires-network" tag will no longer be able to access the network.
--
Change-Id: I6f7ad209142c6cfa2ad0318adf3dcfbc9af3d724
Reviewed-on: https://bazel-review.git.corp.google.com/#/c/2221/
MOS_MIGRATED_REVID=107043709
Diffstat (limited to 'src/test/shell')
-rwxr-xr-x | src/test/shell/bazel/bazel_sandboxing_test.sh | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/src/test/shell/bazel/bazel_sandboxing_test.sh b/src/test/shell/bazel/bazel_sandboxing_test.sh index 8d4f110d50..c1e3c86d8b 100755 --- a/src/test/shell/bazel/bazel_sandboxing_test.sh +++ b/src/test/shell/bazel/bazel_sandboxing_test.sh @@ -23,6 +23,8 @@ source ${src_dir}/test-setup.sh \ || { echo "test-setup.sh not found!" >&2; exit 1; } source ${src_dir}/bazel_sandboxing_test_utils.sh \ || { echo "bazel_sandboxing_test_utils.sh not found!" >&2; exit 1; } +source ${src_dir}/remote_helpers.sh \ + || { echo "remote_helpers.sh not found!" >&2; exit 1; } function set_up { mkdir -p examples/genrule @@ -43,6 +45,8 @@ EOF ln -s $PWD/examples/genrule/symlinks/ok/sub examples/genrule/symlinks/a/b ln -s ../x.txt examples/genrule/symlinks/a/b/x.txt + echo 'stuff to serve' > file_to_serve + cat << 'EOF' > examples/genrule/BUILD genrule( name = "works", 
@@ -280,6 +284,64 @@ function test_sandbox_cyclic_symlink_in_inputs() { } } +function test_sandbox_network_access() { + serve_file file_to_serve + cat << EOF >> examples/genrule/BUILD + +genrule( + name = "breaks4", + outs = [ "breaks4.txt" ], + cmd = "curl -o \$@ localhost:${nc_port}", +) +EOF + bazel build --genrule_strategy=sandboxed \ + examples/genrule:breaks1 \ + && fail "Non-hermetic genrule succeeded: examples/genrule:breaks4" || true + [ ! -f "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4.txt" ] || { + output=$(cat "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4.txt") + fail "Non-hermetic genrule breaks1 suceeded with following output: $(output)" + } + kill_nc +} + +function test_sandbox_network_access_with_local() { + serve_file file_to_serve + cat << EOF >> examples/genrule/BUILD + +genrule( + name = "breaks4_works_with_local", + outs = [ "breaks4_works_with_local.txt" ], + cmd = "curl -o \$@ localhost:${nc_port}", + tags = [ "local" ], +) +EOF + bazel build --genrule_strategy=sandboxed \ + examples/genrule:breaks4_works_with_local \ + || fail "Non-hermetic genrule failed even though tags=['local']: examples/genrule:breaks4_works_with_local" + [ -f "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4_works_with_local.txt" ] \ + || fail "Genrule didn't produce output: examples/genrule:breaks4_works_with_local" + kill_nc +} + +function test_sandbox_network_access_with_requires_network() { + serve_file file_to_serve + cat << EOF >> examples/genrule/BUILD + +genrule( + name = "breaks4_works_with_requires_network", + outs = [ "breaks4_works_with_requires_network.txt" ], + cmd = "curl -o \$@ localhost:${nc_port}", + tags = [ "requires-network" ], +) +EOF + bazel build --genrule_strategy=sandboxed \ + examples/genrule:breaks4_works_with_requires_network \ + || fail "Non-hermetic genrule failed even though tags=['requires-network']: examples/genrule:breaks4_works_with_requires_network" + [ -f 
"${BAZEL_GENFILES_DIR}/examples/genrule/breaks4_works_with_requires_network.txt" ] \ + || fail "Genrule didn't produce output: examples/genrule:breaks4_works_with_requires_network" + kill_nc +} + check_kernel_version check_sandbox_allowed || exit 0 run_suite "sandbox" |
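Review bot: `test_sandbox_network_access` appends the `breaks4` genrule but then builds `examples/genrule:breaks1`, so the one test meant to show that the sandbox denies network access never runs the `curl` command and would still pass if network isolation were not applied at all. The target on the `bazel build` line should be `examples/genrule:breaks4`, which is what the failure message and the `breaks4.txt` check after it already assume. In the same function `$(output)` is a command substitution that tries to run a command called `output`; it should be `${output}`, and the message should name `breaks4` rather than `breaks1`. If `fail` aborts the test function (it is defined outside this hunk, so this is an assumption), `kill_nc` is skipped on the failure paths of all three tests and the listener started by `serve_file` stays up, so stopping it from a tear-down hook would be more reliable.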