authorGravatar philwo <philwo@google.com>2017-05-12 23:41:47 +0200
committerGravatar Dmitry Lomov <dslomov@google.com>2017-05-15 19:51:02 +0200
commitdb5e06a29fccd31ad8ae13e7d271509807d87d7c (patch)
tree3377b285f3dceeec6ac4afc9d1412fc62eb2561e /src/test
parent729d48f682a9fcc830729e46a81c8f492ede7274 (diff)
Bring back --sandbox_block_path.
This is basically a rollback of https://github.com/bazelbuild/bazel/commit/3e2329a73ffd5d60e5e2babe60ebe5bf322c07da, except this solves the reason why the feature was removed in the first place. We now create the helper files necessary to make files unreadable in Linux in Bazel's Java code and manage their lifetime there. Request was filed by a user here: http://stackoverflow.com/questions/43849651/how-to-lock-down-the-bazel-filesystem-sandbox PiperOrigin-RevId: 155913246
Diffstat (limited to 'src/test')
-rwxr-xr-xsrc/test/shell/bazel/bazel_sandboxing_test.sh24
1 files changed, 20 insertions, 4 deletions
diff --git a/src/test/shell/bazel/bazel_sandboxing_test.sh b/src/test/shell/bazel/bazel_sandboxing_test.sh
index 3357d27862..b3e4e06f5b 100755
--- a/src/test/shell/bazel/bazel_sandboxing_test.sh
+++ b/src/test/shell/bazel/bazel_sandboxing_test.sh
@@ -135,11 +135,10 @@ genrule(
srcs = [ "a.txt" ],
outs = [ "breaks2.txt" ],
# The point of this test is to attempt to read something from the filesystem
- # that resides outside the sandbox by using an absolute path to that file.
+ # that is blocked via --sandbox_block_path= and thus should't be accessible.
#
- # /var/log is an arbitrary choice of directory (we don't mount it in the
- # sandbox and it should exist on every linux) which could be changed in
- # case it turns out it's necessary to put it in sandbox.
+ # /var/log is an arbitrary choice of directory that should exist on all Linux
+ # systems.
#
cmd = "ls /var/log &> $@",
)
@@ -303,6 +302,23 @@ function test_sandbox_undeclared_deps_skylark_with_local_tag() {
|| fail "Action did not produce output: examples/genrule:skylark_breaks1_works_with_local_tag"
}
+function test_sandbox_block_filesystem() {
+ output_file="${BAZEL_GENFILES_DIR}/examples/genrule/breaks2.txt"
+
+ bazel build --sandbox_block_path=/var/log examples/genrule:breaks2 &> $TEST_log \
+ && fail "Non-hermetic genrule succeeded: examples/genrule:breaks2" || true
+
+ [ -f "$output_file" ] ||
+ fail "Action did not produce output: $output_file"
+
+ if [ $(wc -l $output_file) -gt 1 ]; then
+ fail "Output contained more than one line: $output_file"
+ fi
+
+ fgrep "Permission denied" $output_file ||
+ fail "Output did not contain expected error message: $output_file"
+}
+
function test_sandbox_cyclic_symlink_in_inputs() {
bazel build examples/genrule:breaks3 &> $TEST_log \
&& fail "Genrule with cyclic symlinks succeeded: examples/genrule:breaks3" || true
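Review bot: The line-count check in test_sandbox_block_filesystem can never fire, because `wc -l $output_file` prints the count followed by the file name, so `[` receives two words before `-gt`, exits with a usage error, and the `if` takes the false branch. Reading the file from stdin yields a bare number: `if [ "$(wc -l < "$output_file")" -gt 1 ]; then`. As written, only the `fgrep "Permission denied"` check guards the blocked path, and it would still pass if the output held that message alongside leaked directory entries. Quoting `"$output_file"` in the `fgrep` call and declaring it `local` would also keep the test robust against paths with spaces and against leaking the variable into other tests. The hunk ends inside test_sandbox_cyclic_symlink_in_inputs, whose body continues outside it.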