Support executing as root in the linux sandbox.

linux-sandbox has a useful option -R, that runs the spawn as fake
root. However, it's not exposed to Bazel rules. Here, we do that via
the "requires-fakeroot" tag.

One possible usecase: In combination with "block-network",
"requires-fakeroot" makes it possible to integration test services
that insist on listening on privileged ports.

Unsurprisingly, this is incompatible with --sandbox_fake_username.

Change-Id: I9e8ab4d4abf0e45626e005ff21f73e6c17de0788
PiperOrigin-RevId: 164961019

3 files changed, 38 insertions, 10 deletions

diff --git a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html
index f6d1ea656b..67a87e3006 100644
--- a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html
+++ b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html
@@ -33,6 +33,11 @@
     network from inside the sandbox. In this case, only communication
     with localhost is allowed.
   </li>
+
+  <li><code>requires-fakeroot</code> runs the test or action as uid and gid 0 (i.e., the root
+    user). This is only supported on Linux. This tag takes precedence over the
+    <code class='flag'>--sandbox_fake_username</code> command-line option.
+  </li>
 </ul>
 
 <p>
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
index 9e80c56d90..d0930d65fc 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
@@ -114,14 +114,16 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
     Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment());
     ImmutableSet<PathFragment> outputs = SandboxHelpers.getOutputFiles(spawn);
     Duration timeout = policy.getTimeout();
-    List<String> arguments = computeCommandLine(
-        spawn,
-        timeout,
-        linuxSandbox,
-        writableDirs,
-        getTmpfsPaths(),
-        getReadOnlyBindMounts(blazeDirs, sandboxExecRoot),
-        allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn));
+    List<String> arguments =
+        computeCommandLine(
+            spawn,
+            timeout,
+            linuxSandbox,
+            writableDirs,
+            getTmpfsPaths(),
+            getReadOnlyBindMounts(blazeDirs, sandboxExecRoot),
+            allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn),
+            spawn.getExecutionInfo().containsKey("requires-fakeroot"));
 
     SandboxedSpawn sandbox = new SymlinkedSandboxedSpawn(
         sandboxPath,
@@ -141,7 +143,8 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
       Set<Path> writableDirs,
       Set<Path> tmpfsPaths,
       Map<Path, Path> bindMounts,
-      boolean allowNetwork) {
+      boolean allowNetwork,
+      boolean requiresFakeRoot) {
     List<String> commandLineArgs = new ArrayList<>();
     commandLineArgs.add(linuxSandbox.getPathString());
 
@@ -192,7 +195,10 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
       commandLineArgs.add("-H");
     }
 
-    if (getSandboxOptions().sandboxFakeUsername) {
+    if (requiresFakeRoot) {
+      // Use fake root.
+      commandLineArgs.add("-R");
+    } else if (getSandboxOptions().sandboxFakeUsername) {
       // Use a fake username ("nobody") inside the sandbox.
       commandLineArgs.add("-U");
     }
diff --git a/src/test/shell/bazel/bazel_sandboxing_test.sh b/src/test/shell/bazel/bazel_sandboxing_test.sh
index 08528f8c1d..6dd875f525 100755
--- a/src/test/shell/bazel/bazel_sandboxing_test.sh
+++ b/src/test/shell/bazel/bazel_sandboxing_test.sh
@@ -460,6 +460,23 @@ bazel build examples/genrule:works &> ${TEST_log}
 EOF
 }
 
+function test_requires_root() {
+  cat > test.sh <<'EOF'
+#!/bin/sh
+([ $(id -u) = "0" ] && [ $(id -g) = "0" ]) || exit 1
+EOF
+  chmod +x test.sh
+  cat > BUILD <<'EOF'
+sh_test(
+  name = "test",
+  srcs = ["test.sh"],
+  tags = ["requires-fakeroot"],
+)
+EOF
+  bazel test --test_output=errors :test || fail "test did not pass"
+  bazel test --nocache_test_results --sandbox_fake_username --test_output=errors :test || fail "test did not pass"
+}
+
 # Tests that /proc/self == /proc/$$. This should always be true unless the PID namespace is active without /proc being remounted correctly.
 function test_sandbox_proc_self() {
   bazel build examples/genrule:check_proc_works >& $TEST_log || fail "build should have succeeded"