diff options
author | 2017-08-11 12:14:56 +0200 | |
---|---|---|
committer | 2017-08-11 15:42:51 +0200 | |
commit | 5398d80d62131609b94ad90f788da5179585f8c9 (patch) | |
tree | b99e643c7a9515c7a5b7def49f438cf8cf66d48c /src | |
parent | 92d425fa73837bd53a5d5d82b73c6b33012f26c7 (diff) |
Support executing as root in the linux sandbox.
linux-sandbox has a useful option -R, that runs the spawn as fake
root. However, it's not exposed to Bazel rules. Here, we do that via
the "requires-fakeroot" tag.
One possible usecase: In combination with "block-network",
"requires-fakeroot" makes it possible to integration test services
that insist on listening on privileged ports.
Unsurprisingly, this is incompatible with --sandbox_fake_username.
Change-Id: I9e8ab4d4abf0e45626e005ff21f73e6c17de0788
PiperOrigin-RevId: 164961019
Diffstat (limited to 'src')
3 files changed, 38 insertions, 10 deletions
diff --git a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html index f6d1ea656b..67a87e3006 100644 --- a/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html +++ b/src/main/java/com/google/devtools/build/docgen/templates/attributes/common/tags.html @@ -33,6 +33,11 @@ network from inside the sandbox. In this case, only communication with localhost is allowed. </li> + + <li><code>requires-fakeroot</code> runs the test or action as uid and gid 0 (i.e., the root + user). This is only supported on Linux. This tag takes precedence over the + <code class='flag'>--sandbox_fake_username</code> command-line option. + </li> </ul> <p> diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java index 9e80c56d90..d0930d65fc 100644 --- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java +++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java @@ -114,14 +114,16 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner { Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment()); ImmutableSet<PathFragment> outputs = SandboxHelpers.getOutputFiles(spawn); Duration timeout = policy.getTimeout(); - List<String> arguments = computeCommandLine( - spawn, - timeout, - linuxSandbox, - writableDirs, - getTmpfsPaths(), - getReadOnlyBindMounts(blazeDirs, sandboxExecRoot), - allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn)); + List<String> arguments = + computeCommandLine( + spawn, + timeout, + linuxSandbox, + writableDirs, + getTmpfsPaths(), + getReadOnlyBindMounts(blazeDirs, sandboxExecRoot), + allowNetwork || SandboxHelpers.shouldAllowNetwork(spawn), + spawn.getExecutionInfo().containsKey("requires-fakeroot")); SandboxedSpawn sandbox = new SymlinkedSandboxedSpawn( sandboxPath, @@ -141,7 +143,8 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner { Set<Path> writableDirs, Set<Path> tmpfsPaths, Map<Path, Path> bindMounts, - boolean allowNetwork) { + boolean allowNetwork, + boolean requiresFakeRoot) { List<String> commandLineArgs = new ArrayList<>(); commandLineArgs.add(linuxSandbox.getPathString()); @@ -192,7 +195,10 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner { commandLineArgs.add("-H"); } - if (getSandboxOptions().sandboxFakeUsername) { + if (requiresFakeRoot) { + // Use fake root. + commandLineArgs.add("-R"); + } else if (getSandboxOptions().sandboxFakeUsername) { // Use a fake username ("nobody") inside the sandbox. commandLineArgs.add("-U"); } diff --git a/src/test/shell/bazel/bazel_sandboxing_test.sh b/src/test/shell/bazel/bazel_sandboxing_test.sh index 08528f8c1d..6dd875f525 100755 --- a/src/test/shell/bazel/bazel_sandboxing_test.sh +++ b/src/test/shell/bazel/bazel_sandboxing_test.sh @@ -460,6 +460,23 @@ bazel build examples/genrule:works &> ${TEST_log} EOF } +function test_requires_root() { + cat > test.sh <<'EOF' +#!/bin/sh +([ $(id -u) = "0" ] && [ $(id -g) = "0" ]) || exit 1 +EOF + chmod +x test.sh + cat > BUILD <<'EOF' +sh_test( + name = "test", + srcs = ["test.sh"], + tags = ["requires-fakeroot"], +) +EOF + bazel test --test_output=errors :test || fail "test did not pass" + bazel test --nocache_test_results --sandbox_fake_username --test_output=errors :test || fail "test did not pass" +} + # Tests that /proc/self == /proc/$$. This should always be true unless the PID namespace is active without /proc being remounted correctly. function test_sandbox_proc_self() { bazel build examples/genrule:check_proc_works >& $TEST_log || fail "build should have succeeded" |