diff options
Diffstat (limited to 'src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java')
-rw-r--r-- | src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java deleted file mode 100644 index a30d96de72..0000000000 --- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java +++ /dev/null @@ -1,145 +0,0 @@ -// Copyright 2014 The Bazel Authors. All rights reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package com.google.devtools.build.lib.sandbox; - -import static java.nio.charset.StandardCharsets.UTF_8; - -import com.google.common.collect.ImmutableMap; -import com.google.common.io.ByteStreams; -import com.google.devtools.build.lib.runtime.CommandEnvironment; -import com.google.devtools.build.lib.shell.Command; -import com.google.devtools.build.lib.shell.CommandException; -import com.google.devtools.build.lib.vfs.Path; -import java.io.BufferedWriter; -import java.io.File; -import java.io.IOException; -import java.io.OutputStreamWriter; -import java.io.PrintWriter; -import java.util.ArrayList; -import java.util.List; -import java.util.Map; -import java.util.Set; - -/** - * Helper class for running the namespace sandbox. This runner prepares environment inside the - * sandbox, handles sandbox output, performs cleanup and changes invocation if necessary. - */ -final class DarwinSandboxRunner extends SandboxRunner { - private static final String SANDBOX_EXEC = "/usr/bin/sandbox-exec"; - - private final Path sandboxExecRoot; - private final Path sandboxConfigPath; - private final Set<Path> writableDirs; - private final Set<Path> inaccessiblePaths; - - DarwinSandboxRunner( - Path sandboxPath, - Path sandboxExecRoot, - Set<Path> writableDirs, - Set<Path> inaccessiblePaths, - boolean verboseFailures) { - super(verboseFailures); - this.sandboxExecRoot = sandboxExecRoot; - this.sandboxConfigPath = sandboxPath.getRelative("sandbox.sb"); - this.writableDirs = writableDirs; - this.inaccessiblePaths = inaccessiblePaths; - } - - static boolean isSupported(CommandEnvironment cmdEnv) { - if (!ProcessWrapperRunner.isSupported(cmdEnv)) { - return false; - } - - List<String> args = new ArrayList<>(); - args.add(SANDBOX_EXEC); - args.add("-p"); - args.add("(version 1) (allow default)"); - args.add("/usr/bin/true"); - - ImmutableMap<String, String> env = ImmutableMap.of(); - File cwd = new File("/usr/bin"); - - Command cmd = new Command(args.toArray(new String[0]), env, cwd); - try { - cmd.execute( - /* stdin */ new byte[] {}, - Command.NO_OBSERVER, - ByteStreams.nullOutputStream(), - ByteStreams.nullOutputStream(), - /* killSubprocessOnInterrupt */ true); - } catch (CommandException e) { - return false; - } - - return true; - } - - @Override - protected Command getCommand( - CommandEnvironment cmdEnv, - List<String> arguments, - Map<String, String> env, - int timeout, - boolean allowNetwork, - boolean useFakeHostname, - boolean useFakeUsername) - throws IOException { - writeConfig(allowNetwork); - - List<String> commandLineArgs = new ArrayList<>(); - commandLineArgs.add(SANDBOX_EXEC); - commandLineArgs.add("-f"); - commandLineArgs.add(sandboxConfigPath.getPathString()); - commandLineArgs.addAll(ProcessWrapperRunner.getCommandLine(cmdEnv, arguments, timeout)); - return new Command(commandLineArgs.toArray(new String[0]), env, sandboxExecRoot.getPathFile()); - } - - private void writeConfig(boolean allowNetwork) throws IOException { - try (PrintWriter out = - new PrintWriter( - new BufferedWriter( - new OutputStreamWriter(sandboxConfigPath.getOutputStream(), UTF_8)))) { - // Note: In Apple's sandbox configuration language, the *last* matching rule wins. - out.println("(version 1)"); - out.println("(debug deny)"); - out.println("(allow default)"); - - if (!allowNetwork) { - out.println("(deny network*)"); - out.println("(allow network* (local ip \"localhost:*\"))"); - out.println("(allow network* (remote ip \"localhost:*\"))"); - } - - // By default, everything is read-only. - out.println("(deny file-write*)"); - - out.println("(allow file-write*"); - for (Path path : writableDirs) { - out.println(" (subpath \"" + path.getPathString() + "\")"); - } - out.println(")"); - - if (!inaccessiblePaths.isEmpty()) { - out.println("(deny file-read*"); - // The sandbox configuration file is not part of a cache key and sandbox-exec doesn't care - // about ordering of paths in expressions, so it's fine if the iteration order is random. - for (Path inaccessiblePath : inaccessiblePaths) { - out.println(" (subpath \"" + inaccessiblePath + "\")"); - } - out.println(")"); - } - } - } -} |