Diffstat (limited to 'src/main/java/com/google/devtools')
3 files changed, 34 insertions, 2 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
index cceed552ba..c3d36a615f 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
@@ -15,6 +15,7 @@ package com.google.devtools.build.lib.sandbox;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.io.ByteStreams;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
 import com.google.devtools.build.lib.shell.Command;
@@ -40,25 +41,31 @@ final class LinuxSandboxRunner extends SandboxRunner {
 private final Path execRoot;
 private final Path sandboxExecRoot;
+ private final Path sandboxTempDir;
 private final Path argumentsFilePath;
 private final Set<Path> writableDirs;
 private final Set<Path> inaccessiblePaths;
+ private final Set<Path> bindMounts;
 private final boolean sandboxDebug;
 LinuxSandboxRunner(
 Path execRoot,
 Path sandboxPath,
 Path sandboxExecRoot,
+ Path sandboxTempDir,
 Set<Path> writableDirs,
 Set<Path> inaccessiblePaths,
+ ImmutableSet<Path> bindMounts,
 boolean verboseFailures,
 boolean sandboxDebug) {
 super(sandboxPath, sandboxExecRoot, verboseFailures);
 this.execRoot = execRoot;
 this.sandboxExecRoot = sandboxExecRoot;
+ this.sandboxTempDir = sandboxTempDir;
 this.argumentsFilePath = sandboxPath.getRelative("linux-sandbox.params");
 this.writableDirs = writableDirs;
 this.inaccessiblePaths = inaccessiblePaths;
+ this.bindMounts = bindMounts;
 this.sandboxDebug = sandboxDebug;
 }
@@ -116,6 +123,10 @@ final class LinuxSandboxRunner extends SandboxRunner {
 fileArgs.add("-D");
 }
+ // Temporary directory of the sandbox.
+ fileArgs.add("-S");
+ fileArgs.add(sandboxTempDir.toString());
+
 // Working directory of the spawn.
 fileArgs.add("-W");
 fileArgs.add(sandboxExecRoot.toString());
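Review bot: The new `-S` argument is emitted with `sandboxTempDir.toString()` while the new `-b` entries in the apparently same argument-building code use `getPathString()`; pick one form for all path arguments, e.g. `fileArgs.add(sandboxTempDir.getPathString());` (the pre-existing `-W` line has the same inconsistency). The comment `// Temporary directory of the sandbox.` names the path but not what linux-sandbox does with it, and since the flag's semantics are not visible in this diff I would extend it to something like `// Per-action temp directory passed to linux-sandbox via -S; presumably what the spawn sees as /tmp — confirm against linux-sandbox's handling of -S.` The method that builds fileArgs starts and ends outside this hunk.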
@@ -137,6 +148,11 @@ final class LinuxSandboxRunner extends SandboxRunner {
 fileArgs.add(inaccessiblePath.getPathString());
 }
+ for (Path bindMount : bindMounts) {
+ fileArgs.add("-b");
+ fileArgs.add(bindMount.getPathString());
+ }
+
 if (!allowNetwork) {
 // Block network access out of the namespace.
 fileArgs.add("-N");
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
index be49446a82..0e38d0d891 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
@@ -101,6 +101,7 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
 // Each invocation of "exec" gets its own sandbox.
 Path sandboxPath = SandboxHelpers.getSandboxRoot(blazeDirs, productName, uuid, execCounter);
 Path sandboxExecRoot = sandboxPath.getRelative("execroot").getRelative(execRoot.getBaseName());
+ Path sandboxTempDir = sandboxPath.getRelative("tmp");
 try {
@@ -110,6 +111,7 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
 Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment(), outputs);
 symlinkedExecRoot.createFileSystem( getMounts(spawn, actionExecutionContext), outputs, writableDirs);
+ sandboxTempDir.createDirectory();
 final SandboxRunner runner;
 if (fullySupported) {
@@ -118,8 +120,10 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
 execRoot,
 sandboxPath,
 sandboxExecRoot,
+ sandboxTempDir,
 getWritableDirs(sandboxExecRoot, spawn.getEnvironment(), outputs),
 getInaccessiblePaths(),
+ getBindMounts(blazeDirs),
 verboseFailures,
 sandboxOptions.sandboxDebug);
 } else {
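Review bot: The `-b` loop writes host directories into the params file without saying why they are exposed or whether linux-sandbox mounts them read-only, and every bind mount widens what the spawn can reach beyond its declared inputs, so this deserves a comment. Suggest `// Host directories bind-mounted into the sandbox. Each one widens the spawn's view, so the strategy requests them only for paths that would otherwise be unreachable (currently the workspace and output base when they live under /tmp).`, adjusting the parenthetical if getBindMounts changes. If `-b` does not imply read-only (not visible in this diff), state that in the comment as well. The enclosing argument-building method starts and ends outside this hunk.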
@@ -143,4 +147,17 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
 }
 }
+ private ImmutableSet<Path> getBindMounts(BlazeDirectories blazeDirs) {
+ Path tmpPath = blazeDirs.getFileSystem().getPath("/tmp");
+ ImmutableSet.Builder<Path> bindMounts = ImmutableSet.builder();
+ if (blazeDirs.getWorkspace().startsWith(tmpPath)) {
+
+ bindMounts.add(blazeDirs.getWorkspace());
+ }
+ if (blazeDirs.getOutputBase().startsWith(tmpPath)) {
+ bindMounts.add(blazeDirs.getOutputBase());
+ }
+ return bindMounts.build();
+ }
+
 }
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
index 8573ad5fa7..004c8dffbc 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
@@ -128,7 +128,6 @@ final class SandboxHelpers {
 return blazeDirs
 .getOutputBase()
 .getRelative(productName + "-sandbox")
- .getRelative(uuid + "-" + execCounter.getAndIncrement())
- .getRelative(blazeDirs.getExecRoot().getBaseName());
+ .getRelative(uuid + "-" + execCounter.getAndIncrement());
 }
 }
|
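Review bot: getBindMounts re-exposes the entire workspace and the entire output base to the spawn whenever they live under /tmp, and since the output base also holds every action's sandbox root (see the SandboxHelpers hunk: `getOutputBase().getRelative(productName + "-sandbox")`), an output base under /tmp presumably lets each sandboxed action see its sibling sandboxes; whether `-b` mounts read-only is not visible here, so confirm that in linux-sandbox and say so in a comment. `startsWith(tmpPath)` compares the configured paths as given, so a workspace or output base reached through a symlink that resolves into /tmp would be missed — either compare symlink-resolved paths or document the limitation. If `getWorkspace()` can be null in some invocations, the first check would throw a NullPointerException, so guard it if that is possible. The method has no doc comment; I would add `/** Host directories that must be bind-mounted into the sandbox because the sandbox's own tmp dir would otherwise hide them: the workspace and output base when either lives under /tmp (why /tmp is special is inferred from the new -S option — confirm). */`. Minor: remove the stray blank line after the first `if (...) {`.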