// Copyright 2018 The Bazel Authors. All rights reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package com.google.devtools.build.lib.sandbox; import static com.google.common.base.Preconditions.checkNotNull; import static java.nio.charset.StandardCharsets.UTF_8; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableMap; import com.google.devtools.build.lib.shell.Subprocess; import com.google.devtools.build.lib.shell.SubprocessBuilder; import com.google.devtools.build.lib.util.OS; import com.google.devtools.build.lib.vfs.Path; import com.google.devtools.build.lib.vfs.PathFragment; import java.io.BufferedReader; import java.io.BufferedWriter; import java.io.IOException; import java.io.InputStreamReader; import java.io.OutputStreamWriter; import java.util.List; import java.util.function.Function; import java.util.logging.Logger; import java.util.stream.Collectors; import javax.annotation.Nullable; /** A sandboxfs implementation that uses an external sandboxfs binary to manage the mount point. */ final class RealSandboxfsProcess implements SandboxfsProcess { private static final Logger log = Logger.getLogger(RealSandboxfsProcess.class.getName()); /** Directory on which the sandboxfs is serving. */ private final Path mountPoint; /** * Process handle to the sandboxfs instance. Null only after {@link #destroy()} has been invoked. */ private @Nullable Subprocess process; /** * Writer with which to send data to the sandboxfs instance. Null only after {@link #destroy()} * has been invoked. */ private @Nullable BufferedWriter processStdIn; /** * Reader with which to receive data from the sandboxfs instance. Null only after * {@link #destroy()} has been invoked. */ private @Nullable BufferedReader processStdOut; /** * Shutdown hook to stop the sandboxfs instance on abrupt termination. Null only after * {@link #destroy()} has been invoked. */ private @Nullable Thread shutdownHook; /** * Initializes a new sandboxfs process instance. * * @param process process handle for the already-running sandboxfs instance */ private RealSandboxfsProcess(Path mountPoint, Subprocess process) { this.mountPoint = mountPoint; this.process = process; this.processStdIn = new BufferedWriter( new OutputStreamWriter(process.getOutputStream(), UTF_8)); this.processStdOut = new BufferedReader( new InputStreamReader(process.getInputStream(), UTF_8)); this.shutdownHook = new Thread( () -> { try { this.destroy(); } catch (Exception e) { log.warning("Failed to destroy running sandboxfs instance; mount point may have " + "been left behind: " + e); } }); Runtime.getRuntime().addShutdownHook(shutdownHook); } /** * Mounts a new sandboxfs instance. * *

The root of the file system instance is left unmapped which means that it remains as * read-only throughout the lifetime of this instance. Writable subdirectories can later be * mapped via {@link #map(List)}. * * @param binary path to the sandboxfs binary. This is a {@link PathFragment} and not a * {@link Path} because we want to support "bare" (non-absolute) names for the location of * the sandboxfs binary; such names are automatically looked for in the {@code PATH}. * @param mountPoint directory on which to mount the sandboxfs instance * @param logFile path to the file that will receive all sandboxfs logging output * @return a new handle that represents the running process * @throws IOException if there is a problem starting the process */ static SandboxfsProcess mount(PathFragment binary, Path mountPoint, Path logFile) throws IOException { log.info("Mounting sandboxfs (" + binary + ") onto " + mountPoint); // TODO(jmmv): Before starting a sandboxfs serving instance, we must query the current version // of sandboxfs and check if we support its communication protocol. ImmutableList.Builder argvBuilder = ImmutableList.builder(); argvBuilder.add(binary.getPathString()); // On macOS, we need to allow users other than self to access the sandboxfs instance. This is // necessary because macOS's amfid, which runs as root, has to have access to the binaries // within the sandbox in order to validate signatures. See: // http://julio.meroh.net/2017/10/fighting-execs-sandboxfs-macos.html argvBuilder.add(OS.getCurrent() == OS.DARWIN ? "--allow=other" : "--allow=self"); // TODO(jmmv): Pass flags to enable sandboxfs' debugging support (--listen_address and --debug) // when requested by the user via --sandbox_debug. Tricky because we have to figure out how to // deal with port numbers (which sandboxfs can autoassign, but doesn't currently promise a way // to tell us back what it picked). argvBuilder.add(mountPoint.getPathString()); SubprocessBuilder processBuilder = new SubprocessBuilder(); processBuilder.setArgv(argvBuilder.build()); processBuilder.setStderr(logFile.getPathFile()); processBuilder.setEnv(ImmutableMap.of( // sandboxfs may need to locate fusermount depending on the FUSE implementation so pass the // PATH to the subprocess (which we assume is sufficient). "PATH", System.getenv("PATH"))); Subprocess process = processBuilder.start(); RealSandboxfsProcess sandboxfs = new RealSandboxfsProcess(mountPoint, process); // TODO(jmmv): We should have a better mechanism to wait for sandboxfs to start successfully but // sandboxfs currently provides no interface to do so. Just try to push an empty configuration // and see if it works. try { sandboxfs.reconfigure("[]\n\n"); } catch (IOException e) { destroyProcess(process); throw new IOException("sandboxfs failed to start", e); } return sandboxfs; } @Override public Path getMountPoint() { return mountPoint; } @Override public boolean isAlive() { return process != null && !process.finished(); } /** * Destroys a process and waits for it to exit. * * @param process the process to destroy. */ // TODO(jmmv): This is adapted from Worker.java. Should probably replace both with a new variant // of Uninterruptibles.callUninterruptibly that takes a lambda instead of a callable. private static void destroyProcess(Subprocess process) { process.destroy(); boolean interrupted = false; try { while (true) { try { process.waitFor(); return; } catch (InterruptedException ie) { interrupted = true; } } } finally { if (interrupted) { Thread.currentThread().interrupt(); } } } @Override public synchronized void destroy() { if (shutdownHook != null) { Runtime.getRuntime().removeShutdownHook(shutdownHook); shutdownHook = null; } if (processStdIn != null) { try { processStdIn.close(); } catch (IOException e) { log.warning("Failed to close sandboxfs's stdin pipe: " + e); } processStdIn = null; } if (processStdOut != null) { try { processStdOut.close(); } catch (IOException e) { log.warning("Failed to close sandboxfs's stdout pipe: " + e); } processStdOut = null; } if (process != null) { destroyProcess(process); process = null; } } /** * Pushes a new configuration to sandboxfs and waits for acceptance. * * @param config the configuration chunk to push to sandboxfs * @throws IOException if sandboxfs cannot be reconfigured either because of an error in the * configuration or because we failed to communicate with the subprocess */ private synchronized void reconfigure(String config) throws IOException { checkNotNull(processStdIn, "sandboxfs already has been destroyed"); processStdIn.write(config); processStdIn.flush(); checkNotNull(processStdOut, "sandboxfs has already been destroyed"); String done = processStdOut.readLine(); if (done == null) { throw new IOException("premature end of output from sandboxfs"); } if (!done.equals("Done")) { throw new IOException("received unknown string from sandboxfs: " + done + "; expected Done"); } } @Override public void map(List mappings) throws IOException { Function formatMapping = (mapping) -> String.format( "{\"Map\": {\"Mapping\": \"%s\", \"Target\": \"%s\", \"Writable\": %s}}", mapping.path(), mapping.target(), mapping.writable() ? "true" : "false"); StringBuilder sb = new StringBuilder(); sb.append("[\n"); sb.append(mappings.stream().map(formatMapping).collect(Collectors.joining(",\n"))); sb.append("]\n\n"); reconfigure(sb.toString()); } @Override public void unmap(PathFragment mapping) throws IOException { reconfigure(String.format("[{\"Unmap\": \"%s\"}]\n\n", mapping)); } }