1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
|
// Copyright 2018 The Bazel Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.devtools.build.lib.sandbox;
import static com.google.common.base.Preconditions.checkNotNull;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.devtools.build.lib.shell.Subprocess;
import com.google.devtools.build.lib.shell.SubprocessBuilder;
import com.google.devtools.build.lib.util.OS;
import com.google.devtools.build.lib.vfs.Path;
import com.google.devtools.build.lib.vfs.PathFragment;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.util.List;
import java.util.function.Function;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
/** A sandboxfs implementation that uses an external sandboxfs binary to manage the mount point. */
final class RealSandboxfsProcess implements SandboxfsProcess {
private static final Logger log = Logger.getLogger(RealSandboxfsProcess.class.getName());
/** Directory on which the sandboxfs is serving. */
private final Path mountPoint;
/**
* Process handle to the sandboxfs instance. Null only after {@link #destroy()} has been invoked.
*/
private @Nullable Subprocess process;
/**
* Writer with which to send data to the sandboxfs instance. Null only after {@link #destroy()}
* has been invoked.
*/
private @Nullable BufferedWriter processStdIn;
/**
* Reader with which to receive data from the sandboxfs instance. Null only after
* {@link #destroy()} has been invoked.
*/
private @Nullable BufferedReader processStdOut;
/**
* Shutdown hook to stop the sandboxfs instance on abrupt termination. Null only after
* {@link #destroy()} has been invoked.
*/
private @Nullable Thread shutdownHook;
/**
* Initializes a new sandboxfs process instance.
*
* @param process process handle for the already-running sandboxfs instance
*/
private RealSandboxfsProcess(Path mountPoint, Subprocess process) {
this.mountPoint = mountPoint;
this.process = process;
this.processStdIn = new BufferedWriter(
new OutputStreamWriter(process.getOutputStream(), UTF_8));
this.processStdOut = new BufferedReader(
new InputStreamReader(process.getInputStream(), UTF_8));
this.shutdownHook =
new Thread(
() -> {
try {
this.destroy();
} catch (Exception e) {
log.warning("Failed to destroy running sandboxfs instance; mount point may have "
+ "been left behind: " + e);
}
});
Runtime.getRuntime().addShutdownHook(shutdownHook);
}
/**
* Mounts a new sandboxfs instance.
*
* <p>The root of the file system instance is left unmapped which means that it remains as
* read-only throughout the lifetime of this instance. Writable subdirectories can later be
* mapped via {@link #map(List)}.
*
* @param binary path to the sandboxfs binary. This is a {@link PathFragment} and not a
* {@link Path} because we want to support "bare" (non-absolute) names for the location of
* the sandboxfs binary; such names are automatically looked for in the {@code PATH}.
* @param mountPoint directory on which to mount the sandboxfs instance
* @param logFile path to the file that will receive all sandboxfs logging output
* @return a new handle that represents the running process
* @throws IOException if there is a problem starting the process
*/
static SandboxfsProcess mount(PathFragment binary, Path mountPoint, Path logFile)
throws IOException {
log.info("Mounting sandboxfs (" + binary + ") onto " + mountPoint);
// TODO(jmmv): Before starting a sandboxfs serving instance, we must query the current version
// of sandboxfs and check if we support its communication protocol.
ImmutableList.Builder<String> argvBuilder = ImmutableList.builder();
argvBuilder.add(binary.getPathString());
// On macOS, we need to allow users other than self to access the sandboxfs instance. This is
// necessary because macOS's amfid, which runs as root, has to have access to the binaries
// within the sandbox in order to validate signatures. See:
// http://julio.meroh.net/2017/10/fighting-execs-sandboxfs-macos.html
argvBuilder.add(OS.getCurrent() == OS.DARWIN ? "--allow=other" : "--allow=self");
// TODO(jmmv): Pass flags to enable sandboxfs' debugging support (--listen_address and --debug)
// when requested by the user via --sandbox_debug. Tricky because we have to figure out how to
// deal with port numbers (which sandboxfs can autoassign, but doesn't currently promise a way
// to tell us back what it picked).
argvBuilder.add(mountPoint.getPathString());
SubprocessBuilder processBuilder = new SubprocessBuilder();
processBuilder.setArgv(argvBuilder.build());
processBuilder.setStderr(logFile.getPathFile());
processBuilder.setEnv(ImmutableMap.of(
// sandboxfs may need to locate fusermount depending on the FUSE implementation so pass the
// PATH to the subprocess (which we assume is sufficient).
"PATH", System.getenv("PATH")));
Subprocess process = processBuilder.start();
RealSandboxfsProcess sandboxfs = new RealSandboxfsProcess(mountPoint, process);
// TODO(jmmv): We should have a better mechanism to wait for sandboxfs to start successfully but
// sandboxfs currently provides no interface to do so. Just try to push an empty configuration
// and see if it works.
try {
sandboxfs.reconfigure("[]\n\n");
} catch (IOException e) {
destroyProcess(process);
throw new IOException("sandboxfs failed to start", e);
}
return sandboxfs;
}
@Override
public Path getMountPoint() {
return mountPoint;
}
@Override
public boolean isAlive() {
return process != null && !process.finished();
}
/**
* Destroys a process and waits for it to exit.
*
* @param process the process to destroy.
*/
// TODO(jmmv): This is adapted from Worker.java. Should probably replace both with a new variant
// of Uninterruptibles.callUninterruptibly that takes a lambda instead of a callable.
private static void destroyProcess(Subprocess process) {
process.destroy();
boolean interrupted = false;
try {
while (true) {
try {
process.waitFor();
return;
} catch (InterruptedException ie) {
interrupted = true;
}
}
} finally {
if (interrupted) {
Thread.currentThread().interrupt();
}
}
}
@Override
public synchronized void destroy() {
if (shutdownHook != null) {
Runtime.getRuntime().removeShutdownHook(shutdownHook);
shutdownHook = null;
}
if (processStdIn != null) {
try {
processStdIn.close();
} catch (IOException e) {
log.warning("Failed to close sandboxfs's stdin pipe: " + e);
}
processStdIn = null;
}
if (processStdOut != null) {
try {
processStdOut.close();
} catch (IOException e) {
log.warning("Failed to close sandboxfs's stdout pipe: " + e);
}
processStdOut = null;
}
if (process != null) {
destroyProcess(process);
process = null;
}
}
/**
* Pushes a new configuration to sandboxfs and waits for acceptance.
*
* @param config the configuration chunk to push to sandboxfs
* @throws IOException if sandboxfs cannot be reconfigured either because of an error in the
* configuration or because we failed to communicate with the subprocess
*/
private synchronized void reconfigure(String config) throws IOException {
checkNotNull(processStdIn, "sandboxfs already has been destroyed");
processStdIn.write(config);
processStdIn.flush();
checkNotNull(processStdOut, "sandboxfs has already been destroyed");
String done = processStdOut.readLine();
if (done == null) {
throw new IOException("premature end of output from sandboxfs");
}
if (!done.equals("Done")) {
throw new IOException("received unknown string from sandboxfs: " + done + "; expected Done");
}
}
@Override
public void map(List<Mapping> mappings) throws IOException {
Function<Mapping, String> formatMapping =
(mapping) -> String.format(
"{\"Map\": {\"Mapping\": \"%s\", \"Target\": \"%s\", \"Writable\": %s}}",
mapping.path(), mapping.target(), mapping.writable() ? "true" : "false");
StringBuilder sb = new StringBuilder();
sb.append("[\n");
sb.append(mappings.stream().map(formatMapping).collect(Collectors.joining(",\n")));
sb.append("]\n\n");
reconfigure(sb.toString());
}
@Override
public void unmap(PathFragment mapping) throws IOException {
reconfigure(String.format("[{\"Unmap\": \"%s\"}]\n\n", mapping));
}
}
|
