android/rule_builder.go +40 −10 Original line number Diff line number Diff line Loading @@ -463,6 +463,8 @@ func (r *RuleBuilder) Build(name string, desc string) { r.build(name, desc, true) } var sandboxEnvOnceKey = NewOnceKey("sandbox_environment_variables") func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString bool) { name = ninjaNameEscape(name) Loading Loading @@ -580,16 +582,44 @@ func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString b }) } // Only allow the build to access certain environment variables command.DontInheritEnv = proto.Bool(true) command.Env = r.ctx.Config().Once(sandboxEnvOnceKey, func() interface{} { // The list of allowed variables was found by running builds of all // genrules and seeing what failed var result []*sbox_proto.EnvironmentVariable inheritedVars := []string{ "PATH", "JAVA_HOME", "TMPDIR", // Allow RBE variables because the art tests invoke RBE manually "RBE_log_dir", "RBE_platform", "RBE_server_address", // TODO: RBE_exec_root is set to the absolute path to the root of the source // tree, which we don't want sandboxed actions to find. Remap it to ".". "RBE_exec_root", } for _, v := range inheritedVars { result = append(result, &sbox_proto.EnvironmentVariable{ Name: proto.String(v), State: &sbox_proto.EnvironmentVariable_Inherit{ Inherit: true, }, }) } // Set OUT_DIR to the relative path of the sandboxed out directory. // Otherwise, OUT_DIR will be inherited from the rest of the build, // which will allow scripts to escape the sandbox if OUT_DIR is an // absolute path. command.Env = append(command.Env, &sbox_proto.EnvironmentVariable{ result = append(result, &sbox_proto.EnvironmentVariable{ Name: proto.String("OUT_DIR"), State: &sbox_proto.EnvironmentVariable_Value{ Value: sboxOutSubDir, }, }) return result }).([]*sbox_proto.EnvironmentVariable) command.Chdir = proto.Bool(true) } Loading
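Review bot: The `inheritedVars` allowlist passes `TMPDIR` and `RBE_exec_root` through unchanged, yet the comment a few lines below explains that an inherited absolute `OUT_DIR` lets scripts escape the sandbox; the same reasoning applies to any inherited variable that holds an absolute path. The TODO tracks `RBE_exec_root`, but nothing tracks `TMPDIR`, so I would add `// TODO: TMPDIR is inherited as-is; if it is absolute, sandboxed actions can reach paths outside the sandbox. Remap it to a directory under the sandbox.` next to that entry. Separately, the slice returned from `Once(sandboxEnvOnceKey, ...)` is now shared by every rule, so any later `append` to or mutation of `command.Env` would alias across rules; a comment on `sandboxEnvOnceKey` stating that the cached value is read-only would guard against that. The body of `build` starts and ends outside these hunks.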
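--- a/cmd/sbox/sbox.go
+++ b/cmd/sbox/sbox.go
@@ -275,7 +275,10 @@ func createEnv(command *sbox_proto.Command) ([]string, error) {
 if !state.Inherit {
 return nil, fmt.Errorf("Can't have inherit set to false")
 }
-env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name))
+val, ok := os.LookupEnv(*envVar.Name)
+if ok {
+env = append(env, *envVar.Name+"="+val)
+}
 default:
 return nil, fmt.Errorf("Unhandled state type")
 }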
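Review bot: The new `if ok` branch silently drops an allowlisted variable when it is unset in the parent, and nothing in the hunk says this is intended; a missing `PATH`, for example, would only surface later as a failure inside the sandboxed command. I would add a comment above the lookup such as `// Leave variables that are unset in the parent unset in the sandbox, rather than defining them as empty.` The branch also dereferences `*envVar.Name` directly, which panics if a manifest entry omits the name; the generated getter `envVar.GetName()` plus an empty-name check would turn that into a returned error. `createEnv` starts before and continues after this hunk.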