Loading android/rule_builder.go +10 −0 Original line number Diff line number Diff line Loading @@ -580,6 +580,16 @@ func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString b }) } // Set OUT_DIR to the relative path of the sandboxed out directory. // Otherwise, OUT_DIR will be inherited from the rest of the build, // which will allow scripts to escape the sandbox if OUT_DIR is an // absolute path. command.Env = append(command.Env, &sbox_proto.EnvironmentVariable{ Name: proto.String("OUT_DIR"), State: &sbox_proto.EnvironmentVariable_Value{ Value: sboxOutSubDir, }, }) command.Chdir = proto.Bool(true) } Loading cmd/sbox/sbox.go +51 −0 Original line number Diff line number Diff line Loading @@ -27,6 +27,7 @@ import ( "os" "os/exec" "path/filepath" "regexp" "strconv" "strings" "time" Loading @@ -51,6 +52,8 @@ const ( sandboxDirPlaceholder = "__SBOX_SANDBOX_DIR__" ) var envVarNameRegex = regexp.MustCompile("^[a-zA-Z0-9_-]+$") func init() { flag.StringVar(&sandboxesRoot, "sandbox-path", "", "root of temp directory to put the sandbox into") Loading Loading 
@@ -238,6 +241,48 @@ func readManifest(file string) (*sbox_proto.Manifest, error) { return &manifest, nil } func createEnv(command *sbox_proto.Command) ([]string, error) { env := []string{} if command.DontInheritEnv == nil || !*command.DontInheritEnv { env = os.Environ() } for _, envVar := range command.Env { if envVar.Name == nil || !envVarNameRegex.MatchString(*envVar.Name) { name := "nil" if envVar.Name != nil { name = *envVar.Name } return nil, fmt.Errorf("Invalid environment variable name: %q", name) } if envVar.State == nil { return nil, fmt.Errorf("Must set state") } switch state := envVar.State.(type) { case *sbox_proto.EnvironmentVariable_Value: env = append(env, *envVar.Name+"="+state.Value) case *sbox_proto.EnvironmentVariable_Unset: if !state.Unset { return nil, fmt.Errorf("Can't have unset set to false") } prefix := *envVar.Name + "=" for i := 0; i < len(env); i++ { if strings.HasPrefix(env[i], prefix) { env = append(env[:i], env[i+1:]...) i-- } } case *sbox_proto.EnvironmentVariable_Inherit: if !state.Inherit { return nil, fmt.Errorf("Can't have inherit set to false") } env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name)) default: return nil, fmt.Errorf("Unhandled state type") } } return env, nil } // runCommand runs a single command from a manifest. If the command references the // __SBOX_DEPFILE__ placeholder it returns the name of the depfile that was used. func runCommand(command *sbox_proto.Command, tempDir string, commandIndex int) (depFile string, err error) { Loading Loading @@ -313,6 +358,12 @@ func runCommand(command *sbox_proto.Command, tempDir string, commandIndex int) ( return "", fmt.Errorf("Failed to update PATH: %w", err) } } cmd.Env, err = createEnv(command) if err != nil { return "", err } err = cmd.Run() if err != nil { Loading cmd/sbox/sbox_proto/sbox.pb.go +210 −47 Original line number Diff line number Diff line Loading 
@@ -14,8 +14,8 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.26.0 // protoc v3.9.1 // protoc-gen-go v1.33.0 // protoc v3.21.12 // source: sbox.proto package sbox_proto Loading Loading @@ -116,6 +116,13 @@ type Command struct { // A list of files that will be copied before the sandboxed command, and whose contents should be // copied as if they were listed in copy_before. RspFiles []*RspFile `protobuf:"bytes,6,rep,name=rsp_files,json=rspFiles" json:"rsp_files,omitempty"` // The environment variables that will be set or unset while running the command. // Also see dont_inherit_env. Env []*EnvironmentVariable `protobuf:"bytes,7,rep,name=env" json:"env,omitempty"` // By default, all environment variables are inherited from the calling process, but may be // replaced or unset by env. If dont_inherit_env is set, no environment variables will be // inherited, and instead only the variables in env will be defined. DontInheritEnv *bool `protobuf:"varint,8,opt,name=dont_inherit_env,json=dontInheritEnv" json:"dont_inherit_env,omitempty"` } func (x *Command) Reset() { Loading Loading 
@@ -192,6 +199,129 @@ func (x *Command) GetRspFiles() []*RspFile { return nil } func (x *Command) GetEnv() []*EnvironmentVariable { if x != nil { return x.Env } return nil } func (x *Command) GetDontInheritEnv() bool { if x != nil && x.DontInheritEnv != nil { return *x.DontInheritEnv } return false } type EnvironmentVariable struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields // The name of the environment variable Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` // Types that are assignable to State: // // *EnvironmentVariable_Value // *EnvironmentVariable_Unset // *EnvironmentVariable_Inherit State isEnvironmentVariable_State `protobuf_oneof:"state"` } func (x *EnvironmentVariable) Reset() { *x = EnvironmentVariable{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *EnvironmentVariable) String() string { return protoimpl.X.MessageStringOf(x) } func (*EnvironmentVariable) ProtoMessage() {} func (x *EnvironmentVariable) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use EnvironmentVariable.ProtoReflect.Descriptor instead. 
func (*EnvironmentVariable) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{2} } func (x *EnvironmentVariable) GetName() string { if x != nil && x.Name != nil { return *x.Name } return "" } func (m *EnvironmentVariable) GetState() isEnvironmentVariable_State { if m != nil { return m.State } return nil } func (x *EnvironmentVariable) GetValue() string { if x, ok := x.GetState().(*EnvironmentVariable_Value); ok { return x.Value } return "" } func (x *EnvironmentVariable) GetUnset() bool { if x, ok := x.GetState().(*EnvironmentVariable_Unset); ok { return x.Unset } return false } func (x *EnvironmentVariable) GetInherit() bool { if x, ok := x.GetState().(*EnvironmentVariable_Inherit); ok { return x.Inherit } return false } type isEnvironmentVariable_State interface { isEnvironmentVariable_State() } type EnvironmentVariable_Value struct { // The value to set the environment variable to. Value string `protobuf:"bytes,2,opt,name=value,oneof"` } type EnvironmentVariable_Unset struct { // This environment variable should be unset in the command. Unset bool `protobuf:"varint,3,opt,name=unset,oneof"` } type EnvironmentVariable_Inherit struct { // This environment variable should be inherited from the parent process. // Can be combined with dont_inherit_env to only inherit certain environment // variables. Inherit bool `protobuf:"varint,4,opt,name=inherit,oneof"` } func (*EnvironmentVariable_Value) isEnvironmentVariable_State() {} func (*EnvironmentVariable_Unset) isEnvironmentVariable_State() {} func (*EnvironmentVariable_Inherit) isEnvironmentVariable_State() {} // Copy describes a from-to pair of files to copy. The paths may be relative, the root that they // are relative to is specific to the context the Copy is used in and will be different for // from and to. Loading 
@@ -209,7 +339,7 @@ type Copy struct { func (x *Copy) Reset() { *x = Copy{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[2] mi := &file_sbox_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } Loading @@ -222,7 +352,7 @@ func (x *Copy) String() string { func (*Copy) ProtoMessage() {} func (x *Copy) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[2] mi := &file_sbox_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { Loading @@ -235,7 +365,7 @@ func (x *Copy) ProtoReflect() protoreflect.Message { // Deprecated: Use Copy.ProtoReflect.Descriptor instead. func (*Copy) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{2} return file_sbox_proto_rawDescGZIP(), []int{3} } func (x *Copy) GetFrom() string { Loading Loading @@ -274,7 +404,7 @@ type RspFile struct { func (x *RspFile) Reset() { *x = RspFile{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[3] mi := &file_sbox_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } Loading @@ -287,7 +417,7 @@ func (x *RspFile) String() string { func (*RspFile) ProtoMessage() {} func (x *RspFile) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[3] mi := &file_sbox_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { Loading @@ -300,7 +430,7 @@ func (x *RspFile) ProtoReflect() protoreflect.Message { // Deprecated: Use RspFile.ProtoReflect.Descriptor instead. func (*RspFile) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{3} return file_sbox_proto_rawDescGZIP(), []int{4} } func (x *RspFile) GetFile() string { Loading Loading 
@@ -330,7 +460,7 @@ type PathMapping struct { func (x *PathMapping) Reset() { *x = PathMapping{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[4] mi := &file_sbox_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } Loading @@ -343,7 +473,7 @@ func (x *PathMapping) String() string { func (*PathMapping) ProtoMessage() {} func (x *PathMapping) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[4] mi := &file_sbox_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { Loading @@ -356,7 +486,7 @@ func (x *PathMapping) ProtoReflect() protoreflect.Message { // Deprecated: Use PathMapping.ProtoReflect.Descriptor instead. func (*PathMapping) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{4} return file_sbox_proto_rawDescGZIP(), []int{5} } func (x *PathMapping) GetFrom() string { Loading @@ -383,7 +513,7 @@ var file_sbox_proto_rawDesc = []byte{ 0x08, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x64, 0x65, 0x70, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x44, 0x65, 0x70, 0x66, 0x69, 0x6c, 0x65, 0x22, 0xdc, 0x01, 0x0a, 0x07, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x12, 0x2b, 0x0a, 0x0b, 0x22, 0xb3, 0x02, 0x0a, 0x07, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x12, 0x2b, 0x0a, 0x0b, 0x63, 0x6f, 0x70, 0x79, 0x5f, 0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x43, 0x6f, 0x70, 0x79, 0x52, 0x0a, 0x63, 0x6f, 0x70, 0x79, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x68, 0x64, Loading 
@@ -396,23 +526,37 @@ var file_sbox_proto_rawDesc = []byte{ 0x73, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x2a, 0x0a, 0x09, 0x72, 0x73, 0x70, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x52, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x52, 0x08, 0x72, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x4a, 0x0a, 0x04, 0x43, 0x6f, 0x70, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x12, 0x1e, 0x0a, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x22, 0x55, 0x0a, 0x07, 0x52, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x36, 0x0a, 0x0d, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0c, 0x70, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x31, 0x0a, 0x0b, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x42, 0x23, 0x5a, 0x21, 0x61, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x2f, 0x73, 0x6f, 0x6f, 0x6e, 0x67, 0x2f, 0x63, 0x6d, 0x64, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x52, 0x08, 0x72, 0x73, 
0x70, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x2b, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x56, 0x61, 0x72, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x12, 0x28, 0x0a, 0x10, 0x64, 0x6f, 0x6e, 0x74, 0x5f, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x65, 0x6e, 0x76, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x64, 0x6f, 0x6e, 0x74, 0x49, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x45, 0x6e, 0x76, 0x22, 0x7e, 0x0a, 0x13, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x56, 0x61, 0x72, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x16, 0x0a, 0x05, 0x75, 0x6e, 0x73, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x05, 0x75, 0x6e, 0x73, 0x65, 0x74, 0x12, 0x1a, 0x0a, 0x07, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x07, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x42, 0x07, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x4a, 0x0a, 0x04, 0x43, 0x6f, 0x70, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x12, 0x1e, 0x0a, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x22, 0x55, 0x0a, 0x07, 0x52, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x36, 0x0a, 0x0d, 0x70, 
0x61, 0x74, 0x68, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0c, 0x70, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x31, 0x0a, 0x0b, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x42, 0x23, 0x5a, 0x21, 0x61, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x2f, 0x73, 0x6f, 0x6f, 0x6e, 0x67, 0x2f, 0x63, 0x6d, 0x64, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, } var ( Loading 
@@ -427,25 +571,27 @@ func file_sbox_proto_rawDescGZIP() []byte { return file_sbox_proto_rawDescData } var file_sbox_proto_msgTypes = make([]protoimpl.MessageInfo, 5) var file_sbox_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_sbox_proto_goTypes = []interface{}{ (*Manifest)(nil), // 0: sbox.Manifest (*Command)(nil), // 1: sbox.Command (*Copy)(nil), // 2: sbox.Copy (*RspFile)(nil), // 3: sbox.RspFile (*PathMapping)(nil), // 4: sbox.PathMapping (*EnvironmentVariable)(nil), // 2: sbox.EnvironmentVariable (*Copy)(nil), // 3: sbox.Copy (*RspFile)(nil), // 4: sbox.RspFile (*PathMapping)(nil), // 5: sbox.PathMapping } var file_sbox_proto_depIdxs = []int32{ 1, // 0: sbox.Manifest.commands:type_name -> sbox.Command 2, // 1: sbox.Command.copy_before:type_name -> sbox.Copy 2, // 2: sbox.Command.copy_after:type_name -> sbox.Copy 3, // 3: sbox.Command.rsp_files:type_name -> sbox.RspFile 4, // 4: sbox.RspFile.path_mappings:type_name -> sbox.PathMapping 5, // [5:5] is the sub-list for method output_type 5, // [5:5] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name 5, // [5:5] is the sub-list for extension extendee 0, // [0:5] is the sub-list for field type_name 3, // 1: sbox.Command.copy_before:type_name -> sbox.Copy 3, // 2: sbox.Command.copy_after:type_name -> sbox.Copy 4, // 3: sbox.Command.rsp_files:type_name -> sbox.RspFile 2, // 4: sbox.Command.env:type_name -> sbox.EnvironmentVariable 5, // 5: sbox.RspFile.path_mappings:type_name -> sbox.PathMapping 6, // [6:6] is the sub-list for method output_type 6, // [6:6] is the sub-list for method input_type 6, // [6:6] is the sub-list for extension type_name 6, // [6:6] is the sub-list for extension extendee 0, // [0:6] is the sub-list for field type_name } func init() { file_sbox_proto_init() } Loading Loading 
@@ -479,7 +625,7 @@ func file_sbox_proto_init() { } } file_sbox_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Copy); i { switch v := v.(*EnvironmentVariable); i { case 0: return &v.state case 1: Loading @@ -491,7 +637,7 @@ func file_sbox_proto_init() { } } file_sbox_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RspFile); i { switch v := v.(*Copy); i { case 0: return &v.state case 1: Loading @@ -503,6 +649,18 @@ func file_sbox_proto_init() { } } file_sbox_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RspFile); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_sbox_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*PathMapping); i { case 0: return &v.state Loading @@ -515,13 +673,18 @@ func file_sbox_proto_init() { } } } file_sbox_proto_msgTypes[2].OneofWrappers = []interface{}{ (*EnvironmentVariable_Value)(nil), (*EnvironmentVariable_Unset)(nil), (*EnvironmentVariable_Inherit)(nil), } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sbox_proto_rawDesc, NumEnums: 0, NumMessages: 5, NumMessages: 6, NumExtensions: 0, NumServices: 0, }, Loading cmd/sbox/sbox_proto/sbox.proto +24 −0 Original line number Diff line number Diff line Loading 
@@ -51,6 +51,30 @@ message Command { // A list of files that will be copied before the sandboxed command, and whose contents should be // copied as if they were listed in copy_before. repeated RspFile rsp_files = 6; // The environment variables that will be set or unset while running the command. // Also see dont_inherit_env. repeated EnvironmentVariable env = 7; // By default, all environment variables are inherited from the calling process, but may be // replaced or unset by env. If dont_inherit_env is set, no environment variables will be // inherited, and instead only the variables in env will be defined. optional bool dont_inherit_env = 8; } message EnvironmentVariable { // The name of the environment variable required string name = 1; oneof state { // The value to set the environment variable to. string value = 2; // This environment variable should be unset in the command. bool unset = 3; // This environment variable should be inherited from the parent process. // Can be combined with dont_inherit_env to only inherit certain environment // variables. bool inherit = 4; } } // Copy describes a from-to pair of files to copy. The paths may be relative, the root that they Loading Loading
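Review bot: The comments on `unset` and `inherit` in the `state` oneof do not say that only `true` is accepted, yet createEnv in cmd/sbox/sbox.go returns an error when either field is set to `false`. A oneof bool can be set to false explicitly, so a manifest writer cannot learn this restriction from the schema. I would extend both comments, for example `// Must be true; sbox rejects the manifest if this is set to false.` The comment on `env` could also state that entries are applied in list order, since the createEnv loop processes them sequentially and an `unset` only removes what earlier entries or the inherited environment put there.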
android/rule_builder.go +10 −0 Original line number Diff line number Diff line Loading @@ -580,6 +580,16 @@ func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString b }) } // Set OUT_DIR to the relative path of the sandboxed out directory. // Otherwise, OUT_DIR will be inherited from the rest of the build, // which will allow scripts to escape the sandbox if OUT_DIR is an // absolute path. command.Env = append(command.Env, &sbox_proto.EnvironmentVariable{ Name: proto.String("OUT_DIR"), State: &sbox_proto.EnvironmentVariable_Value{ Value: sboxOutSubDir, }, }) command.Chdir = proto.Bool(true) } Loading
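Review bot: The new comment explains why OUT_DIR must not be absolute, but not that a relative value is only safe together with `command.Chdir = proto.Bool(true)` on the line right after the append. I would add a sentence such as `// Relies on Chdir being set below so the relative path is resolved from the sandbox directory.` so the two settings are not separated by a later edit. Only OUT_DIR is pinned here and dont_inherit_env is not set in this hunk, so other inherited variables that carry absolute paths presumably still reach the command. The comment could say that this closes one variable rather than the environment as a whole. The enclosing block of build() starts outside the hunk.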
cmd/sbox/sbox.go +51 −0 Original line number Diff line number Diff line Loading @@ -27,6 +27,7 @@ import ( "os" "os/exec" "path/filepath" "regexp" "strconv" "strings" "time" Loading @@ -51,6 +52,8 @@ const ( sandboxDirPlaceholder = "__SBOX_SANDBOX_DIR__" ) var envVarNameRegex = regexp.MustCompile("^[a-zA-Z0-9_-]+$") func init() { flag.StringVar(&sandboxesRoot, "sandbox-path", "", "root of temp directory to put the sandbox into") Loading Loading @@ -238,6 +241,48 @@ func readManifest(file string) (*sbox_proto.Manifest, error) { return &manifest, nil } func createEnv(command *sbox_proto.Command) ([]string, error) { env := []string{} if command.DontInheritEnv == nil || !*command.DontInheritEnv { env = os.Environ() } for _, envVar := range command.Env { if envVar.Name == nil || !envVarNameRegex.MatchString(*envVar.Name) { name := "nil" if envVar.Name != nil { name = *envVar.Name } return nil, fmt.Errorf("Invalid environment variable name: %q", name) } if envVar.State == nil { return nil, fmt.Errorf("Must set state") } switch state := envVar.State.(type) { case *sbox_proto.EnvironmentVariable_Value: env = append(env, *envVar.Name+"="+state.Value) case *sbox_proto.EnvironmentVariable_Unset: if !state.Unset { return nil, fmt.Errorf("Can't have unset set to false") } prefix := *envVar.Name + "=" for i := 0; i < len(env); i++ { if strings.HasPrefix(env[i], prefix) { env = append(env[:i], env[i+1:]...) i-- } } case *sbox_proto.EnvironmentVariable_Inherit: if !state.Inherit { return nil, fmt.Errorf("Can't have inherit set to false") } env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name)) default: return nil, fmt.Errorf("Unhandled state type") } } return env, nil } // runCommand runs a single command from a manifest. If the command references the // __SBOX_DEPFILE__ placeholder it returns the name of the depfile that was used. func runCommand(command *sbox_proto.Command, tempDir string, commandIndex int) (depFile string, err error) { Loading Loading 
@@ -313,6 +358,12 @@ func runCommand(command *sbox_proto.Command, tempDir string, commandIndex int) ( return "", fmt.Errorf("Failed to update PATH: %w", err) } } cmd.Env, err = createEnv(command) if err != nil { return "", err } err = cmd.Run() if err != nil { Loading
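Review bot: In createEnv, the `EnvironmentVariable_Inherit` case appends `*envVar.Name+"="+os.Getenv(*envVar.Name)`, so a variable that is not set in the parent reaches the sandboxed command as defined-but-empty instead of absent. Tools that test for presence rather than content will then behave differently inside the sandbox than outside it. Use `if v, ok := os.LookupEnv(*envVar.Name); ok { env = append(env, *envVar.Name+"="+v) }` instead. The Value case appends without removing an inherited entry of the same name and so depends on os/exec using the last duplicate in Env; a one-line comment saying so would keep a later refactor from silently breaking the OUT_DIR override. createEnv also has no doc comment, unlike runCommand directly below it.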
cmd/sbox/sbox_proto/sbox.pb.go +210 −47 Original line number Diff line number Diff line Loading @@ -14,8 +14,8 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.26.0 // protoc v3.9.1 // protoc-gen-go v1.33.0 // protoc v3.21.12 // source: sbox.proto package sbox_proto Loading Loading @@ -116,6 +116,13 @@ type Command struct { // A list of files that will be copied before the sandboxed command, and whose contents should be // copied as if they were listed in copy_before. RspFiles []*RspFile `protobuf:"bytes,6,rep,name=rsp_files,json=rspFiles" json:"rsp_files,omitempty"` // The environment variables that will be set or unset while running the command. // Also see dont_inherit_env. Env []*EnvironmentVariable `protobuf:"bytes,7,rep,name=env" json:"env,omitempty"` // By default, all environment variables are inherited from the calling process, but may be // replaced or unset by env. If dont_inherit_env is set, no environment variables will be // inherited, and instead only the variables in env will be defined. DontInheritEnv *bool `protobuf:"varint,8,opt,name=dont_inherit_env,json=dontInheritEnv" json:"dont_inherit_env,omitempty"` } func (x *Command) Reset() { Loading Loading 
@@ -192,6 +199,129 @@ func (x *Command) GetRspFiles() []*RspFile { return nil } func (x *Command) GetEnv() []*EnvironmentVariable { if x != nil { return x.Env } return nil } func (x *Command) GetDontInheritEnv() bool { if x != nil && x.DontInheritEnv != nil { return *x.DontInheritEnv } return false } type EnvironmentVariable struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields // The name of the environment variable Name *string `protobuf:"bytes,1,req,name=name" json:"name,omitempty"` // Types that are assignable to State: // // *EnvironmentVariable_Value // *EnvironmentVariable_Unset // *EnvironmentVariable_Inherit State isEnvironmentVariable_State `protobuf_oneof:"state"` } func (x *EnvironmentVariable) Reset() { *x = EnvironmentVariable{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *EnvironmentVariable) String() string { return protoimpl.X.MessageStringOf(x) } func (*EnvironmentVariable) ProtoMessage() {} func (x *EnvironmentVariable) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use EnvironmentVariable.ProtoReflect.Descriptor instead. 
func (*EnvironmentVariable) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{2} } func (x *EnvironmentVariable) GetName() string { if x != nil && x.Name != nil { return *x.Name } return "" } func (m *EnvironmentVariable) GetState() isEnvironmentVariable_State { if m != nil { return m.State } return nil } func (x *EnvironmentVariable) GetValue() string { if x, ok := x.GetState().(*EnvironmentVariable_Value); ok { return x.Value } return "" } func (x *EnvironmentVariable) GetUnset() bool { if x, ok := x.GetState().(*EnvironmentVariable_Unset); ok { return x.Unset } return false } func (x *EnvironmentVariable) GetInherit() bool { if x, ok := x.GetState().(*EnvironmentVariable_Inherit); ok { return x.Inherit } return false } type isEnvironmentVariable_State interface { isEnvironmentVariable_State() } type EnvironmentVariable_Value struct { // The value to set the environment variable to. Value string `protobuf:"bytes,2,opt,name=value,oneof"` } type EnvironmentVariable_Unset struct { // This environment variable should be unset in the command. Unset bool `protobuf:"varint,3,opt,name=unset,oneof"` } type EnvironmentVariable_Inherit struct { // This environment variable should be inherited from the parent process. // Can be combined with dont_inherit_env to only inherit certain environment // variables. Inherit bool `protobuf:"varint,4,opt,name=inherit,oneof"` } func (*EnvironmentVariable_Value) isEnvironmentVariable_State() {} func (*EnvironmentVariable_Unset) isEnvironmentVariable_State() {} func (*EnvironmentVariable_Inherit) isEnvironmentVariable_State() {} // Copy describes a from-to pair of files to copy. The paths may be relative, the root that they // are relative to is specific to the context the Copy is used in and will be different for // from and to. Loading 
@@ -209,7 +339,7 @@ type Copy struct { func (x *Copy) Reset() { *x = Copy{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[2] mi := &file_sbox_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } Loading @@ -222,7 +352,7 @@ func (x *Copy) String() string { func (*Copy) ProtoMessage() {} func (x *Copy) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[2] mi := &file_sbox_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { Loading @@ -235,7 +365,7 @@ func (x *Copy) ProtoReflect() protoreflect.Message { // Deprecated: Use Copy.ProtoReflect.Descriptor instead. func (*Copy) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{2} return file_sbox_proto_rawDescGZIP(), []int{3} } func (x *Copy) GetFrom() string { Loading Loading @@ -274,7 +404,7 @@ type RspFile struct { func (x *RspFile) Reset() { *x = RspFile{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[3] mi := &file_sbox_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } Loading @@ -287,7 +417,7 @@ func (x *RspFile) String() string { func (*RspFile) ProtoMessage() {} func (x *RspFile) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[3] mi := &file_sbox_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { Loading @@ -300,7 +430,7 @@ func (x *RspFile) ProtoReflect() protoreflect.Message { // Deprecated: Use RspFile.ProtoReflect.Descriptor instead. func (*RspFile) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{3} return file_sbox_proto_rawDescGZIP(), []int{4} } func (x *RspFile) GetFile() string { Loading Loading 
@@ -330,7 +460,7 @@ type PathMapping struct { func (x *PathMapping) Reset() { *x = PathMapping{} if protoimpl.UnsafeEnabled { mi := &file_sbox_proto_msgTypes[4] mi := &file_sbox_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } Loading @@ -343,7 +473,7 @@ func (x *PathMapping) String() string { func (*PathMapping) ProtoMessage() {} func (x *PathMapping) ProtoReflect() protoreflect.Message { mi := &file_sbox_proto_msgTypes[4] mi := &file_sbox_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { Loading @@ -356,7 +486,7 @@ func (x *PathMapping) ProtoReflect() protoreflect.Message { // Deprecated: Use PathMapping.ProtoReflect.Descriptor instead. func (*PathMapping) Descriptor() ([]byte, []int) { return file_sbox_proto_rawDescGZIP(), []int{4} return file_sbox_proto_rawDescGZIP(), []int{5} } func (x *PathMapping) GetFrom() string { Loading @@ -383,7 +513,7 @@ var file_sbox_proto_rawDesc = []byte{ 0x08, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x64, 0x65, 0x70, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x44, 0x65, 0x70, 0x66, 0x69, 0x6c, 0x65, 0x22, 0xdc, 0x01, 0x0a, 0x07, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x12, 0x2b, 0x0a, 0x0b, 0x22, 0xb3, 0x02, 0x0a, 0x07, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x12, 0x2b, 0x0a, 0x0b, 0x63, 0x6f, 0x70, 0x79, 0x5f, 0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x43, 0x6f, 0x70, 0x79, 0x52, 0x0a, 0x63, 0x6f, 0x70, 0x79, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x68, 0x64, Loading 
@@ -396,23 +526,37 @@ var file_sbox_proto_rawDesc = []byte{ 0x73, 0x68, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x69, 0x6e, 0x70, 0x75, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x2a, 0x0a, 0x09, 0x72, 0x73, 0x70, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x52, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x52, 0x08, 0x72, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x4a, 0x0a, 0x04, 0x43, 0x6f, 0x70, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x12, 0x1e, 0x0a, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x22, 0x55, 0x0a, 0x07, 0x52, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x36, 0x0a, 0x0d, 0x70, 0x61, 0x74, 0x68, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0c, 0x70, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x31, 0x0a, 0x0b, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x42, 0x23, 0x5a, 0x21, 0x61, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x2f, 0x73, 0x6f, 0x6f, 0x6e, 0x67, 0x2f, 0x63, 0x6d, 0x64, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x52, 0x08, 0x72, 0x73, 
0x70, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x12, 0x2b, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x56, 0x61, 0x72, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x12, 0x28, 0x0a, 0x10, 0x64, 0x6f, 0x6e, 0x74, 0x5f, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x5f, 0x65, 0x6e, 0x76, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x64, 0x6f, 0x6e, 0x74, 0x49, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x45, 0x6e, 0x76, 0x22, 0x7e, 0x0a, 0x13, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x56, 0x61, 0x72, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x16, 0x0a, 0x05, 0x75, 0x6e, 0x73, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x05, 0x75, 0x6e, 0x73, 0x65, 0x74, 0x12, 0x1a, 0x0a, 0x07, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x07, 0x69, 0x6e, 0x68, 0x65, 0x72, 0x69, 0x74, 0x42, 0x07, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x4a, 0x0a, 0x04, 0x43, 0x6f, 0x70, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x12, 0x1e, 0x0a, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x65, 0x78, 0x65, 0x63, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x22, 0x55, 0x0a, 0x07, 0x52, 0x73, 0x70, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x36, 0x0a, 0x0d, 0x70, 
0x61, 0x74, 0x68, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x73, 0x62, 0x6f, 0x78, 0x2e, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x0c, 0x70, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x31, 0x0a, 0x0b, 0x50, 0x61, 0x74, 0x68, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x02, 0x28, 0x09, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x02, 0x20, 0x02, 0x28, 0x09, 0x52, 0x02, 0x74, 0x6f, 0x42, 0x23, 0x5a, 0x21, 0x61, 0x6e, 0x64, 0x72, 0x6f, 0x69, 0x64, 0x2f, 0x73, 0x6f, 0x6f, 0x6e, 0x67, 0x2f, 0x63, 0x6d, 0x64, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x2f, 0x73, 0x62, 0x6f, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, } var ( Loading 
@@ -427,25 +571,27 @@ func file_sbox_proto_rawDescGZIP() []byte { return file_sbox_proto_rawDescData } var file_sbox_proto_msgTypes = make([]protoimpl.MessageInfo, 5) var file_sbox_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_sbox_proto_goTypes = []interface{}{ (*Manifest)(nil), // 0: sbox.Manifest (*Command)(nil), // 1: sbox.Command (*Copy)(nil), // 2: sbox.Copy (*RspFile)(nil), // 3: sbox.RspFile (*PathMapping)(nil), // 4: sbox.PathMapping (*EnvironmentVariable)(nil), // 2: sbox.EnvironmentVariable (*Copy)(nil), // 3: sbox.Copy (*RspFile)(nil), // 4: sbox.RspFile (*PathMapping)(nil), // 5: sbox.PathMapping } var file_sbox_proto_depIdxs = []int32{ 1, // 0: sbox.Manifest.commands:type_name -> sbox.Command 2, // 1: sbox.Command.copy_before:type_name -> sbox.Copy 2, // 2: sbox.Command.copy_after:type_name -> sbox.Copy 3, // 3: sbox.Command.rsp_files:type_name -> sbox.RspFile 4, // 4: sbox.RspFile.path_mappings:type_name -> sbox.PathMapping 5, // [5:5] is the sub-list for method output_type 5, // [5:5] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name 5, // [5:5] is the sub-list for extension extendee 0, // [0:5] is the sub-list for field type_name 3, // 1: sbox.Command.copy_before:type_name -> sbox.Copy 3, // 2: sbox.Command.copy_after:type_name -> sbox.Copy 4, // 3: sbox.Command.rsp_files:type_name -> sbox.RspFile 2, // 4: sbox.Command.env:type_name -> sbox.EnvironmentVariable 5, // 5: sbox.RspFile.path_mappings:type_name -> sbox.PathMapping 6, // [6:6] is the sub-list for method output_type 6, // [6:6] is the sub-list for method input_type 6, // [6:6] is the sub-list for extension type_name 6, // [6:6] is the sub-list for extension extendee 0, // [0:6] is the sub-list for field type_name } func init() { file_sbox_proto_init() } Loading Loading 
@@ -479,7 +625,7 @@ func file_sbox_proto_init() { } } file_sbox_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Copy); i { switch v := v.(*EnvironmentVariable); i { case 0: return &v.state case 1: Loading @@ -491,7 +637,7 @@ func file_sbox_proto_init() { } } file_sbox_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RspFile); i { switch v := v.(*Copy); i { case 0: return &v.state case 1: Loading @@ -503,6 +649,18 @@ func file_sbox_proto_init() { } } file_sbox_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*RspFile); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_sbox_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*PathMapping); i { case 0: return &v.state Loading @@ -515,13 +673,18 @@ func file_sbox_proto_init() { } } } file_sbox_proto_msgTypes[2].OneofWrappers = []interface{}{ (*EnvironmentVariable_Value)(nil), (*EnvironmentVariable_Unset)(nil), (*EnvironmentVariable_Inherit)(nil), } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sbox_proto_rawDesc, NumEnums: 0, NumMessages: 5, NumMessages: 6, NumExtensions: 0, NumServices: 0, }, Loading
cmd/sbox/sbox_proto/sbox.proto +24 −0 Original line number Diff line number Diff line Loading @@ -51,6 +51,30 @@ message Command { // A list of files that will be copied before the sandboxed command, and whose contents should be // copied as if they were listed in copy_before. repeated RspFile rsp_files = 6; // The environment variables that will be set or unset while running the command. // Also see dont_inherit_env. repeated EnvironmentVariable env = 7; // By default, all environment variables are inherited from the calling process, but may be // replaced or unset by env. If dont_inherit_env is set, no environment variables will be // inherited, and instead only the variables in env will be defined. optional bool dont_inherit_env = 8; } message EnvironmentVariable { // The name of the environment variable required string name = 1; oneof state { // The value to set the environment variable to. string value = 2; // This environment variable should be unset in the command. bool unset = 3; // This environment variable should be inherited from the parent process. // Can be combined with dont_inherit_env to only inherit certain environment // variables. bool inherit = 4; } } // Copy describes a from-to pair of files to copy. The paths may be relative, the root that they Loading
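Review bot: The comments on `unset` and `inherit` in the new `EnvironmentVariable` message do not say that only `true` is meaningful, and nothing states that one member of `state` must be set or which characters `name` may contain. createEnv in cmd/sbox/sbox.go, added in the same commit, returns an error for a false `unset` or `inherit`, for a missing state, and for a name that does not match `^[a-zA-Z0-9_-]+$`, so a manifest writer reading only the .proto learns these rules from a failed build. I would add `// Must be true; sbox rejects false.` under both bool fields and `// Must match [a-zA-Z0-9_-]+.` under the name comment. It is also worth stating on `dont_inherit_env` that leaving it unset passes the caller's whole environment into the sandboxed command, since the rule_builder.go comment in this commit notes that an inherited absolute OUT_DIR lets scripts escape the sandbox.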