
Commit cc0bc1b3 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "Sandbox environment variables" into main am: 2f33c04a

parents e1b039d1 2f33c04a
+40 −10
@@ -463,6 +463,8 @@ func (r *RuleBuilder) Build(name string, desc string) {
	r.build(name, desc, true)
}

var sandboxEnvOnceKey = NewOnceKey("sandbox_environment_variables")

func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString bool) {
	name = ninjaNameEscape(name)

@@ -580,16 +582,44 @@ func (r *RuleBuilder) build(name string, desc string, ninjaEscapeCommandString b
				})
			}

			// Only allow the build to access certain environment variables
			command.DontInheritEnv = proto.Bool(true)
			command.Env = r.ctx.Config().Once(sandboxEnvOnceKey, func() interface{} {
				// The list of allowed variables was found by running builds of all
				// genrules and seeing what failed
				var result []*sbox_proto.EnvironmentVariable
				inheritedVars := []string{
					"PATH",
					"JAVA_HOME",
					"TMPDIR",
					// Allow RBE variables because the art tests invoke RBE manually
					"RBE_log_dir",
					"RBE_platform",
					"RBE_server_address",
					// TODO: RBE_exec_root is set to the absolute path to the root of the source
					// tree, which we don't want sandboxed actions to find. Remap it to ".".
					"RBE_exec_root",
				}
				for _, v := range inheritedVars {
					result = append(result, &sbox_proto.EnvironmentVariable{
						Name: proto.String(v),
						State: &sbox_proto.EnvironmentVariable_Inherit{
							Inherit: true,
						},
					})
				}
				// Set OUT_DIR to the relative path of the sandboxed out directory.
				// Otherwise, OUT_DIR will be inherited from the rest of the build,
				// which will allow scripts to escape the sandbox if OUT_DIR is an
				// absolute path.
			command.Env = append(command.Env, &sbox_proto.EnvironmentVariable{
				result = append(result, &sbox_proto.EnvironmentVariable{
					Name: proto.String("OUT_DIR"),
					State: &sbox_proto.EnvironmentVariable_Value{
						Value: sboxOutSubDir,
					},
				})
				return result
			}).([]*sbox_proto.EnvironmentVariable)
			command.Chdir = proto.Bool(true)
		}
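Review bot: The slice built inside the `Once` closure is cached on the config and assigned directly to `command.Env`, so every sandboxed command shares one backing array and the same `*sbox_proto.EnvironmentVariable` pointers. Nothing visible in this hunk writes to it afterwards, but `build` starts and ends outside the hunk, and a later `append(command.Env, ...)` or in-place edit would affect every rule and could race if rules are generated concurrently. To guard against the append case I would assign a copy, `command.Env = append([]*sbox_proto.EnvironmentVariable(nil), cached...)`, or at least add `// Shared across all rules; treat as read-only.` at the `Once` call. Since this list is the sandbox's environment allowlist, the comment above `inheritedVars` could also state that `PATH`, `JAVA_HOME` and `TMPDIR` are passed through with their host values, so someone auditing what reaches sandboxed actions sees it in one place.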

+4 −1
@@ -275,7 +275,10 @@ func createEnv(command *sbox_proto.Command) ([]string, error) {
			if !state.Inherit {
				return nil, fmt.Errorf("Can't have inherit set to false")
			}
			env = append(env, *envVar.Name+"="+os.Getenv(*envVar.Name))
			val, ok := os.LookupEnv(*envVar.Name)
			if ok {
				env = append(env, *envVar.Name+"="+val)
			}
		default:
			return nil, fmt.Errorf("Unhandled state type")
		}