nsjail support verification should respect BUILD_BROKEN* flag for SrcDir

This ensures that soong_ui is successful in setting up its own nsjail in
workflows that externally make the source tree ReadOnly (e.g. a nested
nsjail in multitree).

Test: TH
Change-Id: I6d0ec4a9fffda1d4e5996f475da611e1deb0888d

ui/build/sandbox_config.go

@@ -27,6 +27,15 @@ func (sc *SandboxConfig) SrcDirIsRO() bool {
 	return sc.srcDirIsRO
 }
 
+// Return the mount flag of the source directory in the nsjail command
+func (sc *SandboxConfig) SrcDirMountFlag() string {
+	ret := "-B" // Read-write
+	if sc.SrcDirIsRO() {
+		ret = "-R" // Read-only
+	}
+	return ret
+}
+
 func (sc *SandboxConfig) SetSrcDirRWAllowlist(allowlist []string) {
 	sc.srcDirRWAllowlist = allowlist
 }

ui/build/sandbox_linux.go

@@ -101,7 +101,7 @@ func (c *Cmd) sandboxSupported() bool {
 			// srcDir is /tmp/.* in integration tests, which is a child dir of /tmp
 			// nsjail throws an error if a child dir is mounted before its parent
 			"-B", "/tmp",
-			"-B", sandboxConfig.srcDir,
+			c.config.sandboxConfig.SrcDirMountFlag(), sandboxConfig.srcDir,
 			"-B", sandboxConfig.outDir,
 		}
 
@@ -148,13 +148,6 @@ func (c *Cmd) sandboxSupported() bool {
 func (c *Cmd) wrapSandbox() {
 	wd, _ := os.Getwd()
 
-	var srcDirMountFlag string
-	if c.config.sandboxConfig.SrcDirIsRO() {
-		srcDirMountFlag = "-R"
-	} else {
-		srcDirMountFlag = "-B" //Read-Write
-	}
-
 	sandboxArgs := []string{
 		// The executable to run
 		"-x", c.Path,
@@ -195,7 +188,7 @@ func (c *Cmd) wrapSandbox() {
 		"-B", "/tmp",
 
 		// Mount source
-		srcDirMountFlag, sandboxConfig.srcDir,
+		c.config.sandboxConfig.SrcDirMountFlag(), sandboxConfig.srcDir,
 
 		//Mount out dir as read-write
 		"-B", sandboxConfig.outDir,