tequilaOS/platform_build_soong
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge changes I2e370952,I811cc8e1

Browse source 
* changes:
  Remove TEMPORARY_DISABLE_PATH_RESTRICTIONS
  nsjail: Always remount /tmp before src/out/dist
This commit is contained in:
Treehugger Robot 2020-05-04 22:11:18 +00:00 committed by Gerrit Code Review
commit f39f6a4772
3 changed files with 9 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
cmd/path_interposer/main.go
View file

@ -53,14 +53,7 @@ func main() {
os.Exit(1) os.Exit(1)
} }
disableError := false
if e, ok := os.LookupEnv("TEMPORARY_DISABLE_PATH_RESTRICTIONS"); ok {
disableError = e == "1" || e == "y" || e == "yes" || e == "on" || e == "true"
}
exitCode, err := Main(os.Stdout, os.Stderr, interposer, os.Args, mainOpts{ exitCode, err := Main(os.Stdout, os.Stderr, interposer, os.Args, mainOpts{
disableError: disableError,
sendLog: paths.SendLog, sendLog: paths.SendLog,
config: paths.GetConfig, config: paths.GetConfig,
lookupParents: lookupParents, lookupParents: lookupParents,
@ -79,8 +72,6 @@ If a tool isn't in the allowed list, a log will be posted to the unix domain
socket at <interposer>_log.`) socket at <interposer>_log.`)
type mainOpts struct { type mainOpts struct {
disableError bool
sendLog func(logSocket string, entry *paths.LogEntry, done chan interface{}) sendLog func(logSocket string, entry *paths.LogEntry, done chan interface{})
config func(name string) paths.PathConfig config func(name string) paths.PathConfig
lookupParents func() []paths.LogProcess lookupParents func() []paths.LogProcess
@ -131,7 +122,7 @@ func Main(stdout, stderr io.Writer, interposer string, args []string, opts mainO
}, waitForLog) }, waitForLog)
defer func() { <-waitForLog }() defer func() { <-waitForLog }()
} }
if config.Error && !opts.disableError { if config.Error {
return 1, fmt.Errorf("%q is not allowed to be used. See https://android.googlesource.com/platform/build/+/master/Changes.md#PATH_Tools for more information.", base) return 1, fmt.Errorf("%q is not allowed to be used. See https://android.googlesource.com/platform/build/+/master/Changes.md#PATH_Tools for more information.", base)
} }
} }

7
ui/build/path.go
View file

@ -177,9 +177,12 @@ func SetupPath(ctx Context, config Config) {
execs = append(execs, parsePathDir(pathEntry)...) execs = append(execs, parsePathDir(pathEntry)...)
} }
allowAllSymlinks := config.Environment().IsEnvTrue("TEMPORARY_DISABLE_PATH_RESTRICTIONS") if config.Environment().IsEnvTrue("TEMPORARY_DISABLE_PATH_RESTRICTIONS") {
ctx.Fatalln("TEMPORARY_DISABLE_PATH_RESTRICTIONS was a temporary migration method, and is now obsolete.")
}
for _, name := range execs { for _, name := range execs {
if !paths.GetConfig(name).Symlink && !allowAllSymlinks { if !paths.GetConfig(name).Symlink {
continue continue
} }

6
ui/build/sandbox_linux.go
View file

@ -181,15 +181,15 @@ func (c *Cmd) wrapSandbox() {
// For now, just map everything. Make most things readonly. // For now, just map everything. Make most things readonly.
"-R", "/", "-R", "/",
// Mount a writable tmp dir
"-B", "/tmp",
// Mount source are read-write // Mount source are read-write
"-B", sandboxConfig.srcDir, "-B", sandboxConfig.srcDir,
//Mount out dir as read-write //Mount out dir as read-write
"-B", sandboxConfig.outDir, "-B", sandboxConfig.outDir,
// Mount a writable tmp dir
"-B", "/tmp",
// Disable newcgroup for now, since it may require newer kernels // Disable newcgroup for now, since it may require newer kernels
// TODO: try out cgroups // TODO: try out cgroups
"--disable_clone_newcgroup", "--disable_clone_newcgroup",