diff options
| author | 2020-05-04 22:11:18 +0000 | |
|---|---|---|
| committer | 2020-05-04 22:11:18 +0000 | |
| commit | f39f6a4772dd54e2a10aebb3785e90ced1922421 (patch) | |
| tree | e63a1346e0172deda063af20c73b0e298b94dac3 | |
| parent | ede50781442d2827e4571cd04a82dbc6f867a9e5 (diff) | |
| parent | 347ba75679f4a2af4b602a274ad1e6acfe4dade0 (diff) | |
Merge changes I2e370952,I811cc8e1
* changes:
Remove TEMPORARY_DISABLE_PATH_RESTRICTIONS
nsjail: Always remount /tmp before src/out/dist
| -rw-r--r-- | cmd/path_interposer/main.go | 11 | ||||
| -rw-r--r-- | ui/build/path.go | 7 | ||||
| -rw-r--r-- | ui/build/sandbox_linux.go | 6 |
3 files changed, 9 insertions, 15 deletions
diff --git a/cmd/path_interposer/main.go b/cmd/path_interposer/main.go index cd28b9608..a4fe3e489 100644 --- a/cmd/path_interposer/main.go +++ b/cmd/path_interposer/main.go @@ -53,14 +53,7 @@ func main() { os.Exit(1) } - disableError := false - if e, ok := os.LookupEnv("TEMPORARY_DISABLE_PATH_RESTRICTIONS"); ok { - disableError = e == "1" || e == "y" || e == "yes" || e == "on" || e == "true" - } - exitCode, err := Main(os.Stdout, os.Stderr, interposer, os.Args, mainOpts{ - disableError: disableError, - sendLog: paths.SendLog, config: paths.GetConfig, lookupParents: lookupParents, @@ -79,8 +72,6 @@ If a tool isn't in the allowed list, a log will be posted to the unix domain socket at <interposer>_log.`) type mainOpts struct { - disableError bool - sendLog func(logSocket string, entry *paths.LogEntry, done chan interface{}) config func(name string) paths.PathConfig lookupParents func() []paths.LogProcess @@ -131,7 +122,7 @@ func Main(stdout, stderr io.Writer, interposer string, args []string, opts mainO }, waitForLog) defer func() { <-waitForLog }() } - if config.Error && !opts.disableError { + if config.Error { return 1, fmt.Errorf("%q is not allowed to be used. See https://android.googlesource.com/platform/build/+/master/Changes.md#PATH_Tools for more information.", base) } } diff --git a/ui/build/path.go b/ui/build/path.go index c34ba1b52..7122927a6 100644 --- a/ui/build/path.go +++ b/ui/build/path.go @@ -177,9 +177,12 @@ func SetupPath(ctx Context, config Config) { execs = append(execs, parsePathDir(pathEntry)...) } - allowAllSymlinks := config.Environment().IsEnvTrue("TEMPORARY_DISABLE_PATH_RESTRICTIONS") + if config.Environment().IsEnvTrue("TEMPORARY_DISABLE_PATH_RESTRICTIONS") { + ctx.Fatalln("TEMPORARY_DISABLE_PATH_RESTRICTIONS was a temporary migration method, and is now obsolete.") + } + for _, name := range execs { - if !paths.GetConfig(name).Symlink && !allowAllSymlinks { + if !paths.GetConfig(name).Symlink { continue } diff --git a/ui/build/sandbox_linux.go b/ui/build/sandbox_linux.go index 98eb028a8..dab0e756b 100644 --- a/ui/build/sandbox_linux.go +++ b/ui/build/sandbox_linux.go @@ -181,15 +181,15 @@ func (c *Cmd) wrapSandbox() { // For now, just map everything. Make most things readonly. "-R", "/", + // Mount a writable tmp dir + "-B", "/tmp", + // Mount source are read-write "-B", sandboxConfig.srcDir, //Mount out dir as read-write "-B", sandboxConfig.outDir, - // Mount a writable tmp dir - "-B", "/tmp", - // Disable newcgroup for now, since it may require newer kernels // TODO: try out cgroups "--disable_clone_newcgroup", |