name: "android-build-sandbox"
description: "Sandboxed Android Platform Build."
description: "No network access and a limited access to local host resources."

# All configuration options are described in
# https://github.com/google/nsjail/blob/master/config.proto

# Run once then exit
mode: ONCE

# No time limit
time_limit: 0

# Limits memory usage
rlimit_as_type: SOFT
# Maximum size of core dump files
rlimit_core_type: SOFT
# Limits use of CPU time
rlimit_cpu_type: SOFT
# Maximum file size
rlimit_fsize_type: SOFT
# Maximum number of file descriptors opened
rlimit_nofile_type: SOFT
# Maximum stack size
rlimit_stack_type: SOFT
# Maximum number of threads
rlimit_nproc_type: SOFT

# Allow terminal control
# This lets users cancel jobs with CTRL-C
# without exiting the jail
skip_setsid: true

# Below are all the host paths that shall be mounted
# to the sandbox

# Mount proc as read/write.
mount {
  dst: "/proc"
  fstype: "proc"
  rw: true
}

# The user must mount the source to /src using --bindmount
# It will be set as the initial working directory
cwd: "/src"

# The sandbox User ID was chosen arbitrarily
uidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}

# The sandbox Group ID was chosen arbitrarily
gidmap {
  inside_id: "65534"
  outside_id: ""
  count: 1
}

# By default nsjail does not propagate the environment into the jail. We need
# the path to be set up. There are a few ways to solve this problem, but to
# avoid an undocumented dependency we are explicit about the path we inject.
envar: "PATH=/usr/bin:/usr/sbin:/bin:/sbin"

# Some tools in the build toolchain expect a $HOME to be set
# Point $HOME to /tmp in case the toolchain needs to write something out there
envar: "HOME=/tmp"
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Some tools need /dev/shm to create a named semaphore. Use a new tmpfs to
# limit access to the external environment.
mount {
  dst: "/dev/shm"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Map the working User ID to a username
# Some tools like Java need a valid username
mount {
  src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
  dst: "/etc/passwd"
  mandatory: false
}

# Define default group
mount {
  src_content: "nogroup::65534:nogroup"
  dst: "/etc/group"
  mandatory: false
}

# Empty mtab file needed for some build scripts that check for images being mounted
mount {
  src_content: "\n"
  dst: "/etc/mtab"
  mandatory: false
}

# Explicitly mount required device file nodes
#
# This will enable a chroot based NsJail sandbox. A chroot does not provide
# device file nodes. So just mount the required device file nodes directly
# from the host.
#
# Note that this has no effect in a docker container, since in that case
# NsJail will just mount the container device nodes. When we use NsJail
# in a docker container we mount the full file system root. So the container
# device nodes were already mounted in the NsJail.

# Some tools (like llvm-link) look for file descriptors in /dev/fd
mount {
  src: "/proc/self/fd"
  dst: "/dev/fd"
  is_symlink: true
  mandatory: false
}

# /dev/null is very commonly used for silencing output
mount {
  src: "/dev/null"
  dst: "/dev/null"
  rw: true
  is_bind: true
}

# /dev/urandom used during the creation of system.img
mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  rw: true
  is_bind: true
}

# /dev/random used by test scripts
mount {
  src: "/dev/random"
  dst: "/dev/random"
  rw: true
  is_bind: true
}

# /dev/zero is required to make vendor-qemu.img
mount {
  src: "/dev/zero"
  dst: "/dev/zero"
  is_bind: true
}

# /dev/stdin used during the creation of files in external/cronet
mount {
  src: "/proc/self/fd/0"
  dst: "/dev/stdin"
  is_symlink: true
}