| name: "androidx-build-sandbox" |
| description: "Sandboxed AndroidX Build." |
| description: "No network access and a limited access to local host resources." |
| |
| # All configuration options are described in |
| # https://github.com/google/nsjail/blob/master/config.proto |
| |
| # Heavily based on https://source.corp.google.com/android/tools/treble/build/sandbox/nsjail.cfg |
| |
| # Run once then exit |
| mode: ONCE |
| |
| # No time limit |
| time_limit: 0 |
| |
| # Limits memory usage |
| rlimit_as_type: SOFT |
| # Maximum size of core dump files |
| rlimit_core_type: SOFT |
| # Limits use of CPU time |
| rlimit_cpu_type: SOFT |
| # Maximum file size |
| rlimit_fsize_type: SOFT |
| # Maximum number of file descriptors opened |
| rlimit_nofile_type: SOFT |
| # Maximum stack size |
| rlimit_stack_type: SOFT |
| # Maximum number of threads |
| rlimit_nproc_type: SOFT |
| |
| # Allow terminal control |
| # This let's users cancel jobs with CTRL-C |
| # without exiting the jail |
| skip_setsid: true |
| |
| # Below are all the host paths that shall be mounted |
| # to the sandbox |
| |
| # Mount proc as read/write. |
| mount { |
| dst: "/proc" |
| fstype: "proc" |
| rw: true |
| } |
| |
| # The sandbox User ID was chosen arbitrarily |
| uidmap { |
| inside_id: "999999" |
| outside_id: "" |
| count: 1 |
| } |
| |
| # The sandbox Group ID was chosen arbitrarily |
| gidmap { |
| inside_id: "65534" |
| outside_id: "" |
| count: 1 |
| } |
| |
| # AndroidX build heavily relies on ENV variables (OUT_DIR, DIST etc) so we enable them all |
| # since limiting environment variable access is not a particular goal for us |
| keep_env: true |
| |
| mount { |
| dst: "/tmp" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| # Some tools need /dev/shm to created a named semaphore. Use a new tmpfs to |
| # limit access to the external environment. |
| mount { |
| dst: "/dev/shm" |
| fstype: "tmpfs" |
| rw: true |
| is_bind: false |
| } |
| |
| # Map the working User ID to a username |
| # Some tools like Java need a valid username |
| mount { |
| src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash" |
| dst: "/etc/passwd" |
| mandatory: false |
| } |
| |
| # Define default group |
| mount { |
| src_content: "nogroup::65534:nogroup" |
| dst: "/etc/group" |
| mandatory: false |
| } |
| |
| # Empty mtab file needed for some build scripts that check for images being mounted |
| mount { |
| src_content: "\n" |
| dst: "/etc/mtab" |
| mandatory: false |
| } |
| |
| # Explicitly mount required device file nodes |
| # |
| # This will enable a chroot based NsJail sandbox. A chroot does not provide |
| # device file nodes. So just mount the required device file nodes directly |
| # from the host. |
| # |
| # Note that this has no effect in a docker container, since in that case |
| # NsJail will just mount the container device nodes. When we use NsJail |
| # in a docker container we mount the full file system root. So the container |
| # device nodes were already mounted in the NsJail. |
| |
| # /dev/null is a very commonly used for silencing output |
| mount { |
| src: "/dev/null" |
| dst: "/dev/null" |
| rw: true |
| is_bind: true |
| } |
| |
| # UNUSED options |
| # These were set in android/tools/treble, but are not useful to us in AndroidX |
| |
| # Some tools (like llvm-link) look for file descriptors in /dev/fd |
| mount { |
| src: "/proc/self/fd" |
| dst: "/dev/fd" |
| is_symlink: true |
| mandatory: false |
| } |
| |
| # /dev/urandom used during the creation of system.img |
| mount { |
| src: "/dev/urandom" |
| dst: "/dev/urandom" |
| rw: true |
| is_bind: true |
| } |
| |
| # /dev/random used by test scripts |
| mount { |
| src: "/dev/random" |
| dst: "/dev/random" |
| rw: true |
| is_bind: true |
| } |
| |
| # /dev/zero is required to make vendor-qemu.img |
| mount { |
| src: "/dev/zero" |
| dst: "/dev/zero" |
| is_bind: true |
| } |
| |
| # The user must mount the source to /src using --bindmount |
| # It will be set as the initial working directory |
| # cwd: "/src" |
| |