1name: "androidx-build-sandbox"
2description: "Sandboxed AndroidX Build."
3description: "No network access and a limited access to local host resources."
4
5# All configuration options are described in
6# https://github.com/google/nsjail/blob/master/config.proto
7
8# Heavily based on https://source.corp.google.com/android/tools/treble/build/sandbox/nsjail.cfg
9
10# Run once then exit
11mode: ONCE
12
13# No time limit
14time_limit: 0
15
16# Limits memory usage
17rlimit_as_type: SOFT
18# Maximum size of core dump files
19rlimit_core_type: SOFT
20# Limits use of CPU time
21rlimit_cpu_type: SOFT
22# Maximum file size
23rlimit_fsize_type: SOFT
24# Maximum number of file descriptors opened
25rlimit_nofile_type: SOFT
26# Maximum stack size
27rlimit_stack_type: SOFT
28# Maximum number of threads
29rlimit_nproc_type: SOFT
30
31# Allow terminal control
32# This lets users cancel jobs with CTRL-C
33# without exiting the jail
34skip_setsid: true
35
36# Below are all the host paths that shall be mounted
37# to the sandbox
38
39# Mount proc as read/write.
40mount {
41 dst: "/proc"
42 fstype: "proc"
43 rw: true
44}
45
46# The sandbox User ID was chosen arbitrarily
47uidmap {
48 inside_id: "999999"
49 outside_id: ""
50 count: 1
51}
52
53# The sandbox Group ID was chosen arbitrarily
54gidmap {
55 inside_id: "65534"
56 outside_id: ""
57 count: 1
58}
59
60# AndroidX build heavily relies on ENV variables (OUT_DIR, DIST etc) so we enable them all
61# since limiting environment variable access is not a particular goal for us. Note that this passes the whole host environment into the jail, so any credentials or tokens set there are visible to the build.
62keep_env: true
63# Fresh tmpfs for /tmp (not a bind of the host's /tmp), for the same isolation reason as /dev/shm below
64mount {
65 dst: "/tmp"
66 fstype: "tmpfs"
67 rw: true
68 is_bind: false
69}
70
71# Some tools need /dev/shm to create a named semaphore. Use a new tmpfs to
72# limit access to the external environment.
73mount {
74 dst: "/dev/shm"
75 fstype: "tmpfs"
76 rw: true
77 is_bind: false
78}
79
80# Map the working User ID to a username
81# Some tools like Java need a valid username
82mount {
83 src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
84 dst: "/etc/passwd"
85 mandatory: false
86}
87
88# Define default group
89mount {
90 src_content: "nogroup::65534:nogroup"
91 dst: "/etc/group"
92 mandatory: false
93}
94
95# Empty mtab file needed for some build scripts that check for images being mounted
96mount {
97 src_content: "\n"
98 dst: "/etc/mtab"
99 mandatory: false
100}
101
102# Explicitly mount required device file nodes
103#
104# This will enable a chroot based NsJail sandbox. A chroot does not provide
105# device file nodes. So just mount the required device file nodes directly
106# from the host.
107#
108# Note that this has no effect in a docker container, since in that case
109# NsJail will just mount the container device nodes. When we use NsJail
110# in a docker container we mount the full file system root. So the container
111# device nodes were already mounted in the NsJail.
112
113# /dev/null is very commonly used for silencing output
114mount {
115 src: "/dev/null"
116 dst: "/dev/null"
117 rw: true
118 is_bind: true
119}
120
121# Options inherited from android/tools/treble that AndroidX does not need
122# Note that they remain active as written below; nothing in this section is commented out
123
124# Some tools (like llvm-link) look for file descriptors in /dev/fd
125mount {
126 src: "/proc/self/fd"
127 dst: "/dev/fd"
128 is_symlink: true
129 mandatory: false
130}
131
132# /dev/urandom used during the creation of system.img
133mount {
134 src: "/dev/urandom"
135 dst: "/dev/urandom"
136 rw: true
137 is_bind: true
138}
139
140# /dev/random used by test scripts
141mount {
142 src: "/dev/random"
143 dst: "/dev/random"
144 rw: true
145 is_bind: true
146}
147
148# /dev/zero is required to make vendor-qemu.img
149mount {
150 src: "/dev/zero"
151 dst: "/dev/zero"
152 is_bind: true
153}
154
155# The user must mount the source to /src using --bindmount
156# It is intended as the initial working directory, but the cwd setting below is currently commented out
157# cwd: "/src"
158