king
/
v811_spc009
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
v811_spc009/tools/treble/build/sandbox/nsjail.cfg

157 lines
3.5 KiB
Raw Permalink Blame History

name: "android-build-sandbox"
description: "Sandboxed Android Platform Build."
description: "No network access and a limited access to local host resources."
# All configuration options are described in
# https://github.com/google/nsjail/blob/master/config.proto
# Run once then exit
mode: ONCE
# No time limit
time_limit: 0
# Limits memory usage
rlimit_as_type: SOFT
# Maximum size of core dump files
rlimit_core_type: SOFT
# Limits use of CPU time
rlimit_cpu_type: SOFT
# Maximum file size
rlimit_fsize_type: SOFT
# Maximum number of file descriptors opened
rlimit_nofile_type: SOFT
# Maximum stack size
rlimit_stack_type: SOFT
# Maximum number of threads
rlimit_nproc_type: SOFT
# Allow terminal control
# This let's users cancel jobs with CTRL-C
# without exiting the jail
skip_setsid: true
# Below are all the host paths that shall be mounted
# to the sandbox
# Mount proc as read/write.
mount {
dst: "/proc"
fstype: "proc"
rw: true
}
# The user must mount the source to /src using --bindmount
# It will be set as the initial working directory
cwd: "/src"
# The sandbox User ID was chosen arbitrarily
uidmap {
inside_id: "999999"
outside_id: ""
count: 1
}
# The sandbox Group ID was chosen arbitrarily
gidmap {
inside_id: "65534"
outside_id: ""
count: 1
}
# By default nsjail does not propagate the environment into the jail. We need
# the path to be set up. There are a few ways to solve this problem, but to
# avoid an undocumented dependency we are explict about the path we inject.
envar: "PATH=/usr/bin:/usr/sbin:/bin:/sbin"
# Some tools in the build toolchain expect a $HOME to be set
# Point $HOME to /tmp in case the toolchain needs to write something out there
envar: "HOME=/tmp"
mount {
dst: "/tmp"
fstype: "tmpfs"
rw: true
is_bind: false
}
# Some tools need /dev/shm to created a named semaphore. Use a new tmpfs to
# limit access to the external environment.
mount {
dst: "/dev/shm"
fstype: "tmpfs"
rw: true
is_bind: false
}
# Map the working User ID to a username
# Some tools like Java need a valid username
mount {
src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
dst: "/etc/passwd"
mandatory: false
}
# Define default group
mount {
src_content: "nogroup::65534:nogroup"
dst: "/etc/group"
mandatory: false
}
# Empty mtab file needed for some build scripts that check for images being mounted
mount {
src_content: "\n"
dst: "/etc/mtab"
mandatory: false
}
# Explicitly mount required device file nodes
#
# This will enable a chroot based NsJail sandbox. A chroot does not provide
# device file nodes. So just mount the required device file nodes directly
# from the host.
#
# Note that this has no effect in a docker container, since in that case
# NsJail will just mount the container device nodes. When we use NsJail
# in a docker container we mount the full file system root. So the container
# device nodes were already mounted in the NsJail.
# Some tools (like llvm-link) look for file descriptors in /dev/fd
mount {
src: "/proc/self/fd"
dst: "/dev/fd"
is_symlink: true
mandatory: false
}
# /dev/null is a very commonly used for silencing output
mount {
src: "/dev/null"
dst: "/dev/null"
rw: true
is_bind: true
}
# /dev/urandom used during the creation of system.img
mount {
src: "/dev/urandom"
dst: "/dev/urandom"
rw: true
is_bind: true
}
# /dev/random used by test scripts
mount {
src: "/dev/random"
dst: "/dev/random"
rw: true
is_bind: true
}
# /dev/zero is required to make vendor-qemu.img
mount {
src: "/dev/zero"
dst: "/dev/zero"
is_bind: true
}
Reference in new issue View Git Blame Copy Permalink