authorDan Willemsen <dwillemsen@google.com>2017-05-03 17:15:47 -0700
committerDan Willemsen <dwillemsen@google.com>2017-05-05 16:25:40 -0700
commit269a8c78e7c33a0253073ea6b136583650ab7051 (patch)
treec4e28d19bdf0ad9cb07626231996ffa721d805b0 /ui/build/sandbox/darwin/global.sb
parent37a2aeb95a7a94a17059e85327796fe7418395a4 (diff)
Add exec.Cmd wrapper for logging / sandboxing
Wrap os/exec.Cmd to use our Context and Config interfaces for automatic logging and error handling. It also simplifies environment modification based on the Config's environment. This also adds sandboxing on Macs using sandbox-exec. A simple profile is provided that only logs on violations, though multiproduct_kati on AOSP has no violations. This isn't applied to ninja, only make / soong / kati to start with. I measured <5% time increase in reading all makefiles, and no noticeable difference when kati doesn't regenerate. I'd like to spin up a process to dump violation logs into our log file, but the log reporting changed over the range of Mac versions that we support, so that's going to be more complicated. Opening Console.app works in all cases if you're local -- just search/filter for sandbox. Linux sandboxing will be implemented later -- the sandbox definition is opaque enough to support a different implementation. Test: multiproduct_kati on AOSP master on Mac Change-Id: I7046229333d0dcc8f426a493e0f7380828879f17
Diffstat (limited to 'ui/build/sandbox/darwin/global.sb')
-rw-r--r--ui/build/sandbox/darwin/global.sb40
1 files changed, 40 insertions, 0 deletions
diff --git a/ui/build/sandbox/darwin/global.sb b/ui/build/sandbox/darwin/global.sb
new file mode 100644
index 00000000..47d0c434
--- /dev/null
+++ b/ui/build/sandbox/darwin/global.sb
@@ -0,0 +1,40 @@
+(version 1)
+
+; TODO: (deny default)
+(allow default (with report))
+
+; Import apple-defined rules for bsd daemons
+(import "bsd.sb")
+
+; Allow reading of any file
+(allow file-read*)
+
+; Allow writing to $OUT_DIR and $DIST_DIR
+(allow file-write*
+ (subpath (param "OUT_DIR"))
+ (subpath (param "DIST_DIR")))
+
+; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore
+(deny file-write* (with no-log)
+ (subpath (string-append (param "HOME") "/.oracle_jre_usage")))
+
+; Allow writes to user-specific temp folders (Java stores hsperfdata there)
+(allow file-write*
+ (subpath "/private/var/folders"))
+
+; Allow writing to the terminal
+(allow file-write-data
+ (subpath "/dev/tty"))
+
+; Java
+(allow mach-lookup
+ (global-name "com.apple.SystemConfiguration.configd") ; Java
+ (global-name "com.apple.CoreServices.coreservicesd") ; xcodebuild in Soong
+ (global-name "com.apple.FSEvents") ; xcodebuild in Soong
+ (global-name "com.apple.lsd.mapdb") ; xcodebuild in Soong
+ (global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong
+)
+
+; Allow executing any file
+(allow process-exec*)
+(allow process-fork)
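Review bot: With `(allow default (with report))` as the first rule, this profile runs in audit mode: none of the later `allow` rules restrict anything, and only the single `deny` on `~/.oracle_jre_usage` changes what a process can do, so the header should say so before a reader takes the OUT_DIR/DIST_DIR write rules for the effective policy, e.g. `; Audit-only: default is allow+report. The allow rules below become the policy once the (deny default) TODO lands.` Once that TODO is resolved, `(allow file-write* (subpath "/private/var/folders"))` grants writes to the whole per-user temp tree rather than just this user's directory; passing the caller's own temp path in as a parameter (`(subpath (param "<TEMP_DIR_PARAM>"))`, name to be chosen by the Go wrapper, which is not in this hunk) would keep the grant as narrow as the OUT_DIR one. `(subpath "/dev/tty")` names a device node rather than a directory, so `(literal "/dev/tty")` states the intent more precisely.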