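name: "android-build-sandbox"
description: "Sandboxed Android Platform Build."
description: "No network access and a limited access to local host resources."

# All configuration options are described in
# https://github.com/google/nsjail/blob/master/config.proto
#
# NOTE(review): nothing in the part of this file shown here sets a clone_new*
# option, so the "no network access" promise above rests on nsjail's default
# of creating a new network namespace. Confirm that no wrapper or command-line
# flag turns that default off.

# Run once then exit
mode: ONCE

# No time limit
time_limit: 0

# Resource limits.
# Every rlimit below uses type SOFT, which makes nsjail reuse the soft limit
# already in effect for the calling process instead of a value set in this
# file. The sandbox therefore adds no resource cap of its own; tighten the
# limits in the invoking environment if the build must be bounded.

# Address-space (memory) limit
rlimit_as_type: SOFT

# Maximum size of core dump files
rlimit_core_type: SOFT

# CPU time limit
rlimit_cpu_type: SOFT

# Maximum file size
rlimit_fsize_type: SOFT

# Maximum number of open file descriptors
rlimit_nofile_type: SOFT

# Maximum stack size
rlimit_stack_type: SOFT

# Maximum number of threads
rlimit_nproc_type: SOFT

# Allow terminal control
# This lets users cancel jobs with CTRL-C
# without exiting the jail
# NOTE(review): nsjail's help text marks skip_setsid as dangerous. Without
# setsid() the jailed process stays in the caller's session and keeps its
# controlling terminal, so terminal isolation is traded for CTRL-C handling.
# Weigh that before building untrusted sources from an interactive shell.
skip_setsid: true

# Below are all the host paths that shall be mounted
# to the sandbox

# Mount proc as read/write.
# NOTE(review): the file does not say which build step needs to write to
# /proc; confirm one does, since a read-only proc is the narrower choice.
mount {
  dst: "/proc"
  fstype: "proc"
  rw: true
}

# The user must mount the source to /src using --bindmount
# It will be set as the initial working directory
cwd: "/src"

# The sandbox User ID was chosen arbitrarily
# An empty outside_id maps the ID of the user who starts nsjail.
uidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}

# The sandbox Group ID was chosen arbitrarily
# An empty outside_id maps the group ID of the user who starts nsjail.
gidmap {
  inside_id: "65534"
  outside_id: ""
  count: 1
}

# By default nsjail does not propagate the environment into the jail. We need
# the path to be set up. There are a few ways to solve this problem, but to
# avoid an undocumented dependency we are explicit about the path we inject.
envar: "PATH=/usr/bin:/usr/sbin:/bin:/sbin"

# Some tools in the build toolchain expect a $HOME to be set
# Point $HOME to /tmp in case the toolchain needs to write something out there
envar: "HOME=/tmp"

# /tmp is a fresh tmpfs (is_bind: false), not the host's /tmp, so whatever
# the toolchain writes under $HOME stays inside the jail.
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Some tools need /dev/shm to create a named semaphore. Use a new tmpfs to
# limit access to the external environment.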
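mount {
  dst: "/dev/shm"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Map the working User ID to a username
# Some tools like Java need a valid username
# The UID 999999 and GID 65534 in this entry must stay in step with the
# inside_id values of the uidmap and gidmap entries.
# mandatory: false lets the jail start even when this mount cannot be made,
# so a missing /etc/passwd shows up later as a tool error, not at startup.
mount {
  src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
  dst: "/etc/passwd"
  mandatory: false
}

# Define default group
mount {
  src_content: "nogroup::65534:nogroup"
  dst: "/etc/group"
  mandatory: false
}

# Empty mtab file needed for some build scripts that check for images being
# mounted
mount {
  src_content: "\n"
  dst: "/etc/mtab"
  mandatory: false
}

# Explicitly mount required device file nodes
#
# This will enable a chroot based NsJail sandbox. A chroot does not provide
# device file nodes. So just mount the required device file nodes directly
# from the host.
#
# Note that this has no effect in a docker container, since in that case
# NsJail will just mount the container device nodes. When we use NsJail
# in a docker container we mount the full file system root. So the container
# device nodes were already mounted in the NsJail.
#
# Only the nodes listed below are exposed; keep the list this short so the
# jail does not gain access to other host devices.

# Some tools (like llvm-link) look for file descriptors in /dev/fd
mount {
  src: "/proc/self/fd"
  dst: "/dev/fd"
  is_symlink: true
  mandatory: false
}

# /dev/null is very commonly used for silencing output
mount {
  src: "/dev/null"
  dst: "/dev/null"
  rw: true
  is_bind: true
}

# /dev/urandom used during the creation of system.img
mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  rw: true
  is_bind: true
}

# /dev/random used by test scripts
mount {
  src: "/dev/random"
  dst: "/dev/random"
  rw: true
  is_bind: true
}

# /dev/zero is required to make vendor-qemu.img
# (bound without rw: true, unlike the other device nodes above)
mount {
  src: "/dev/zero"
  dst: "/dev/zero"
  is_bind: true
}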