name: "android-build-sandbox"
# `description` is a repeated field in nsjail's config.proto, so listing it
# twice appends a second line rather than overriding the first.
description: "Sandboxed Android Platform Build."
description: "No network access and a limited access to local host resources."

# All configuration options are described in
# https://github.com/google/nsjail/blob/master/config.proto
#
# Nothing in this file enables networking; the "no network access" claim above
# presumably relies on nsjail's default network-namespace isolation — confirm
# against the nsjail version in use.

# Run once then exit
mode: ONCE

# No time limit
time_limit: 0

# The rlimit_*_type fields below all use SOFT, i.e. the jail inherits the
# invoking process's current soft limit for each resource (see config.proto).
# No explicit numeric ceilings are set here, so the effective limits depend on
# the host shell/service that launches nsjail.

# Limits memory usage
rlimit_as_type: SOFT
# Maximum size of core dump files
rlimit_core_type: SOFT
# Limits use of CPU time
rlimit_cpu_type: SOFT
# Maximum file size
rlimit_fsize_type: SOFT
# Maximum number of file descriptors opened
rlimit_nofile_type: SOFT
# Maximum stack size
rlimit_stack_type: SOFT
# Maximum number of threads
rlimit_nproc_type: SOFT

# Allow terminal control
# This lets users cancel jobs with CTRL-C
# without exiting the jail
# Trade-off: the jailed process stays in the caller's session and keeps the
# controlling terminal instead of getting a fresh one via setsid().
skip_setsid: true

# Below are all the host paths that shall be mounted
# to the sandbox
#
# Mounts are applied in the order listed; keep that order when editing.

# Mount proc as read/write.
# NOTE(review): this is a writable /proc for the jail's pid namespace. If the
# build never writes under /proc, `rw: false` is the tighter setting — confirm
# with the toolchain before changing.
mount {
  dst: "/proc"
  fstype: "proc"
  rw: true
}

# The user must mount the source to /src using --bindmount
# It will be set as the initial working directory
cwd: "/src"

# The sandbox User ID was chosen arbitrarily
# inside_id is the uid seen inside the jail. An empty outside_id presumably
# maps it to the uid that invoked nsjail — verify against config.proto.
# The same value (999999) is hard-coded in the /etc/passwd entry further down;
# keep the two in sync.
uidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}

# The sandbox Group ID was chosen arbitrarily
# 65534 is reused as the gid in the /etc/passwd and /etc/group entries below;
# keep them in sync.
gidmap {
  inside_id: "65534"
  outside_id: ""
  count: 1
}

# By default nsjail does not propagate the environment into the jail. We need
# the path to be set up. There are a few ways to solve this problem, but to
# avoid an undocumented dependency we are explicit about the path we inject.
# PATH and HOME (below) are the only variables handed to the jail by this
# file; nothing else from the host environment is forwarded here.
envar: "PATH=/usr/bin:/usr/sbin:/bin:/sbin"

# Some tools in the build toolchain expect a $HOME to be set
# Point $HOME to /tmp in case the toolchain needs to write something out there
envar: "HOME=/tmp"
# A fresh tmpfs (not a bind of the host's /tmp), so the jail cannot see or
# modify host temporary files.
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Some tools need /dev/shm to create a named semaphore. Use a new tmpfs to
# limit access to the external environment.
mount {
  dst: "/dev/shm"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Map the working User ID to a username
# Some tools like Java need a valid username
# The file is synthesised from src_content rather than bound from the host,
# so host account data never enters the jail. uid/gid here must match the
# uidmap/gidmap inside_id values above. mandatory: false means the build still
# starts if this mount cannot be created.
mount {
  src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
  dst: "/etc/passwd"
  mandatory: false
}

# Define default group
# gid 65534 matches gidmap.inside_id above.
mount {
  src_content: "nogroup::65534:nogroup"
  dst: "/etc/group"
  mandatory: false
}

# Empty mtab file needed for some build scripts that check for images being mounted
mount {
  src_content: "\n"
  dst: "/etc/mtab"
  mandatory: false
}

# Explicitly mount required device file nodes
#
# This will enable a chroot based NsJail sandbox. A chroot does not provide
# device file nodes. So just mount the required device file nodes directly
# from the host.
#
# Note that this has no effect in a docker container, since in that case
# NsJail will just mount the container device nodes. When we use NsJail
# in a docker container we mount the full file system root. So the container
# device nodes were already mounted in the NsJail.
#
# Only the specific nodes listed below are exposed; no blanket /dev bind.

# Some tools (like llvm-link) look for file descriptors in /dev/fd
# Created as a symlink to the jail's own /proc/self/fd, not a host bind.
mount {
  src: "/proc/self/fd"
  dst: "/dev/fd"
  is_symlink: true
  mandatory: false
}

# /dev/null is very commonly used for silencing output
mount {
  src: "/dev/null"
  dst: "/dev/null"
  rw: true
  is_bind: true
}

# /dev/urandom used during the creation of system.img
mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  rw: true
  is_bind: true
}

# /dev/random used by test scripts
mount {
  src: "/dev/random"
  dst: "/dev/random"
  rw: true
  is_bind: true
}

# /dev/zero is required to make vendor-qemu.img
# No rw flag: bound read-only, which is all that reading zeros requires.
mount {
  src: "/dev/zero"
  dst: "/dev/zero"
  is_bind: true
}