1name: "android-build-sandbox"
description: "Sandboxed Android Platform Build."
description: "No network access and limited access to local host resources."
4
# All configuration options are described in
# https://github.com/google/nsjail/blob/master/config.proto
#
# Scope of this file: isolation comes from nsjail's namespaces, the mounts
# listed below and the rlimits inherited from the caller. No seccomp policy
# and no cgroup limits are defined here; if the build tree is untrusted,
# consider adding both (see the seccomp_* and cgroup_* options in
# config.proto).
7
8# Run once then exit
9mode: ONCE
10
# No wall-clock limit: nsjail will never kill a hung or runaway build.
# If this config is driven by automation, bound the run externally.
12time_limit: 0
13
# Resource limits. Every *_type below is SOFT, which (per config.proto)
# makes the jail inherit the invoking process's current soft limit for that
# resource instead of applying nsjail's own default value. With typical
# shell defaults the address-space, CPU-time and file-size limits are
# therefore unlimited; to actually bound the build, set e.g. rlimit_as to
# an explicit value (the VALUE type) instead of SOFT.
# Address space (memory) limit
15rlimit_as_type: SOFT
16# Maximum size of core dump files
17rlimit_core_type: SOFT
18# Limits use of CPU time
19rlimit_cpu_type: SOFT
20# Maximum file size
21rlimit_fsize_type: SOFT
22# Maximum number of file descriptors opened
23rlimit_nofile_type: SOFT
24# Maximum stack size
25rlimit_stack_type: SOFT
# Maximum number of processes/threads (RLIMIT_NPROC)
27rlimit_nproc_type: SOFT
28
# Allow terminal control.
# This lets users cancel jobs with CTRL-C without exiting the jail.
# Security trade-off: nsjail's usage text marks --skip_setsid as dangerous,
# because the jailed process stays in the caller's session and keeps the
# controlling terminal, so a compromised build step can interact with that
# terminal. Reasonable for interactive developer use; drop this option (or
# run without a tty) for unattended/CI executions.
32skip_setsid: true
33
34# Below are all the host paths that shall be mounted
35# to the sandbox
36
# Mount a fresh procfs at /proc (not a bind of the host's /proc).
# rw: true is presumably required by a build step that writes under
# /proc -- confirm; if no such step exists, prefer rw: false, since a
# writable /proc is more than a build needs.
38mount {
39  dst: "/proc"
40  fstype: "proc"
41  rw: true
42}
43
# The caller must bind-mount the source tree at /src (--bindmount, or
# --bindmount_ro when read access suffices for the intended build step).
# It becomes the initial working directory.
46cwd: "/src"
47
# The sandbox User ID was chosen arbitrarily. An empty outside_id maps it
# onto the invoking user's uid (see config.proto), and count: 1 means this
# single uid is the only one that exists inside the jail. It must match the
# uid written into the synthetic /etc/passwd further below.
49uidmap {
50  inside_id: "999999"
51  outside_id: ""
52  count: 1
53}
54
# The sandbox Group ID was chosen arbitrarily. An empty outside_id maps it
# onto the invoking user's gid (see config.proto); count: 1 makes it the
# only gid inside the jail. It must match the gid used in the synthetic
# /etc/passwd and /etc/group below.
56gidmap {
57  inside_id: "65534"
58  outside_id: ""
59  count: 1
60}
61
# By default nsjail does not propagate the environment into the jail (so
# tokens and other secrets in the caller's environment stay outside). The
# build needs a PATH, and to avoid an undocumented dependency on the host's
# environment we are explicit about the value we inject. Tools installed
# outside these four directories (e.g. /usr/local/bin) will not be found.
65envar: "PATH=/usr/bin:/usr/sbin:/bin:/sbin"
66
# Some tools in the build toolchain expect a $HOME to be set.
# Point $HOME to /tmp in case the toolchain needs to write something there.
# The tmpfs below has no size= option, so it falls back to the kernel
# default (typically half of RAM); add options: "size=..." if a misbehaving
# build must not be able to exhaust host memory through /tmp.
69envar: "HOME=/tmp"
70mount {
71  dst: "/tmp"
72  fstype: "tmpfs"
73  rw: true
74  is_bind: false
75}
76
# Some tools need /dev/shm to create a named semaphore. Use a new tmpfs
# (rather than the host's /dev/shm) so nothing is shared with processes
# outside the jail. Like /tmp above, it carries no size= cap.
79mount {
80  dst: "/dev/shm"
81  fstype: "tmpfs"
82  rw: true
83  is_bind: false
84}
85
# Map the working User ID to a username.
# Some tools like Java need a valid username. The uid/gid in this entry
# (999999/65534) must match the uidmap/gidmap above. mandatory: false means
# (per config.proto) that failing to place this file is not fatal to the
# jail; such tools would then fail later rather than at startup.
88mount {
89  src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
90  dst: "/etc/passwd"
91  mandatory: false
92}
93
94# Define default group
95mount {
96  src_content: "nogroup::65534:nogroup"
97  dst: "/etc/group"
98  mandatory: false
99}
100
101# Empty mtab file needed for some build scripts that check for images being mounted
102mount {
103  src_content: "\n"
104  dst: "/etc/mtab"
105  mandatory: false
106}
107
108# Explicitly mount required device file nodes
109#
# This supports a chroot-based nsjail sandbox. A chroot does not provide
# device file nodes, so the required nodes are bind-mounted directly from
# the host. Only the nodes listed here are exposed; add further nodes
# deliberately rather than mounting all of /dev.
#
# Note that this has no effect in a docker container, since in that case
# nsjail will just mount the container device nodes. When we use nsjail
# in a docker container we mount the full file system root, so the
# container device nodes are already present in the jail.
118
119# Some tools (like llvm-link) look for file descriptors in /dev/fd
120mount {
121  src: "/proc/self/fd"
122  dst: "/dev/fd"
123  is_symlink: true
124  mandatory: false
125}
126
# /dev/null is very commonly used for silencing output
128mount {
129  src: "/dev/null"
130  dst: "/dev/null"
131  rw: true
132  is_bind: true
133}
134
135# /dev/urandom used during the creation of system.img
136mount {
137  src: "/dev/urandom"
138  dst: "/dev/urandom"
139  rw: true
140  is_bind: true
141}
142
143# /dev/random used by test scripts
144mount {
145  src: "/dev/random"
146  dst: "/dev/random"
147  rw: true
148  is_bind: true
149}
150
151# /dev/zero is required to make vendor-qemu.img
152mount {
153  src: "/dev/zero"
154  dst: "/dev/zero"
155  is_bind: true
156}
157