# nsjail configuration (protobuf text format, see config.proto link below) for
# running the AndroidX build in a sandbox: isolated network, a private /tmp and
# /dev/shm, one fixed unprivileged uid/gid, generated /etc/passwd and
# /etc/group, and only a handful of host device nodes bound in.
# The root filesystem and the /src checkout are NOT mounted by this file; they
# are expected to come from the nsjail command line (see the note on /src at
# the bottom).
name: "androidx-build-sandbox"
description: "Sandboxed AndroidX Build."
# NOTE(review): `description` is given twice. That is only valid if the field
# is `repeated` in nsjail's config.proto; a singular field set twice is
# normally a textproto parse error — confirm against the config.proto linked
# below.
description: "No network access and a limited access to local host resources."

# All configuration options are described in
# https://github.com/google/nsjail/blob/master/config.proto

# Heavily based on https://source.corp.google.com/android/tools/treble/build/sandbox/nsjail.cfg

# Network isolation is not configured explicitly in this file; the "No network
# access" promise in the description relies on nsjail's upstream default of
# creating a fresh network namespace (clone_newnet) — confirm this for the
# nsjail version in use, and consider pinning it explicitly so the guarantee
# does not depend on a default.

# Run once then exit
mode: ONCE

# No time limit
# (wall-clock limit on the jailed process; 0 disables it, so a hung build is
# not killed by nsjail itself — the caller/CI has to enforce any timeout)
time_limit: 0

# Resource limits. Only the *type* of each limit is set (SOFT); no numeric
# rlimit_* values appear here, so the effective limits are presumably whatever
# the environment that launches nsjail provides — check these first if builds
# fail with "Too many open files", stack overflows, or OOM kills.
# Limits memory usage
rlimit_as_type: SOFT
# Maximum size of core dump files
rlimit_core_type: SOFT
# Limits use of CPU time
rlimit_cpu_type: SOFT
# Maximum file size
rlimit_fsize_type: SOFT
# Maximum number of file descriptors opened
rlimit_nofile_type: SOFT
# Maximum stack size
rlimit_stack_type: SOFT
# Maximum number of threads
rlimit_nproc_type: SOFT

# Allow terminal control
# This lets users cancel jobs with CTRL-C
# without exiting the jail
# Trade-off: skipping setsid() presumably keeps the jailed process in the
# caller's session and thus attached to the controlling terminal. That is the
# point for interactive use, but it is a weaker boundary than nsjail's default,
# so it is worth revisiting for unattended CI runs.
skip_setsid: true

# Below are all the host paths that shall be mounted
# to the sandbox

# Mount proc as read/write.
# NOTE(review): a writable procfs exposes /proc/sys and similar to the build.
# The user namespace limits what can actually be written, but if the build
# does not need to write to /proc, a read-only mount would be the tighter
# choice — confirm.
mount {
  dst: "/proc"
  fstype: "proc"
  rw: true
}

# The sandbox User ID was chosen arbitrarily
# inside_id / outside_id are string-typed (hence the quotes). An empty
# outside_id presumably maps to the uid that runs nsjail — confirm in
# config.proto. The inside uid (999999) must agree with the /etc/passwd
# line generated further down.
uidmap {
  inside_id: "999999"
  outside_id: ""
  count: 1
}

# The sandbox Group ID was chosen arbitrarily
# 65534 is the conventional "nogroup" gid; it must agree with the gid used in
# the generated /etc/passwd and /etc/group below. Empty outside_id presumably
# means the gid that runs nsjail — confirm.
gidmap {
  inside_id: "65534"
  outside_id: ""
  count: 1
}

# AndroidX build heavily relies on ENV variables (OUT_DIR, DIST etc) so we enable them all
# since limiting environment variable access is not a particular goal for us
# Security note: this forwards the *entire* launching environment into the
# jail, including any tokens or credentials the caller happens to have
# exported. Keep such values out of the invoking shell / CI environment, or
# switch to passing only the needed variables explicitly (nsjail's `envar`
# entries) if that ever becomes a concern.
keep_env: true

# Private /tmp: a fresh tmpfs rather than a bind of the host's /tmp, so
# nothing leaks between host and sandbox through /tmp (is_bind: false is the
# explicit opposite of the device-node binds below). No size option is given
# here, so the tmpfs size is whatever nsjail's default is — TODO confirm that
# default is large enough for the build's temporary files.
mount {
  dst: "/tmp"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Some tools need /dev/shm to create a named semaphore. Use a new tmpfs to
# limit access to the external environment.
mount {
  dst: "/dev/shm"
  fstype: "tmpfs"
  rw: true
  is_bind: false
}

# Map the working User ID to a username
# Some tools like Java need a valid username
# The file content is generated (src_content), not taken from the host:
# user "nobody", uid 999999 / gid 65534 (must match uidmap/gidmap above),
# home directory is the private /tmp. mandatory: false means the jail still
# starts if this mount fails. Assumes /bin/bash exists in the jailed root —
# TODO confirm, since the root is not mounted by this file.
mount {
  src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
  dst: "/etc/passwd"
  mandatory: false
}

# Define default group
# Generated content: group "nogroup" with gid 65534, matching gidmap above.
mount {
  src_content: "nogroup::65534:nogroup"
  dst: "/etc/group"
  mandatory: false
}

# Empty mtab file needed for some build scripts that check for images being mounted
# A single newline so the file exists but lists no mounts.
mount {
  src_content: "\n"
  dst: "/etc/mtab"
  mandatory: false
}

# Explicitly mount required device file nodes
#
# This will enable a chroot based NsJail sandbox. A chroot does not provide
# device file nodes. So just mount the required device file nodes directly
# from the host.
#
# Note that this has no effect in a docker container, since in that case
# NsJail will just mount the container device nodes. When we use NsJail
# in a docker container we mount the full file system root. So the container
# device nodes were already mounted in the NsJail.

# /dev/null is very commonly used for silencing output
mount {
  src: "/dev/null"
  dst: "/dev/null"
  rw: true
  is_bind: true
}

# UNUSED options
# These were set in android/tools/treble, but are not useful to us in AndroidX
# NOTE(review): despite this header, the four mount stanzas below are live
# configuration and are applied like every other mount in this file. If they
# really are not needed, drop them (each bind-in is one more piece of host
# surface inside the jail); otherwise rename this header so readers do not
# assume they are inert.

# Some tools (like llvm-link) look for file descriptors in /dev/fd
# Created as a symlink into the jail's own /proc (mounted above), so it
# resolves to the sandboxed process's descriptors. mandatory: false — the
# jail still starts if the symlink cannot be created.
mount {
  src: "/proc/self/fd"
  dst: "/dev/fd"
  is_symlink: true
  mandatory: false
}

# /dev/urandom used during the creation of system.img
# Read/write bind of the host node (writes to urandom only feed the pool).
mount {
  src: "/dev/urandom"
  dst: "/dev/urandom"
  rw: true
  is_bind: true
}

# /dev/random used by test scripts
# Same shape as the /dev/urandom bind above.
mount {
  src: "/dev/random"
  dst: "/dev/random"
  rw: true
  is_bind: true
}

# /dev/zero is required to make vendor-qemu.img
# No `rw` given, so presumably a read-only bind (config.proto default) —
# sufficient for /dev/zero.
mount {
  src: "/dev/zero"
  dst: "/dev/zero"
  is_bind: true
}

# The user must mount the source to /src using --bindmount
# It will be set as the initial working directory
# (cwd is deliberately left unset here so the command line decides it.)
# cwd: "/src"

