name: "android-build-sandbox" description: "Sandboxed Android Platform Build." description: "No network access and a limited access to local host resources." # All configuration options are described in # https://github.com/google/nsjail/blob/master/config.proto # Run once then exit mode: ONCE # No time limit time_limit: 0 # Limits memory usage rlimit_as_type: SOFT # Maximum size of core dump files rlimit_core_type: SOFT # Limits use of CPU time rlimit_cpu_type: SOFT # Maximum file size rlimit_fsize_type: SOFT # Maximum number of file descriptors opened rlimit_nofile_type: SOFT # Maximum stack size rlimit_stack_type: SOFT # Maximum number of threads rlimit_nproc_type: SOFT # Allow terminal control # This let's users cancel jobs with CTRL-C # without exiting the jail skip_setsid: true # Below are all the host paths that shall be mounted # to the sandbox # Mount proc as read/write. mount { dst: "/proc" fstype: "proc" rw: true } # The user must mount the source to /src using --bindmount # It will be set as the initial working directory cwd: "/src" # The sandbox User ID was chosen arbitrarily uidmap { inside_id: "999999" outside_id: "" count: 1 } # The sandbox Group ID was chosen arbitrarily gidmap { inside_id: "65534" outside_id: "" count: 1 } # By default nsjail does not propagate the environment into the jail. We need # the path to be set up. There are a few ways to solve this problem, but to # avoid an undocumented dependency we are explict about the path we inject. envar: "PATH=/usr/bin:/usr/sbin:/bin:/sbin" # Some tools in the build toolchain expect a $HOME to be set # Point $HOME to /tmp in case the toolchain needs to write something out there envar: "HOME=/tmp" mount { dst: "/tmp" fstype: "tmpfs" rw: true is_bind: false } # Map the working User ID to a username # Some tools like Java need a valid username mount { src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash" dst: "/etc/passwd" mandatory: false } # Define default group mount { src_content: "nogroup::65534:nogroup" dst: "/etc/group" mandatory: false } # Empty mtab file needed for some build scripts that check for images being mounted mount { src_content: "\n" dst: "/etc/mtab" mandatory: false } # Explicitly mount required device file nodes # # This will enable a chroot based NsJail sandbox. A chroot does not provide # device file nodes. So just mount the required device file nodes directly # from the host. # # Note that this has no effect in a docker container, since in that case # NsJail will just mount the container device nodes. When we use NsJail # in a docker container we mount the full file system root. So the container # device nodes were already mounted in the NsJail. # Some tools (like llvm-link) look for file descriptors in /dev/fd mount { src: "/proc/self/fd" dst: "/dev/fd" is_symlink: true mandatory: false } # /dev/null is a very commonly used for silencing output mount { src: "/dev/null" dst: "/dev/null" rw: true is_bind: true } # /dev/urandom used during the creation of system.img mount { src: "/dev/urandom" dst: "/dev/urandom" rw: true is_bind: true } # /dev/random used by test scripts mount { src: "/dev/random" dst: "/dev/random" rw: true is_bind: true } # /dev/zero is required to make vendor-qemu.img mount { src: "/dev/zero" dst: "/dev/zero" is_bind: true }