1*333d2b36SAndroid Build Coastguard Worker// Copyright 2017 Google Inc. All rights reserved. 2*333d2b36SAndroid Build Coastguard Worker// 3*333d2b36SAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License"); 4*333d2b36SAndroid Build Coastguard Worker// you may not use this file except in compliance with the License. 5*333d2b36SAndroid Build Coastguard Worker// You may obtain a copy of the License at 6*333d2b36SAndroid Build Coastguard Worker// 7*333d2b36SAndroid Build Coastguard Worker// http://www.apache.org/licenses/LICENSE-2.0 8*333d2b36SAndroid Build Coastguard Worker// 9*333d2b36SAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software 10*333d2b36SAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS, 11*333d2b36SAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*333d2b36SAndroid Build Coastguard Worker// See the License for the specific language governing permissions and 13*333d2b36SAndroid Build Coastguard Worker// limitations under the License. 14*333d2b36SAndroid Build Coastguard Worker 15*333d2b36SAndroid Build Coastguard Workerpackage build 16*333d2b36SAndroid Build Coastguard Worker 17*333d2b36SAndroid Build Coastguard Workerimport ( 18*333d2b36SAndroid Build Coastguard Worker "bytes" 19*333d2b36SAndroid Build Coastguard Worker "os" 20*333d2b36SAndroid Build Coastguard Worker "os/exec" 21*333d2b36SAndroid Build Coastguard Worker "os/user" 22*333d2b36SAndroid Build Coastguard Worker "path/filepath" 23*333d2b36SAndroid Build Coastguard Worker "strings" 24*333d2b36SAndroid Build Coastguard Worker "sync" 25*333d2b36SAndroid Build Coastguard Worker) 26*333d2b36SAndroid Build Coastguard Worker 27*333d2b36SAndroid Build Coastguard Workertype Sandbox struct { 28*333d2b36SAndroid Build Coastguard Worker Enabled bool 29*333d2b36SAndroid Build Coastguard Worker DisableWhenUsingGoma bool 30*333d2b36SAndroid Build Coastguard Worker 31*333d2b36SAndroid Build Coastguard Worker AllowBuildBrokenUsesNetwork bool 32*333d2b36SAndroid Build Coastguard Worker} 33*333d2b36SAndroid Build Coastguard Worker 34*333d2b36SAndroid Build Coastguard Workervar ( 35*333d2b36SAndroid Build Coastguard Worker noSandbox = Sandbox{} 36*333d2b36SAndroid Build Coastguard Worker basicSandbox = Sandbox{ 37*333d2b36SAndroid Build Coastguard Worker Enabled: true, 38*333d2b36SAndroid Build Coastguard Worker } 39*333d2b36SAndroid Build Coastguard Worker 40*333d2b36SAndroid Build Coastguard Worker dumpvarsSandbox = basicSandbox 41*333d2b36SAndroid Build Coastguard Worker katiSandbox = basicSandbox 42*333d2b36SAndroid Build Coastguard Worker soongSandbox = basicSandbox 43*333d2b36SAndroid Build Coastguard Worker ninjaSandbox = Sandbox{ 44*333d2b36SAndroid Build Coastguard Worker Enabled: true, 45*333d2b36SAndroid Build Coastguard Worker DisableWhenUsingGoma: true, 46*333d2b36SAndroid Build Coastguard Worker 47*333d2b36SAndroid Build Coastguard Worker AllowBuildBrokenUsesNetwork: true, 48*333d2b36SAndroid Build Coastguard Worker } 49*333d2b36SAndroid Build Coastguard Worker) 50*333d2b36SAndroid Build Coastguard Worker 51*333d2b36SAndroid Build Coastguard Workerconst ( 52*333d2b36SAndroid Build Coastguard Worker nsjailPath = "prebuilts/build-tools/linux-x86/bin/nsjail" 53*333d2b36SAndroid Build Coastguard Worker) 54*333d2b36SAndroid Build Coastguard Worker 55*333d2b36SAndroid Build Coastguard Workervar sandboxConfig struct { 56*333d2b36SAndroid Build Coastguard Worker once sync.Once 57*333d2b36SAndroid Build Coastguard Worker 58*333d2b36SAndroid Build Coastguard Worker working bool 59*333d2b36SAndroid Build Coastguard Worker group string 60*333d2b36SAndroid Build Coastguard Worker srcDir string 61*333d2b36SAndroid Build Coastguard Worker outDir string 62*333d2b36SAndroid Build Coastguard Worker distDir string 63*333d2b36SAndroid Build Coastguard Worker} 64*333d2b36SAndroid Build Coastguard Worker 65*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) sandboxSupported() bool { 66*333d2b36SAndroid Build Coastguard Worker if !c.Sandbox.Enabled { 67*333d2b36SAndroid Build Coastguard Worker return false 68*333d2b36SAndroid Build Coastguard Worker } 69*333d2b36SAndroid Build Coastguard Worker 70*333d2b36SAndroid Build Coastguard Worker // Goma is incompatible with PID namespaces and Mount namespaces. b/122767582 71*333d2b36SAndroid Build Coastguard Worker if c.Sandbox.DisableWhenUsingGoma && c.config.UseGoma() { 72*333d2b36SAndroid Build Coastguard Worker return false 73*333d2b36SAndroid Build Coastguard Worker } 74*333d2b36SAndroid Build Coastguard Worker 75*333d2b36SAndroid Build Coastguard Worker sandboxConfig.once.Do(func() { 76*333d2b36SAndroid Build Coastguard Worker sandboxConfig.group = "nogroup" 77*333d2b36SAndroid Build Coastguard Worker if _, err := user.LookupGroup(sandboxConfig.group); err != nil { 78*333d2b36SAndroid Build Coastguard Worker sandboxConfig.group = "nobody" 79*333d2b36SAndroid Build Coastguard Worker } 80*333d2b36SAndroid Build Coastguard Worker 81*333d2b36SAndroid Build Coastguard Worker // These directories will be bind mounted 82*333d2b36SAndroid Build Coastguard Worker // so we need full non-symlink paths 83*333d2b36SAndroid Build Coastguard Worker sandboxConfig.srcDir = absPath(c.ctx, ".") 84*333d2b36SAndroid Build Coastguard Worker if derefPath, err := filepath.EvalSymlinks(sandboxConfig.srcDir); err == nil { 85*333d2b36SAndroid Build Coastguard Worker sandboxConfig.srcDir = absPath(c.ctx, derefPath) 86*333d2b36SAndroid Build Coastguard Worker } 87*333d2b36SAndroid Build Coastguard Worker sandboxConfig.outDir = absPath(c.ctx, c.config.OutDir()) 88*333d2b36SAndroid Build Coastguard Worker if derefPath, err := filepath.EvalSymlinks(sandboxConfig.outDir); err == nil { 89*333d2b36SAndroid Build Coastguard Worker sandboxConfig.outDir = absPath(c.ctx, derefPath) 90*333d2b36SAndroid Build Coastguard Worker } 91*333d2b36SAndroid Build Coastguard Worker sandboxConfig.distDir = absPath(c.ctx, c.config.DistDir()) 92*333d2b36SAndroid Build Coastguard Worker if derefPath, err := filepath.EvalSymlinks(sandboxConfig.distDir); err == nil { 93*333d2b36SAndroid Build Coastguard Worker sandboxConfig.distDir = absPath(c.ctx, derefPath) 94*333d2b36SAndroid Build Coastguard Worker } 95*333d2b36SAndroid Build Coastguard Worker 96*333d2b36SAndroid Build Coastguard Worker sandboxArgs := []string{ 97*333d2b36SAndroid Build Coastguard Worker "-H", "android-build", 98*333d2b36SAndroid Build Coastguard Worker "-e", 99*333d2b36SAndroid Build Coastguard Worker "-u", "nobody", 100*333d2b36SAndroid Build Coastguard Worker "-g", sandboxConfig.group, 101*333d2b36SAndroid Build Coastguard Worker "-R", "/", 102*333d2b36SAndroid Build Coastguard Worker // Mount tmp before srcDir 103*333d2b36SAndroid Build Coastguard Worker // srcDir is /tmp/.* in integration tests, which is a child dir of /tmp 104*333d2b36SAndroid Build Coastguard Worker // nsjail throws an error if a child dir is mounted before its parent 105*333d2b36SAndroid Build Coastguard Worker "-B", "/tmp", 106*333d2b36SAndroid Build Coastguard Worker c.config.sandboxConfig.SrcDirMountFlag(), sandboxConfig.srcDir, 107*333d2b36SAndroid Build Coastguard Worker "-B", sandboxConfig.outDir, 108*333d2b36SAndroid Build Coastguard Worker } 109*333d2b36SAndroid Build Coastguard Worker 110*333d2b36SAndroid Build Coastguard Worker if _, err := os.Stat(sandboxConfig.distDir); !os.IsNotExist(err) { 111*333d2b36SAndroid Build Coastguard Worker //Mount dist dir as read-write if it already exists 112*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, "-B", 113*333d2b36SAndroid Build Coastguard Worker sandboxConfig.distDir) 114*333d2b36SAndroid Build Coastguard Worker } 115*333d2b36SAndroid Build Coastguard Worker 116*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, 117*333d2b36SAndroid Build Coastguard Worker "--disable_clone_newcgroup", 118*333d2b36SAndroid Build Coastguard Worker "--", 119*333d2b36SAndroid Build Coastguard Worker "/bin/bash", "-c", `if [ $(hostname) == "android-build" ]; then echo "Android" "Success"; else echo Failure; fi`) 120*333d2b36SAndroid Build Coastguard Worker 121*333d2b36SAndroid Build Coastguard Worker cmd := exec.CommandContext(c.ctx.Context, nsjailPath, sandboxArgs...) 122*333d2b36SAndroid Build Coastguard Worker 123*333d2b36SAndroid Build Coastguard Worker cmd.Env = c.config.Environment().Environ() 124*333d2b36SAndroid Build Coastguard Worker 125*333d2b36SAndroid Build Coastguard Worker c.ctx.Verboseln(cmd.Args) 126*333d2b36SAndroid Build Coastguard Worker data, err := cmd.CombinedOutput() 127*333d2b36SAndroid Build Coastguard Worker if err == nil && bytes.Contains(data, []byte("Android Success")) { 128*333d2b36SAndroid Build Coastguard Worker sandboxConfig.working = true 129*333d2b36SAndroid Build Coastguard Worker return 130*333d2b36SAndroid Build Coastguard Worker } 131*333d2b36SAndroid Build Coastguard Worker 132*333d2b36SAndroid Build Coastguard Worker c.ctx.Println("Build sandboxing disabled due to nsjail error.") 133*333d2b36SAndroid Build Coastguard Worker 134*333d2b36SAndroid Build Coastguard Worker for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") { 135*333d2b36SAndroid Build Coastguard Worker c.ctx.Verboseln(line) 136*333d2b36SAndroid Build Coastguard Worker } 137*333d2b36SAndroid Build Coastguard Worker 138*333d2b36SAndroid Build Coastguard Worker if err == nil { 139*333d2b36SAndroid Build Coastguard Worker c.ctx.Verboseln("nsjail exited successfully, but without the correct output") 140*333d2b36SAndroid Build Coastguard Worker } else if e, ok := err.(*exec.ExitError); ok { 141*333d2b36SAndroid Build Coastguard Worker c.ctx.Verbosef("nsjail failed with %v", e.ProcessState.String()) 142*333d2b36SAndroid Build Coastguard Worker } else { 143*333d2b36SAndroid Build Coastguard Worker c.ctx.Verbosef("nsjail failed with %v", err) 144*333d2b36SAndroid Build Coastguard Worker } 145*333d2b36SAndroid Build Coastguard Worker }) 146*333d2b36SAndroid Build Coastguard Worker 147*333d2b36SAndroid Build Coastguard Worker return sandboxConfig.working 148*333d2b36SAndroid Build Coastguard Worker} 149*333d2b36SAndroid Build Coastguard Worker 150*333d2b36SAndroid Build Coastguard Worker// Assumes input path is absolute, clean, and if applicable, an evaluated 151*333d2b36SAndroid Build Coastguard Worker// symlink. If path is not a subdirectory of src dir or relative path 152*333d2b36SAndroid Build Coastguard Worker// cannot be determined, return the input untouched. 153*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) relFromSrcDir(path string) string { 154*333d2b36SAndroid Build Coastguard Worker if !strings.HasPrefix(path, sandboxConfig.srcDir) { 155*333d2b36SAndroid Build Coastguard Worker return path 156*333d2b36SAndroid Build Coastguard Worker } 157*333d2b36SAndroid Build Coastguard Worker 158*333d2b36SAndroid Build Coastguard Worker rel, err := filepath.Rel(sandboxConfig.srcDir, path) 159*333d2b36SAndroid Build Coastguard Worker if err != nil { 160*333d2b36SAndroid Build Coastguard Worker return path 161*333d2b36SAndroid Build Coastguard Worker } 162*333d2b36SAndroid Build Coastguard Worker 163*333d2b36SAndroid Build Coastguard Worker return rel 164*333d2b36SAndroid Build Coastguard Worker} 165*333d2b36SAndroid Build Coastguard Worker 166*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) dirArg(path string) string { 167*333d2b36SAndroid Build Coastguard Worker if !c.config.UseABFS() { 168*333d2b36SAndroid Build Coastguard Worker return path 169*333d2b36SAndroid Build Coastguard Worker } 170*333d2b36SAndroid Build Coastguard Worker 171*333d2b36SAndroid Build Coastguard Worker rel := c.relFromSrcDir(path) 172*333d2b36SAndroid Build Coastguard Worker 173*333d2b36SAndroid Build Coastguard Worker return path + ":" + filepath.Join(abfsSrcDir, rel) 174*333d2b36SAndroid Build Coastguard Worker} 175*333d2b36SAndroid Build Coastguard Worker 176*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) srcDirArg() string { 177*333d2b36SAndroid Build Coastguard Worker return c.dirArg(sandboxConfig.srcDir) 178*333d2b36SAndroid Build Coastguard Worker} 179*333d2b36SAndroid Build Coastguard Worker 180*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) outDirArg() string { 181*333d2b36SAndroid Build Coastguard Worker return c.dirArg(sandboxConfig.outDir) 182*333d2b36SAndroid Build Coastguard Worker} 183*333d2b36SAndroid Build Coastguard Worker 184*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) distDirArg() string { 185*333d2b36SAndroid Build Coastguard Worker return c.dirArg(sandboxConfig.distDir) 186*333d2b36SAndroid Build Coastguard Worker} 187*333d2b36SAndroid Build Coastguard Worker 188*333d2b36SAndroid Build Coastguard Worker// When configured to use ABFS, we need to allow the creation of the /src 189*333d2b36SAndroid Build Coastguard Worker// directory. Therefore, we cannot mount the root "/" directory as read-only. 190*333d2b36SAndroid Build Coastguard Worker// Instead, we individually mount the children of "/" as RO. 191*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) readMountArgs() []string { 192*333d2b36SAndroid Build Coastguard Worker if !c.config.UseABFS() { 193*333d2b36SAndroid Build Coastguard Worker // For now, just map everything. Make most things readonly. 194*333d2b36SAndroid Build Coastguard Worker return []string{"-R", "/"} 195*333d2b36SAndroid Build Coastguard Worker } 196*333d2b36SAndroid Build Coastguard Worker 197*333d2b36SAndroid Build Coastguard Worker entries, err := os.ReadDir("/") 198*333d2b36SAndroid Build Coastguard Worker if err != nil { 199*333d2b36SAndroid Build Coastguard Worker // If we can't read "/", just use the default non-ABFS behavior. 200*333d2b36SAndroid Build Coastguard Worker return []string{"-R", "/"} 201*333d2b36SAndroid Build Coastguard Worker } 202*333d2b36SAndroid Build Coastguard Worker 203*333d2b36SAndroid Build Coastguard Worker args := make([]string, 0, 2*len(entries)) 204*333d2b36SAndroid Build Coastguard Worker for _, ent := range entries { 205*333d2b36SAndroid Build Coastguard Worker args = append(args, "-R", "/"+ent.Name()) 206*333d2b36SAndroid Build Coastguard Worker } 207*333d2b36SAndroid Build Coastguard Worker 208*333d2b36SAndroid Build Coastguard Worker return args 209*333d2b36SAndroid Build Coastguard Worker} 210*333d2b36SAndroid Build Coastguard Worker 211*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) workDir() string { 212*333d2b36SAndroid Build Coastguard Worker if !c.config.UseABFS() { 213*333d2b36SAndroid Build Coastguard Worker wd, _ := os.Getwd() 214*333d2b36SAndroid Build Coastguard Worker return wd 215*333d2b36SAndroid Build Coastguard Worker } 216*333d2b36SAndroid Build Coastguard Worker 217*333d2b36SAndroid Build Coastguard Worker return abfsSrcDir 218*333d2b36SAndroid Build Coastguard Worker} 219*333d2b36SAndroid Build Coastguard Worker 220*333d2b36SAndroid Build Coastguard Workerfunc (c *Cmd) wrapSandbox() { 221*333d2b36SAndroid Build Coastguard Worker wd := c.workDir() 222*333d2b36SAndroid Build Coastguard Worker 223*333d2b36SAndroid Build Coastguard Worker var sandboxArgs []string 224*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, 225*333d2b36SAndroid Build Coastguard Worker // The executable to run 226*333d2b36SAndroid Build Coastguard Worker "-x", c.Path, 227*333d2b36SAndroid Build Coastguard Worker 228*333d2b36SAndroid Build Coastguard Worker // Set the hostname to something consistent 229*333d2b36SAndroid Build Coastguard Worker "-H", "android-build", 230*333d2b36SAndroid Build Coastguard Worker 231*333d2b36SAndroid Build Coastguard Worker // Use the current working dir 232*333d2b36SAndroid Build Coastguard Worker "--cwd", wd, 233*333d2b36SAndroid Build Coastguard Worker 234*333d2b36SAndroid Build Coastguard Worker // No time limit 235*333d2b36SAndroid Build Coastguard Worker "-t", "0", 236*333d2b36SAndroid Build Coastguard Worker 237*333d2b36SAndroid Build Coastguard Worker // Keep all environment variables, we already filter them out 238*333d2b36SAndroid Build Coastguard Worker // in soong_ui 239*333d2b36SAndroid Build Coastguard Worker "-e", 240*333d2b36SAndroid Build Coastguard Worker 241*333d2b36SAndroid Build Coastguard Worker // Mount /proc read-write, necessary to run a nested nsjail or minijail0 242*333d2b36SAndroid Build Coastguard Worker "--proc_rw", 243*333d2b36SAndroid Build Coastguard Worker 244*333d2b36SAndroid Build Coastguard Worker // Use a consistent user & group. 245*333d2b36SAndroid Build Coastguard Worker // Note that these are mapped back to the real UID/GID when 246*333d2b36SAndroid Build Coastguard Worker // doing filesystem operations, so they're rather arbitrary. 247*333d2b36SAndroid Build Coastguard Worker "-u", "nobody", 248*333d2b36SAndroid Build Coastguard Worker "-g", sandboxConfig.group, 249*333d2b36SAndroid Build Coastguard Worker 250*333d2b36SAndroid Build Coastguard Worker // Set high values, as nsjail uses low defaults. 251*333d2b36SAndroid Build Coastguard Worker "--rlimit_as", "soft", 252*333d2b36SAndroid Build Coastguard Worker "--rlimit_core", "soft", 253*333d2b36SAndroid Build Coastguard Worker "--rlimit_cpu", "soft", 254*333d2b36SAndroid Build Coastguard Worker "--rlimit_fsize", "soft", 255*333d2b36SAndroid Build Coastguard Worker "--rlimit_nofile", "soft", 256*333d2b36SAndroid Build Coastguard Worker ) 257*333d2b36SAndroid Build Coastguard Worker 258*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, 259*333d2b36SAndroid Build Coastguard Worker c.readMountArgs()..., 260*333d2b36SAndroid Build Coastguard Worker ) 261*333d2b36SAndroid Build Coastguard Worker 262*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, 263*333d2b36SAndroid Build Coastguard Worker // Mount a writable tmp dir 264*333d2b36SAndroid Build Coastguard Worker "-B", "/tmp", 265*333d2b36SAndroid Build Coastguard Worker 266*333d2b36SAndroid Build Coastguard Worker // Mount source 267*333d2b36SAndroid Build Coastguard Worker c.config.sandboxConfig.SrcDirMountFlag(), c.srcDirArg(), 268*333d2b36SAndroid Build Coastguard Worker 269*333d2b36SAndroid Build Coastguard Worker //Mount out dir as read-write 270*333d2b36SAndroid Build Coastguard Worker "-B", c.outDirArg(), 271*333d2b36SAndroid Build Coastguard Worker 272*333d2b36SAndroid Build Coastguard Worker // Disable newcgroup for now, since it may require newer kernels 273*333d2b36SAndroid Build Coastguard Worker // TODO: try out cgroups 274*333d2b36SAndroid Build Coastguard Worker "--disable_clone_newcgroup", 275*333d2b36SAndroid Build Coastguard Worker 276*333d2b36SAndroid Build Coastguard Worker // Only log important warnings / errors 277*333d2b36SAndroid Build Coastguard Worker "-q", 278*333d2b36SAndroid Build Coastguard Worker ) 279*333d2b36SAndroid Build Coastguard Worker if c.config.UseABFS() { 280*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, "-B", "{ABFS_DIR}") 281*333d2b36SAndroid Build Coastguard Worker } 282*333d2b36SAndroid Build Coastguard Worker 283*333d2b36SAndroid Build Coastguard Worker // Mount srcDir RW allowlists as Read-Write 284*333d2b36SAndroid Build Coastguard Worker if len(c.config.sandboxConfig.SrcDirRWAllowlist()) > 0 && !c.config.sandboxConfig.SrcDirIsRO() { 285*333d2b36SAndroid Build Coastguard Worker errMsg := `Product source tree has been set as ReadWrite, RW allowlist not necessary. 286*333d2b36SAndroid Build Coastguard Worker To recover, either 287*333d2b36SAndroid Build Coastguard Worker 1. Unset BUILD_BROKEN_SRC_DIR_IS_WRITABLE #or 288*333d2b36SAndroid Build Coastguard Worker 2. Unset BUILD_BROKEN_SRC_DIR_RW_ALLOWLIST` 289*333d2b36SAndroid Build Coastguard Worker c.ctx.Fatalln(errMsg) 290*333d2b36SAndroid Build Coastguard Worker } 291*333d2b36SAndroid Build Coastguard Worker for _, srcDirChild := range c.config.sandboxConfig.SrcDirRWAllowlist() { 292*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, "-B", srcDirChild) 293*333d2b36SAndroid Build Coastguard Worker } 294*333d2b36SAndroid Build Coastguard Worker 295*333d2b36SAndroid Build Coastguard Worker if _, err := os.Stat(sandboxConfig.distDir); !os.IsNotExist(err) { 296*333d2b36SAndroid Build Coastguard Worker //Mount dist dir as read-write if it already exists 297*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, "-B", c.distDirArg()) 298*333d2b36SAndroid Build Coastguard Worker } 299*333d2b36SAndroid Build Coastguard Worker 300*333d2b36SAndroid Build Coastguard Worker if c.Sandbox.AllowBuildBrokenUsesNetwork && c.config.BuildBrokenUsesNetwork() { 301*333d2b36SAndroid Build Coastguard Worker c.ctx.Printf("AllowBuildBrokenUsesNetwork: %v", c.Sandbox.AllowBuildBrokenUsesNetwork) 302*333d2b36SAndroid Build Coastguard Worker c.ctx.Printf("BuildBrokenUsesNetwork: %v", c.config.BuildBrokenUsesNetwork()) 303*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, "-N") 304*333d2b36SAndroid Build Coastguard Worker } else if dlv, _ := c.config.Environment().Get("SOONG_DELVE"); dlv != "" { 305*333d2b36SAndroid Build Coastguard Worker // The debugger is enabled and soong_build will pause until a remote delve process connects, allow 306*333d2b36SAndroid Build Coastguard Worker // network connections. 307*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, "-N") 308*333d2b36SAndroid Build Coastguard Worker } 309*333d2b36SAndroid Build Coastguard Worker 310*333d2b36SAndroid Build Coastguard Worker // Stop nsjail from parsing arguments 311*333d2b36SAndroid Build Coastguard Worker sandboxArgs = append(sandboxArgs, "--") 312*333d2b36SAndroid Build Coastguard Worker 313*333d2b36SAndroid Build Coastguard Worker c.Args = append(sandboxArgs, c.Args[1:]...) 314*333d2b36SAndroid Build Coastguard Worker c.Path = nsjailPath 315*333d2b36SAndroid Build Coastguard Worker 316*333d2b36SAndroid Build Coastguard Worker env := Environment(c.Env) 317*333d2b36SAndroid Build Coastguard Worker if _, hasUser := env.Get("USER"); hasUser { 318*333d2b36SAndroid Build Coastguard Worker env.Set("USER", "nobody") 319*333d2b36SAndroid Build Coastguard Worker } 320*333d2b36SAndroid Build Coastguard Worker c.Env = []string(env) 321*333d2b36SAndroid Build Coastguard Worker} 322