| author | Marco Vanotti <mvanotti@google.com> | 2019-08-20 17:08:41 -0700 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2019-08-20 18:47:02 -0700 |
| commit | 4ea67ff893eedeac16a8406659783dcfa6bf8186 (patch) | |
| tree | 7bbeb4e71704270038d9f96aefa390cc5ad08dec /pkg | |
| parent | 6b8391d069ed24abb321ad3e7564292a6d42a997 (diff) | |
pkg/build: use sandbox to build fuchsia.
We have noticed that the build process was being invoked as root. This
change modifies the calls to use osutil.Sandbox before invoking cmds to
build fuchsia.
This is required for the process to use goma, as goma is running under
the syzkaller user.
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/build/fuchsia.go | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/pkg/build/fuchsia.go b/pkg/build/fuchsia.go
index 90cc4ed62..a1bff9127 100644
--- a/pkg/build/fuchsia.go
+++ b/pkg/build/fuchsia.go
@@ -14,6 +14,15 @@ import (
 type fuchsia struct{}
+func runSandboxed(timeout time.Duration, dir, command string, arg ...string) ([]byte, error) {
+ cmd := osutil.Command(command, arg...)
+ cmd.Dir = dir
+ if err := osutil.Sandbox(cmd, true, false); err != nil {
+ return nil, err
+ }
+ return osutil.Run(timeout, cmd)
+}
+
 func (fu fuchsia) build(targetArch, vmType, kernelDir, outputDir, compiler, userspaceDir, cmdlineFile, sysctlFile string, config []byte) error {
 sysTarget := targets.Get("fuchsia", targetArch)
@@ -22,11 +31,11 @@ func (fu fuchsia) build(targetArch, vmType, kernelDir, outputDir, compiler, user
 }
 arch := sysTarget.KernelHeaderArch
 product := fmt.Sprintf("%s.%s", "core", arch)
- if _, err := osutil.RunCmd(time.Hour, kernelDir, "scripts/fx", "--dir", "out/"+arch,
+ if _, err := runSandboxed(time.Hour, kernelDir, "scripts/fx", "--dir", "out/"+arch,
 "set", product, "--with-base", "//bundles:tools"); err != nil {
 return err
 }
- if _, err := osutil.RunCmd(time.Hour*2, kernelDir, "scripts/fx", "clean-build"); err != nil {
+ if _, err := runSandboxed(time.Hour*2, kernelDir, "scripts/fx", "clean-build"); err != nil {
 return err
 }
@@ -34,7 +43,7 @@ func (fu fuchsia) build(targetArch, vmType, kernelDir, outputDir, compiler, user
 sshZBI := filepath.Join(kernelDir, "out", arch, "fuchsia-ssh.zbi")
 kernelZBI := filepath.Join(kernelDir, "out", arch, "fuchsia.zbi")
 authorizedKeys := fmt.Sprintf("data/ssh/authorized_keys=%s", filepath.Join(kernelDir, ".ssh", "authorized_keys"))
- if _, err := osutil.RunCmd(time.Minute, kernelDir, "out/"+arch+".zircon/tools/zbi",
+ if _, err := runSandboxed(time.Minute, kernelDir, "out/"+arch+".zircon/tools/zbi",
 "-o", sshZBI, kernelZBI, "--entry", authorizedKeys); err != nil {
 return err
 } |
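Review bot: `runSandboxed` is added without a doc comment, and the bare `true, false` in `osutil.Sandbox(cmd, true, false)` does not tell a reader which restriction each flag turns on. Going by the commit message, the intent is to stop running the fuchsia build as root while (presumably) leaving network access available for goma; state that above the function, e.g. `// runSandboxed runs command in dir under osutil.Sandbox so the fuchsia build does not execute as root.`, and label the flags at the call site, e.g. `osutil.Sandbox(cmd, true /* user */, false /* net */)` (parameter names to be confirmed against osutil). Sandbox's body is not visible in this hunk: if it can return nil without changing credentials on hosts where sandboxing is unavailable, these commands would keep running as root with no signal, so that fallback deserves a line in the comment as well.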
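Review bot: The three call sites switched to `runSandboxed` here and in the following hunk (`fx set`, `fx clean-build`, and the `zbi` step) now need `kernelDir` to be usable by the sandbox user, but nothing in the change checks or documents that. Trees left behind by earlier root-run builds (`out/`+arch, `.ssh/authorized_keys`) are presumably root-owned, so the first sandboxed build may fail with permission errors that are hard to attribute; a comment on build() such as `// kernelDir must be readable and writable by the sandbox user; the build no longer runs as root.` would make the requirement explicit. The remainder of build() lies outside these hunks; if later steps still run with the original privileges and copy artifacts out of this tree, they are reading from a directory the unprivileged user controls and should treat its contents accordingly.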
