From 2f7fc0ff65b73cf2a6bfc1878aae75a7f5bae870 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov <dvyukov@google.com>
Date: Thu, 16 Nov 2017 13:16:30 +0100
Subject: pkg/kernel: sandbox make invocation

---
 pkg/kernel/kernel.go | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

(limited to 'pkg/kernel/kernel.go')

diff --git a/pkg/kernel/kernel.go b/pkg/kernel/kernel.go
index 2ec573540..2c35bcc40 100644
--- a/pkg/kernel/kernel.go
+++ b/pkg/kernel/kernel.go
@@ -25,21 +25,30 @@ import (
 )
 
 func Build(dir, compiler, config string) error {
-	if err := osutil.CopyFile(config, filepath.Join(dir, ".config")); err != nil {
+	configFile := filepath.Join(dir, ".config")
+	if err := osutil.CopyFile(config, configFile); err != nil {
 		return fmt.Errorf("failed to write config file: %v", err)
 	}
-	return build(dir, compiler)
-}
-
-func build(dir, compiler string) error {
-	const timeout = 10 * time.Minute // default timeout for command invocations
-	if _, err := osutil.RunCmd(timeout, dir, "make", "olddefconfig"); err != nil {
+	if err := osutil.SandboxChown(configFile); err != nil {
+		return err
+	}
+	cmd := osutil.Command("make", "olddefconfig")
+	if err := osutil.Sandbox(cmd, true, true); err != nil {
+		return err
+	}
+	cmd.Dir = dir
+	if _, err := osutil.Run(10*time.Minute, cmd); err != nil {
 		return err
 	}
 	// We build only bzImage as we currently don't use modules.
-	// Build of a large kernel can take a while on a 1 CPU VM.
 	cpu := strconv.Itoa(runtime.NumCPU())
-	if _, err := osutil.RunCmd(3*time.Hour, dir, "make", "bzImage", "-j", cpu, "CC="+compiler); err != nil {
+	cmd = osutil.Command("make", "bzImage", "-j", cpu, "CC="+compiler)
+	if err := osutil.Sandbox(cmd, true, true); err != nil {
+		return err
+	}
+	cmd.Dir = dir
+	// Build of a large kernel can take a while on a 1 CPU VM.
+	if _, err := osutil.Run(3*time.Hour, cmd); err != nil {
 		return err
 	}
 	return nil
-- 
cgit mrf-deployment