From 4ea67ff893eedeac16a8406659783dcfa6bf8186 Mon Sep 17 00:00:00 2001 From: Marco Vanotti Date: Tue, 20 Aug 2019 17:08:41 -0700 Subject: pkg/build: use sandbox to build fuchsia. We have noticed that the build process was being invoked as root. This change modifies the calls to use osutil.Sandbox before invoking cmds to build fuchsia. This is required for the process to use goma, as goma is running under the syzkaller user. --- pkg/build/fuchsia.go | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'pkg') diff --git a/pkg/build/fuchsia.go b/pkg/build/fuchsia.go index 90cc4ed62..a1bff9127 100644 --- a/pkg/build/fuchsia.go +++ b/pkg/build/fuchsia.go @@ -14,6 +14,15 @@ import ( type fuchsia struct{} +func runSandboxed(timeout time.Duration, dir, command string, arg ...string) ([]byte, error) { + cmd := osutil.Command(command, arg...) + cmd.Dir = dir + if err := osutil.Sandbox(cmd, true, false); err != nil { + return nil, err + } + return osutil.Run(timeout, cmd) +} + func (fu fuchsia) build(targetArch, vmType, kernelDir, outputDir, compiler, userspaceDir, cmdlineFile, sysctlFile string, config []byte) error { sysTarget := targets.Get("fuchsia", targetArch) @@ -22,11 +31,11 @@ func (fu fuchsia) build(targetArch, vmType, kernelDir, outputDir, compiler, user } arch := sysTarget.KernelHeaderArch product := fmt.Sprintf("%s.%s", "core", arch) - if _, err := osutil.RunCmd(time.Hour, kernelDir, "scripts/fx", "--dir", "out/"+arch, + if _, err := runSandboxed(time.Hour, kernelDir, "scripts/fx", "--dir", "out/"+arch, "set", product, "--with-base", "//bundles:tools"); err != nil { return err } - if _, err := osutil.RunCmd(time.Hour*2, kernelDir, "scripts/fx", "clean-build"); err != nil { + if _, err := runSandboxed(time.Hour*2, kernelDir, "scripts/fx", "clean-build"); err != nil { return err } 
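Review bot: In the new runSandboxed helper, `osutil.Sandbox(cmd, true, false)` passes two bare booleans, so the privilege decision is unreadable at the call site. Assuming the parameters are `user` and `net` (the osutil definition is not part of this diff), a comment such as `// user=true: run as the unprivileged sandbox user; net=false: keep network access, presumably so the build can reach goma` would record what is dropped and what is deliberately kept. The helper also lacks a doc comment; `// runSandboxed runs command in dir through osutil.Sandbox so the Fuchsia build does not execute as root.` would cover it.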
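Review bot: `fx set` and `fx clean-build` now run under the sandbox user, but nothing in this hunk makes sure that user can write to kernelDir and its `out/` tree. The commit message says earlier builds ran as root, so a builder that still holds root-owned output from those runs would presumably fail here with permission errors. The same holds for the `zbi` call in the last hunk, which writes fuchsia-ssh.zbi. I would state the requirement above the first call, `// kernelDir and its out/ tree must be writable by the sandbox user; output left by earlier root builds needs a chown first.`, or fix ownership once during deployment. The body of build starts and ends outside the hunk.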
@@ -34,7 +43,7 @@ func (fu fuchsia) build(targetArch, vmType, kernelDir, outputDir, compiler, user
 sshZBI := filepath.Join(kernelDir, "out", arch, "fuchsia-ssh.zbi")
 kernelZBI := filepath.Join(kernelDir, "out", arch, "fuchsia.zbi")
 authorizedKeys := fmt.Sprintf("data/ssh/authorized_keys=%s", filepath.Join(kernelDir, ".ssh", "authorized_keys"))
- if _, err := osutil.RunCmd(time.Minute, kernelDir, "out/"+arch+".zircon/tools/zbi",
+ if _, err := runSandboxed(time.Minute, kernelDir, "out/"+arch+".zircon/tools/zbi",
 "-o", sshZBI, kernelZBI, "--entry", authorizedKeys); err != nil {
 return err
 }
-- cgit mrf-deployment