Sandbox the OUT_DIR environment variable Currently, OUT_DIR is inherited from the parent process, leading to scripts being able to find the output directory when the enviornment variable is set to an absolute path. When sandboxing a command, also rewrite the OUT_DIR environment variable to the sandboxed one, so that scripts can't find the real out dir. Bug: 307824623 Test: Presubmits Change-Id: I325071121a60bddc4105df680fbdfe3d11dc94e2

commit: 1ead86c1a5340458b744c38c3377f5f99bc3e0c7 [log] [tgz]
author: Cole Faust <colefaust@google.com> Fri Aug 23 14:41:51 2024 -0700
committer: Cole Faust <colefaust@google.com> Mon Aug 26 11:12:10 2024 -0700
tree: 671a31187eeca397c585350ee762a89973e7919a
parent: 079871cd55bb72337197c2782fa9fb64476b506a [diff] [blame]
diff --git a/android/rule_builder.go b/android/rule_builder.go
index 464aca4..95e2b92 100644
--- a/android/rule_builder.go
+++ b/android/rule_builder.go

@@ -580,6 +580,16 @@
 				})
 			}
 
+			// Set OUT_DIR to the relative path of the sandboxed out directory.
+			// Otherwise, OUT_DIR will be inherited from the rest of the build,
+			// which will allow scripts to escape the sandbox if OUT_DIR is an
+			// absolute path.
+			command.Env = append(command.Env, &sbox_proto.EnvironmentVariable{
+				Name: proto.String("OUT_DIR"),
+				State: &sbox_proto.EnvironmentVariable_Value{
+					Value: sboxOutSubDir,
+				},
+			})
 			command.Chdir = proto.Bool(true)
 		}
commit	1ead86c1a5340458b744c38c3377f5f99bc3e0c7	[log] [tgz]
author	Cole Faust <colefaust@google.com>	Fri Aug 23 14:41:51 2024 -0700
committer	Cole Faust <colefaust@google.com>	Mon Aug 26 11:12:10 2024 -0700
tree	671a31187eeca397c585350ee762a89973e7919a
parent	079871cd55bb72337197c2782fa9fb64476b506a [diff] [blame]