commit f7cd03e1788a1102e50682de1dab2367a2eb192d
author Inseob Kim <inseob@google.com> Fri Sep 06 17:25:00 2024 +0900
committer Inseob Kim <inseob@google.com> Fri Sep 27 00:15:15 2024 +0000
tree 8c39cfb88dd297cf66326374323833ace858d8ca
parent fc79aabd8451270a39b1553785e325b06cfbf0b3

Add nsjail support to genrule

By setting `use_nsjail: true`, nsjail will be used instead of soong
sbox. The usage of nsjail must be highly restricted for now.

Bug: 364178791
Test: m lk.bin
Change-Id: Iffd1404093a1165b4384fdec58525fe16f7ed7af

genrule/Android.bp

diff --git a/genrule/Android.bp b/genrule/Android.bp
index f4197e6..49df480 100644
--- a/genrule/Android.bp
+++ b/genrule/Android.bp
@@ -25,3 +25,53 @@
     // Used by plugins
     visibility: ["//visibility:public"],
 }
+
+genrule {
+    name: "nsjail_genrule_test_input",
+    cmd: "echo nsjail_genrule_test_input > $(out)",
+    out: ["nsjail_genrule_test_input.txt"],
+}
+
+// Pseudo-test that's run on checkbuilds to verify consistent directory
+// structure for genrules using sbox or nsjail.
+genrule_defaults {
+    name: "nsjail_genrule_test_gen_defaults",
+    // verify both relative paths and its contents
+    cmd: "(echo $(out) $(genDir) && sha256sum " +
+        "$(location get_clang_version) " +
+        "$(location py3-cmd) " +
+        "$(location genrule.go) " +
+        "$(location :nsjail_genrule_test_input) " +
+        "$(locations *.go)) | sed 's@\\./@@g' > $(out)",
+    tools: [
+        "get_clang_version", // random tool
+        "py3-cmd", // random prebuilt tool
+    ],
+    tool_files: ["genrule.go"], // random local file
+    srcs: [
+        ":nsjail_genrule_test_input", // random OutputFileProducer
+        "*.go", // random glob
+    ],
+    out: ["nsjail_genrule_test.txt"],
+}
+
+genrule {
+    name: "nsjail_genrule_test_gen_without_nsjail",
+    defaults: ["nsjail_genrule_test_gen_defaults"],
+}
+
+genrule {
+    name: "nsjail_genrule_test_gen_with_nsjail",
+    defaults: ["nsjail_genrule_test_gen_defaults"],
+    use_nsjail: true,
+}
+
+genrule {
+    name: "nsjail_genrule_test",
+    srcs: [
+        ":nsjail_genrule_test_gen_without_nsjail",
+        ":nsjail_genrule_test_gen_with_nsjail",
+    ],
+    cmd: "diff $(in) > $(out)",
+    out: ["nsjail_genrule_test"],
+}

genrule/genrule.go

diff --git a/genrule/genrule.go b/genrule/genrule.go
index a48038b..0aecc45 100644
--- a/genrule/genrule.go
+++ b/genrule/genrule.go
@@ -21,6 +21,7 @@
 import (
 	"fmt"
 	"io"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -210,6 +211,9 @@
 	// For gensrsc sharding.
 	shard  int
 	shards int
+
+	// For nsjail tasks
+	useNsjail bool
 }
 
 func (g *Module) GeneratedSourceFiles() android.Paths {
@@ -454,21 +458,26 @@
 
 		// Pick a unique path outside the task.genDir for the sbox manifest textproto,
 		// a unique rule name, and the user-visible description.
-		manifestName := "genrule.sbox.textproto"
+		var rule *android.RuleBuilder
 		desc := "generate"
 		name := "generator"
-		if task.shards > 0 {
-			manifestName = "genrule_" + strconv.Itoa(task.shard) + ".sbox.textproto"
-			desc += " " + strconv.Itoa(task.shard)
-			name += strconv.Itoa(task.shard)
-		} else if len(task.out) == 1 {
-			desc += " " + task.out[0].Base()
+		if task.useNsjail {
+			rule = android.NewRuleBuilder(pctx, ctx).Nsjail(task.genDir, android.PathForModuleOut(ctx, "nsjail_build_sandbox"))
+		} else {
+			manifestName := "genrule.sbox.textproto"
+			if task.shards > 0 {
+				manifestName = "genrule_" + strconv.Itoa(task.shard) + ".sbox.textproto"
+				desc += " " + strconv.Itoa(task.shard)
+				name += strconv.Itoa(task.shard)
+			} else if len(task.out) == 1 {
+				desc += " " + task.out[0].Base()
+			}
+
+			manifestPath := android.PathForModuleOut(ctx, manifestName)
+
+			// Use a RuleBuilder to create a rule that runs the command inside an sbox sandbox.
+			rule = getSandboxedRuleBuilder(ctx, android.NewRuleBuilder(pctx, ctx).Sbox(task.genDir, manifestPath))
 		}
-
-		manifestPath := android.PathForModuleOut(ctx, manifestName)
-
-		// Use a RuleBuilder to create a rule that runs the command inside an sbox sandbox.
-		rule := getSandboxedRuleBuilder(ctx, android.NewRuleBuilder(pctx, ctx).Sbox(task.genDir, manifestPath))
 		if Bool(g.properties.Write_if_changed) {
 			rule.Restat()
 		}
@@ -569,6 +578,15 @@
 			cmd.OrderOnly(ctx.Config().BuildNumberFile(ctx))
 		}
 
+		if task.useNsjail {
+			for _, input := range task.in {
+				// can fail if input is a file.
+				if paths, err := ctx.GlobWithDeps(filepath.Join(input.String(), "**/*"), nil); err == nil {
+					rule.NsjailImplicits(android.PathsForSource(ctx, paths))
+				}
+			}
+		}
+
 		// Create the rule to run the genrule command inside sbox.
 		rule.Build(name, desc)
 
@@ -832,15 +850,18 @@
 	properties := &genRuleProperties{}
 
 	taskGenerator := func(ctx android.ModuleContext, rawCommand string, srcFiles android.Paths) []generateTask {
+		useNsjail := Bool(properties.Use_nsjail)
+
 		outs := make(android.WritablePaths, len(properties.Out))
 		for i, out := range properties.Out {
 			outs[i] = android.PathForModuleGen(ctx, out)
 		}
 		return []generateTask{{
-			in:     srcFiles,
-			out:    outs,
-			genDir: android.PathForModuleGen(ctx),
-			cmd:    rawCommand,
+			in:        srcFiles,
+			out:       outs,
+			genDir:    android.PathForModuleGen(ctx),
+			cmd:       rawCommand,
+			useNsjail: useNsjail,
 		}}
 	}
 
@@ -855,6 +876,8 @@
 }
 
 type genRuleProperties struct {
+	Use_nsjail *bool
+
 	// names of the output files that will be generated
 	Out []string `android:"arch_variant"`
 }