1name: "android-build-sandbox"
2description: "Sandboxed Android Platform Build."
3description: "No network access and limited access to local host resources."
4
5# All configuration options are described in
6# https://github.com/google/nsjail/blob/master/config.proto
7
8# Run once then exit
9mode: ONCE
10
11# No time limit
12time_limit: 0
13
14# Address-space (memory) limit. SOFT, here and for the rlimits below, keeps the invoking process's current soft limit
15rlimit_as_type: SOFT
16# Maximum size of core dump files
17rlimit_core_type: SOFT
18# Limits use of CPU time
19rlimit_cpu_type: SOFT
20# Maximum file size
21rlimit_fsize_type: SOFT
22# Maximum number of file descriptors opened
23rlimit_nofile_type: SOFT
24# Maximum stack size
25rlimit_stack_type: SOFT
26# Maximum number of threads
27rlimit_nproc_type: SOFT
28
29# Allow terminal control
30# This lets users cancel jobs with CTRL-C
31# without exiting the jail
32skip_setsid: true
33
34# Below are all the host paths that are mounted
35# into the sandbox
36
37# Mount proc as read/write.
38mount {
39  dst: "/proc"
40  fstype: "proc"
41  rw: true
42}
43
44# The user must mount the source to /src using --bindmount
45# It will be set as the initial working directory
46cwd: "/src"
47
48# The sandbox User ID was chosen arbitrarily
49uidmap {
50  inside_id: "999999"
51  outside_id: ""
52  count: 1
53}
54
55# The sandbox Group ID was chosen arbitrarily
56gidmap {
57  inside_id: "65534"
58  outside_id: ""
59  count: 1
60}
61
62# By default nsjail does not propagate the environment into the jail. We need
63# the path to be set up. There are a few ways to solve this problem, but to
64# avoid an undocumented dependency we are explicit about the path we inject.
65envar: "PATH=/usr/bin:/usr/sbin:/bin:/sbin"
66
67# Some tools in the build toolchain expect a $HOME to be set
68# Point $HOME to /tmp in case the toolchain needs to write something out there
69envar: "HOME=/tmp"
70mount {
71  dst: "/tmp"
72  fstype: "tmpfs"
73  rw: true
74  is_bind: false
75}
76
77# Map the working User ID to a username
78# Some tools like Java need a valid username
79mount {
80  src_content: "nobody:x:999999:65534:nobody:/tmp:/bin/bash"
81  dst: "/etc/passwd"
82  mandatory: false
83}
84
85# Define default group
86mount {
87  src_content: "nogroup::65534:nogroup"
88  dst: "/etc/group"
89  mandatory: false
90}
91
92# An empty mtab file is needed by some build scripts that check whether images are mounted
93mount {
94  src_content: "\n"
95  dst: "/etc/mtab"
96  mandatory: false
97}
98
99# Explicitly mount required device file nodes
100#
101# This enables a chroot-based NsJail sandbox. A chroot does not provide
102# device file nodes, so the required device file nodes are mounted directly
103# from the host.
104#
105# Note that this has no effect in a docker container, since in that case
106# NsJail simply mounts the container's device nodes. When we use NsJail
107# in a docker container we mount the full file system root, so the container's
108# device nodes are already present in the NsJail.
109
110# Some tools (like llvm-link) look for file descriptors in /dev/fd
111mount {
112  src: "/proc/self/fd"
113  dst: "/dev/fd"
114  is_symlink: true
115  mandatory: false
116}
117
118# /dev/null is very commonly used for silencing output
119mount {
120  src: "/dev/null"
121  dst: "/dev/null"
122  rw: true
123  is_bind: true
124}
125
126# /dev/urandom used during the creation of system.img
127mount {
128  src: "/dev/urandom"
129  dst: "/dev/urandom"
130  rw: true
131  is_bind: true
132}
133
134# /dev/random used by test scripts
135mount {
136  src: "/dev/random"
137  dst: "/dev/random"
138  rw: true
139  is_bind: true
140}
141
142# /dev/zero is required to make vendor-qemu.img
143mount {
144  src: "/dev/zero"
145  dst: "/dev/zero"
146  is_bind: true
147}
148