| commit | 5730016d562bec017967e22849c4692483cf6e46 | |
|---|---|---|
| author | Oliver Newman <olivernewman@google.com> | Fri Apr 14 15:12:08 2023 +0000 |
| committer | CQ Bot <fuchsia-internal-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri Apr 14 15:12:08 2023 +0000 |
| tree | c2a5a8a212e81ebaafb0c2435f088184c582bdcc | |
| parent | a05620dad6e547abc6cf115b85e6b9d60edbfad9 | |
[nsjail] Wrapped exec'd commands with nsjail

`go generate ./internal/nsjail` downloads nsjail binaries from CIPD to be checked into git and embedded in shac, then shac writes a new nsjail binary to disk to use every time it runs a subprocess.

Checking in the nsjail binaries also required adding handling to shac to make sure it doesn't choke trying to process binary files as text.

The nsjail wrapper code in runtime_ctx_os.go is pretty ugly, I'll clean it up later.

I added one simple test to make sure that arbitrary files aren't visible when running inside the sandbox, we should add more fully-featured tests though.

Change-Id: I86e032ca4c1ef135db5b3e1cb898017236ed5e83
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/831980
Commit-Queue: Oliver Newman <olivernewman@google.com>
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
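The pattern the commit describes (materialize an embedded nsjail binary, exec every subprocess through it, and test that files outside the checkout are invisible) as an added Go example. This is illustrative code written for this page, not shac's `internal/nsjail` or `runtime_ctx_os.go`. It assumes: the nsjail bytes are handed in as a `[]byte` (the real project gets them from `go:embed`; here `main` reads them from a path in an assumed `NSJAIL` environment variable), standard nsjail flags (`-Mo`, `-Q`, `-R`, `-B`, `-D`, `-E`, `--disable_proc`), and a Linux host where unprivileged user namespaces are enabled. The isolation check runs a positive control first so a misconfigured jail cannot pass by failing at everything.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrNoNsjail lets callers distinguish "could not test" from "sandbox leaks".
var ErrNoNsjail = errors.New("nsjail binary not available")

// materialize writes the nsjail bytes (stand-in for the go:embed'ed binary)
// into dir with mode 0700 and returns the executable's path.
func materialize(dir string, contents []byte) (string, error) {
	p := filepath.Join(dir, "nsjail")
	if err := os.WriteFile(p, contents, 0o700); err != nil {
		return "", err
	}
	return p, nil
}

// sandboxArgs builds the nsjail argv for cmd: the checkout root is visible
// read-only at its own path, a private scratch dir is the only writable
// location, only host system dirs that actually exist are bind-mounted, the
// environment is reduced to PATH/TMPDIR, and nsjail's default new mount, PID
// and network namespaces apply.
func sandboxArgs(root, scratch string, cmd []string) []string {
	args := []string{
		"-Mo",                   // run the command once and exit
		"-Q",                    // log only fatal nsjail messages
		"--disable_proc",        // no /proc inside the jail
		"-R", root,              // read-only view of the checkout
		"-B", scratch + ":/scratch", // read-write scratch space
		"-D", root,              // working directory inside the jail
		"-E", "PATH=/usr/bin:/bin",
		"-E", "TMPDIR=/scratch",
	}
	for _, d := range []string{"/bin", "/usr", "/lib", "/lib64", "/lib32"} {
		if st, err := os.Stat(d); err == nil && st.IsDir() { // skip dirs absent on this host
			args = append(args, "-R", d)
		}
	}
	args = append(args, "--")
	return append(args, cmd...)
}

// runSandboxed executes cmd through nsjail and returns its combined output.
func runSandboxed(ctx context.Context, nsjailPath, root string, cmd []string) ([]byte, error) {
	scratch, err := os.MkdirTemp("", "sandbox-scratch-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(scratch)
	return exec.CommandContext(ctx, nsjailPath, sandboxArgs(root, scratch, cmd)...).CombinedOutput()
}

// verifyIsolation checks the property the commit's test targets: a file in
// `outside` must be unreadable inside the jail, while a file in `root` must
// still be readable (the positive control).
func verifyIsolation(ctx context.Context, nsjailPath, root, outside string) error {
	if _, err := os.Stat(nsjailPath); err != nil {
		return ErrNoNsjail
	}
	inside := filepath.Join(root, "visible.txt")
	secret := filepath.Join(outside, "secret.txt")
	if err := os.WriteFile(inside, []byte("inside\n"), 0o644); err != nil {
		return err
	}
	if err := os.WriteFile(secret, []byte("outside\n"), 0o600); err != nil {
		return err
	}
	out, err := runSandboxed(ctx, nsjailPath, root, []string{"/bin/cat", inside})
	if err != nil || string(out) != "inside\n" {
		return fmt.Errorf("positive control failed: %v: %q", err, out)
	}
	if out, err := runSandboxed(ctx, nsjailPath, root, []string{"/bin/cat", secret}); err == nil {
		return fmt.Errorf("sandbox leak: %s readable inside jail: %q", secret, out)
	}
	return nil
}

func main() {
	raw, err := os.ReadFile(os.Getenv("NSJAIL")) // assumed: NSJAIL=/path/to/host/nsjail
	if err != nil {
		fmt.Println("set NSJAIL to an nsjail binary:", err)
		return
	}
	bin, _ := os.MkdirTemp("", "nsjail-bin-")
	root, _ := os.MkdirTemp("", "checkout-")
	outside, _ := os.MkdirTemp("", "outside-")
	defer os.RemoveAll(bin)
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	path, err := materialize(bin, raw)
	if err == nil {
		err = verifyIsolation(context.Background(), path, root, outside)
	}
	fmt.Println("isolation check:", err)
}
```

`/bin/cat` is given as an absolute path because nsjail execs the target directly rather than searching PATH; `-Q` keeps nsjail's own log lines out of the captured output so the positive control can compare exact bytes.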
Scalable Hermetic Analysis and Checks.
```shell
go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less
```
⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.
See CONTRIBUTING.md to submit changes.