[nsjail] Wrapped exec'd commands with nsjail

`go generate ./internal/nsjail` downloads nsjail binaries from CIPD to
be checked into git and embedded in shac, then shac writes a new nsjail
binary to disk to use every time it runs a subprocess.

Checking in the nsjail binaries also required adding handling to shac
to make sure it doesn't choke trying to process binary files as text.

The nsjail wrapper code in runtime_ctx_os.go is pretty ugly; I'll clean
it up later.

I added one simple test to make sure that arbitrary files aren't visible
when running inside the sandbox. We should add more fully-featured tests
though.

Change-Id: I86e032ca4c1ef135db5b3e1cb898017236ed5e83
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/831980
Commit-Queue: Oliver Newman <olivernewman@google.com>
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
14 files changed
tree: c2a5a8a212e81ebaafb0c2435f088184c582bdcc
  1. .github/
  2. doc/
  3. internal/
  4. scripts/
  5. .gitignore
  6. AUTHORS
  7. check_doc.star
  8. codecov.yml
  9. CONTRIBUTING.md
  10. go.mod
  11. go.star
  12. go.sum
  13. LICENSE
  14. licenses.star
  15. main.go
  16. OWNERS
  17. PATENTS
  18. README.md
  19. shac.star
README.md

shac

Scalable Hermetic Analysis and Checks.

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.