[engine] Pass through $PATH, fix goroot mounting

1. Pass the value of $PATH into sandbox and mount all directories listed
   in $PATH inside the sandbox. This is helpful for getting shac to run
   on machines where prerequisite binaries are installed in
   "non-standard" directories. For example, in Buildbucket builds,
   binaries such as python3 are installed in a Buildbucket-specific
   directory that we shouldn't hardcode in shac, so just passing through
   the entirety of $PATH is the best option.
2. Previously we'd try to mount `runtime.GOROOT()` even if it was an
   empty string, which would cause the nsjail command setup to fail with
   a "no such file or directory" error when run by a production `shac`
   build. That's because the production builds set `-trimpath` to
   remove all local filesystem paths from the executable, so
   `runtime.GOROOT()` and other build host-specific values are left
   unset.
3. Centralize tempdir sandboxing configuration in runtime_ctx_os.go to
   reduce duplication in sandbox.go.

Change-Id: Id22de2338e9ce0212e63eedffe4e48e84f52d7f0
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/863517
Commit-Queue: Oliver Newman <olivernewman@google.com>
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
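As an added example (not shac's own code), the two sandbox fixes described in the message combined into one mount-list builder in Go: every directory listed in $PATH is mounted, while empty entries, including a runtime.GOROOT() left unset by `-trimpath`, are skipped instead of being handed to nsjail. The Mount type, pathMounts and the injected exists check are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// Mount is a read-only bind mount into the sandbox (hypothetical type;
// shac's own representation is not shown on this page).
type Mount struct {
	Src string // host path
	Dst string // path inside the sandbox (identical to Src here)
}

// pathMounts turns a $PATH value plus runtime.GOROOT() into the list of
// directories to mount inside the sandbox. exists is injected so the
// filtering can be tested without touching the real filesystem.
func pathMounts(pathEnv, goroot string, exists func(string) bool) []Mount {
	seen := map[string]bool{}
	var mounts []Mount
	add := func(dir string) {
		// Skip empty entries: a -trimpath build leaves runtime.GOROOT()
		// as "", and "a::b" in $PATH means the current directory. Mounting
		// either fails with "no such file or directory" or exposes cwd.
		if dir == "" || !filepath.IsAbs(dir) {
			return
		}
		dir = filepath.Clean(dir)
		if seen[dir] || !exists(dir) {
			return
		}
		seen[dir] = true
		mounts = append(mounts, Mount{Src: dir, Dst: dir})
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		add(dir)
	}
	add(goroot)
	return mounts
}

// isDir is the real filesystem check used when run stand-alone.
func isDir(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.IsDir()
}

func main() {
	for _, m := range pathMounts(os.Getenv("PATH"), runtime.GOROOT(), isDir) {
		fmt.Printf("bind ro %s -> %s\n", m.Src, m.Dst)
	}
}
```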
2 files changed
tree: e6f6b9745178e06bcb94e1abdb4f26fa66b156a0
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

[image: usage demonstration]

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.