_sandboxbwrap.py: Create /dev/shm in the sandboxcoldtom/allow-dev-shm

Creates /dev/shm as a tmpfs in the sandbox. Before now access to /dev/shm was only available by a plugin using `Sandbox.mark_directory()` or adding to `Sandbox.DEVICES`, either of which would _mount_ /dev/shm into the sandbox, allowing pollution from the host. This adds it as a tmpfs by default, which seems sensible as it is required for POSIX support. Also adds a test which makes sure that we can open a shared memory object inside the build sandbox with some (probably poor) C code.
author: Thomas Coldrick <thomas.coldrick@codethink.co.uk> 2019-11-08 15:24:00 +0000
committer: Thomas Coldrick <thomas.coldrick@codethink.co.uk> 2019-11-08 15:30:10 +0000
commit: df92b9457bac64656a701f88e19240dbd639ab46 (patch)
tree: 7161019b1f539c755dbbee6a498605992a3535a1
parent: a283f02ce9f5d72f03c783d516d69d8f57069ef4 (diff)
download: buildstream-coldtom/allow-dev-shm.tar.gz
4 files changed, 62 insertions, 2 deletions
diff --git a/src/buildstream/sandbox/_sandboxbwrap.py b/src/buildstream/sandbox/_sandboxbwrap.py
index bd60eafc1..5c4b9a295 100644
--- a/src/buildstream/sandbox/_sandboxbwrap.py
+++ b/src/buildstream/sandbox/_sandboxbwrap.py
@@ -207,6 +207,11 @@ class SandboxBwrap(Sandbox):
             for device in self.DEVICES:
                 bwrap_command += ['--dev-bind', device, device]
 
+            # Create a tmpfs for /dev/shm, if we're in interactive this
+            # is handled by `--dev /dev`
+            #
+            bwrap_command += ['--tmpfs', '/dev/shm']
+
         # Add bind mounts to any marked directories
         marked_directories = self._get_marked_directories()
         mount_source_overrides = self._get_mount_sources()
@@ -260,7 +265,7 @@ class SandboxBwrap(Sandbox):
             #
             existing_basedirs = {
                 directory: os.path.exists(os.path.join(root_directory, directory))
-                for directory in ['tmp', 'dev', 'proc']
+                for directory in ['dev/shm', 'tmp', 'dev', 'proc']
             }
 
             # Use the MountMap context manager to ensure that any redirected
@@ -294,7 +299,7 @@ class SandboxBwrap(Sandbox):
 
             # Remove /tmp, this is a bwrap owned thing we want to be sure
             # never ends up in an artifact
-            for basedir in ['tmp', 'dev', 'proc']:
+            for basedir in ['dev/shm', 'tmp', 'dev', 'proc']:
 
                 # Skip removal of directories which already existed before
                 # launching bwrap
diff --git a/tests/integration/project/elements/sandbox-bwrap/test-dev-shm.bst b/tests/integration/project/elements/sandbox-bwrap/test-dev-shm.bst
new file mode 100644
index 000000000..03dc74a35
--- /dev/null
+++ b/tests/integration/project/elements/sandbox-bwrap/test-dev-shm.bst
@@ -0,0 +1,15 @@
+kind: manual
+
+depends:
+- base.bst 
+
+config:
+  build-commands:
+  - cc test_shm.c
+
+  install-commands:
+  - ./a.out
+
+sources:
+- kind: local
+  path: files/test_shm.c
diff --git a/tests/integration/project/files/test_shm.c b/tests/integration/project/files/test_shm.c
new file mode 100644
index 000000000..4ee71cb2b
--- /dev/null
+++ b/tests/integration/project/files/test_shm.c
@@ -0,0 +1,29 @@
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+int main ()
+{
+  int fd = shm_open ("/foo", O_RDONLY | O_CREAT, S_IRWXU);
+  if (fd < 0)
+  {
+    fprintf (stderr, "Failed to open shm: %s\n", strerror (errno));
+    exit(1);
+  }
+
+  int success = shm_unlink ("/foo");
+  if  (success < 0)
+  {
+    fprintf (stderr, "Failed to close shm: %s\n", strerror (errno));
+    exit(2);
+  }
+
+  close (fd);
+
+  return 0;
+}
diff --git a/tests/integration/sandbox-bwrap.py b/tests/integration/sandbox-bwrap.py
index f48c75cbd..00fdd707c 100644
--- a/tests/integration/sandbox-bwrap.py
+++ b/tests/integration/sandbox-bwrap.py
@@ -60,3 +60,14 @@ def test_sandbox_bwrap_return_subprocess(cli, datafiles):
     result = cli.run(project=project, args=['build', element_name])
     result.assert_task_error(error_domain=ErrorDomain.SANDBOX, error_reason="command-failed")
     assert "sandbox-bwrap/command-exit-42.bst|Command failed with exitcode 42" in result.stderr
+
+@pytest.mark.skipif(HAVE_SANDBOX != 'bwrap', reason='Only available with bubblewrap')
+@pytest.mark.datafiles(DATA_DIR)
+def test_sandbox_bwrap_dev_shm(cli, datafiles):
+    project = str(datafiles)
+    element_name = 'sandbox-bwrap/test-dev-shm.bst'
+
+    result = cli.run(project=project, args=['build', element_name])
+    assert result.exit_code == 0
+
+
author	Thomas Coldrick <thomas.coldrick@codethink.co.uk>	2019-11-08 15:24:00 +0000
committer	Thomas Coldrick <thomas.coldrick@codethink.co.uk>	2019-11-08 15:30:10 +0000
commit	df92b9457bac64656a701f88e19240dbd639ab46 (patch)
tree	7161019b1f539c755dbbee6a498605992a3535a1
parent	a283f02ce9f5d72f03c783d516d69d8f57069ef4 (diff)
download	buildstream-coldtom/allow-dev-shm.tar.gz