From 068a51b073a48d2b4d0e3dd0a00add77509207e1 Mon Sep 17 00:00:00 2001
From: Thomas Coldrick <thomas.coldrick@codethink.co.uk>
Date: Fri, 8 Nov 2019 15:24:00 +0000
Subject: _sandboxbwrap.py: Create /dev/shm in the sandbox

Creates /dev/shm as a tmpfs in the sandbox. Before now access to
/dev/shm was only available by a plugin using `Sandbox.mark_directory()`
or adding to `Sandbox.DEVICES`, either of which would _mount_ /dev/shm
into the sandbox, allowing pollution from the host. This adds it as a
tmpfs by default, which seems sensible as it is required for POSIX
support.

Also adds a test which makes sure that we can open a shared memory
object inside the build sandbox with some (probably poor) C code.
---
 src/buildstream/sandbox/_sandboxbwrap.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src/buildstream/sandbox/_sandboxbwrap.py')

diff --git a/src/buildstream/sandbox/_sandboxbwrap.py b/src/buildstream/sandbox/_sandboxbwrap.py
index bd60eafc1..5c4b9a295 100644
--- a/src/buildstream/sandbox/_sandboxbwrap.py
+++ b/src/buildstream/sandbox/_sandboxbwrap.py
@@ -207,6 +207,11 @@ class SandboxBwrap(Sandbox):
             for device in self.DEVICES:
                 bwrap_command += ['--dev-bind', device, device]
 
+            # Create a tmpfs for /dev/shm, if we're in interactive this
+            # is handled by `--dev /dev`
+            #
+            bwrap_command += ['--tmpfs', '/dev/shm']
+
         # Add bind mounts to any marked directories
         marked_directories = self._get_marked_directories()
         mount_source_overrides = self._get_mount_sources()
@@ -260,7 +265,7 @@ class SandboxBwrap(Sandbox):
             #
             existing_basedirs = {
                 directory: os.path.exists(os.path.join(root_directory, directory))
-                for directory in ['tmp', 'dev', 'proc']
+                for directory in ['dev/shm', 'tmp', 'dev', 'proc']
             }
 
             # Use the MountMap context manager to ensure that any redirected
@@ -294,7 +299,7 @@ class SandboxBwrap(Sandbox):
 
             # Remove /tmp, this is a bwrap owned thing we want to be sure
             # never ends up in an artifact
-            for basedir in ['tmp', 'dev', 'proc']:
+            for basedir in ['dev/shm', 'tmp', 'dev', 'proc']:
 
                 # Skip removal of directories which already existed before
                 # launching bwrap
-- 
cgit v1.2.1