builder: Add --sandbox support

This disables build-args support, which is useful when building things
on e.g. a shared build machine, where we don't want the build to
be able to break out of the sandbox (by specifying e.g. --share=network).
Alexander Larsson
2016-08-22 17:23:32 +02:00
parent b03b21f416
commit b0a7f8052b
8 changed files with 50 additions and 9 deletions


@@ -54,6 +54,7 @@ struct BuilderContext
gboolean use_ccache;
gboolean build_runtime;
gboolean separate_locales;
gboolean sandboxed;
};
typedef struct
@@ -342,6 +343,19 @@ builder_context_get_keep_build_dirs (BuilderContext *self)
return self->keep_build_dirs;
}
void
builder_context_set_sandboxed (BuilderContext *self,
gboolean sandboxed)
{
self->sandboxed = sandboxed;
}
gboolean
builder_context_get_sandboxed (BuilderContext *self)
{
return self->sandboxed;
}
gboolean
builder_context_get_build_runtime (BuilderContext *self)
{


@@ -53,6 +53,9 @@ int builder_context_get_n_cpu (BuilderContext *self);
void builder_context_set_keep_build_dirs (BuilderContext *self,
gboolean keep_build_dirs);
gboolean builder_context_get_keep_build_dirs (BuilderContext *self);
void builder_context_set_sandboxed (BuilderContext *self,
gboolean sandboxed);
gboolean builder_context_get_sandboxed (BuilderContext *self);
void builder_context_set_global_cleanup (BuilderContext *self,
const char **cleanup);
const char ** builder_context_get_global_cleanup (BuilderContext *self);


@@ -43,6 +43,7 @@ static gboolean opt_ccache;
static gboolean opt_require_changes;
static gboolean opt_keep_build_dirs;
static gboolean opt_force_clean;
static gboolean opt_sandboxed;
static char *opt_stop_at;
static char *opt_arch;
static char *opt_repo;
@@ -70,6 +71,7 @@ static GOptionEntry entries[] = {
{ "gpg-sign", 0, 0, G_OPTION_ARG_STRING_ARRAY, &opt_key_ids, "GPG Key ID to sign the commit with", "KEY-ID"},
{ "gpg-homedir", 0, 0, G_OPTION_ARG_STRING, &opt_gpg_homedir, "GPG Homedir to use when looking for keyrings", "HOMEDIR"},
{ "force-clean", 0, 0, G_OPTION_ARG_NONE, &opt_force_clean, "Erase previous contents of DIRECTORY", NULL },
{ "sandbox", 0, 0, G_OPTION_ARG_NONE, &opt_sandboxed, "Enforce sandboxing, disabling build-args", NULL },
{ "stop-at", 0, 0, G_OPTION_ARG_STRING, &opt_stop_at, "Stop building at this module (implies --build-only)", "MODULENAME"},
{ NULL }
};
@@ -282,6 +284,7 @@ main (int argc,
build_context = builder_context_new (base_dir, app_dir);
builder_context_set_keep_build_dirs (build_context, opt_keep_build_dirs);
builder_context_set_sandboxed (build_context, opt_sandboxed);
if (opt_arch)
builder_context_set_arch (build_context, opt_arch);


@@ -2151,13 +2151,12 @@ builder_manifest_run (BuilderManifest *self,
g_ptr_array_add (args, g_strdup_printf ("--bind-mount=/run/ccache=%s", ccache_dir_path));
}
build_args = builder_options_get_build_args (self->build_options, context);
build_args = builder_options_get_build_args (self->build_options, context, error);
if (build_args == NULL)
return FALSE;
if (build_args)
{
for (i = 0; build_args[i] != NULL; i++)
g_ptr_array_add (args, g_strdup (build_args[i]));
}
for (i = 0; build_args[i] != NULL; i++)
g_ptr_array_add (args, g_strdup (build_args[i]));
env = builder_options_get_env (self->build_options, context);
if (env)
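Review bot: The new early `return FALSE` after the `builder_options_get_build_args` call leaves the `args` GPtrArray that the lines above have already populated (e.g. the `--bind-mount=/run/ccache=...` entry) without an explicit release, so this path is leak-free only if `args` is declared `g_autoptr(GPtrArray)` in the part of builder_manifest_run outside this hunk; worth confirming rather than assuming. The NULL-means-error convention introduced here also relies on the getter never returning NULL on success, which is only visible in another file; a one-line comment at the call site, `/* NULL only on error: an empty build-args list yields a NULL-terminated empty array */`, would make that contract explicit for the next reader. builder_manifest_run starts and ends outside this hunk.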


@@ -1239,8 +1239,11 @@ builder_module_build (BuilderModule *self,
source_subdir = g_object_ref (source_dir);
}
build_args = builder_options_get_build_args (self->build_options, context, error);
if (build_args == NULL)
return FALSE;
env = builder_options_get_env (self->build_options, context);
build_args = builder_options_get_build_args (self->build_options, context);
config_opts = builder_options_get_config_opts (self->build_options, context, self->config_opts);
if (self->cmake)
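Review bot: The added `return FALSE` in builder_module_build sits right after `source_subdir = g_object_ref (source_dir);`, so the fresh reference (and any other resource acquired earlier in the function) is released on this error path only if those locals are `g_autoptr`-managed; their declarations are outside the hunk, so please verify instead of assuming. If they are plain pointers, the new path needs `g_object_unref (source_subdir);` before returning, or should jump to the function's existing cleanup label if it has one. builder_module_build starts and ends outside this hunk.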


@@ -622,7 +622,8 @@ builder_options_get_env (BuilderOptions *self, BuilderContext *context)
char **
builder_options_get_build_args (BuilderOptions *self,
BuilderContext *context)
BuilderContext *context,
GError **error)
{
g_autoptr(GList) options = get_all_options (self, context);
GList *l;
@@ -643,6 +644,12 @@ builder_options_get_build_args (BuilderOptions *self,
}
}
if (array->len > 0 && builder_context_get_sandboxed (context))
{
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Can't specify build-args in sandboxed build");
return NULL;
}
g_ptr_array_add (array, NULL);
return (char **) g_ptr_array_free (g_steal_pointer (&array), FALSE);
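Review bot: The sandbox check is enforced inside the getter, which per the other hunks in this commit is called when each module is built, so a sandboxed build of a manifest whose last module carries build-args fails only after the earlier modules have already run; a one-time validation right after the manifest is parsed would reject such a manifest up front and would not depend on every caller remembering to pass `error`. The message would also be more actionable if it named the offending entry, e.g. `g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Can't specify build-args in sandboxed build (%s)", (char *) g_ptr_array_index (array, 0));`. The `g_steal_pointer` on the success path suggests `array` is `g_autoptr`, but the `g_strdup`'d entries added in the loop above are freed on the new NULL return only if the array was created with a free func, which the hunk does not show. The closing of builder_options_get_build_args and the loop body between the two hunks are outside the visible lines.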


@@ -47,7 +47,8 @@ const char *builder_options_get_prefix (BuilderOptions *self,
char ** builder_options_get_env (BuilderOptions *self,
BuilderContext *context);
char ** builder_options_get_build_args (BuilderOptions *self,
BuilderContext *context);
BuilderContext *context,
GError **error);
char ** builder_options_get_config_opts (BuilderOptions *self,
BuilderContext *context,
char **base_opts);


@@ -739,6 +739,17 @@
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--sandbox</option></term>
<listitem><para>
Disable the possibility to specify build-args that
are passed to flatpak build. This means the build
process can't break out of its sandbox, and is
useful when building less trusted software.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>