"Build sandboxing disabled due to nsjail error. This may become fatal in the future."


Ricky Ng-Adam

Apr 30, 2020, 12:43:31 PM
to Android Building
Hello!

I'm building Android 10 in a Docker with overlay and getting the following error:

Building Android
06:58:14 Build sandboxing disabled due to nsjail error. This may become fatal in the future.
06:58:14 Please let us know why nsjail doesn't work in your environment at:
06:58:14   https://groups.google.com/forum/#!forum/android-building

https://github.com/google/nsjail

A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters (with help of the kafel bpf language) 

I suppose this is not very helpful in my case as Docker is already doing process isolation? I see it's possible to run nsjail, but it requires --disable_proc and --privileged.

I'm supposing nsjail exists to provide better performance?

Does it work well with Overlay FS? I'm trying to build for every branch without copying over all source tree and output build objects.

Thanks, 

Ricky

Dan Willemsen

Apr 30, 2020, 10:46:39 PM
to Android Building
Yes, we're familiar with the docker problems, and we'll likely have to live with it for the time being: https://issuetracker.google.com/123210688 . I've removed the above message from master and Android 11 (the other common case was distributions that turned off user namespaces).

> I suppose this is not very helpful in my case for me as Docker is already doing process isolation?

I'm actually less interested in it as a security isolation boundary, and more interested in it providing more assurances about the behaviors we expect from the build, and provide more safety by default:

* Guarantees that processes don't continue running past the end of the build (or the part of the build). In practice, this should just be a safety precaution, and if you're starting the build via the docker command line every time, it should provide similar guarantees (if you're attaching to a long-running docker instance, not so much).
* Allows us to turn off the network for part of the build. In most cases right now this can be emulated by just turning off the network for that docker container, but with the remote execution work that's ongoing, we allow a daemon access to the network, but turn it off for the rest of the build (which tunnels build requests to the daemon as necessary).
* Recently on master, turns off write access to the rest of the system (except $srcdir, $outdir, $distdir, $home? something like that). Depending on your docker setup, this safety may not be too important (just mounting the necessary directories, and throwing away any changes made after the build exits, for example).

So while we can't require the use of nsjail at this point, it may mean that your build succeeds while the same build on another system using nsjail fails. You may be able to configure docker similarly, but changing the configuration during different parts of the build likely wouldn't be possible.

I'd like to do things like turn the source directory read only, but I've been hesitant to do so because it'll cause a larger behavior difference between the nsjail users and the rest. Also on the list is hiding things like /usr/include from the build, as we never want to use it. Potentially changing what parts of the output tree are read/write vs read-only vs invisible during different parts of the build is another idea I've had.

- Dan
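The first two guarantees Dan lists (no process outlives its part of the build, network switched off) are what Linux PID and network namespaces provide, and the "distributions that turned off user namespaces" case is the kernel refusing to create them for an unprivileged process. The script below is an added example, not nsjail's or AOSP's code: it recreates both guarantees with a bare unshare(2) via ctypes, leaves a stray daemon behind in the jail to show it dies with the jail's PID 1, and reports the errno when the host refuses the namespaces (the same condition that makes the build print the warning above).

```python
import ctypes, errno, os, select, socket, time

# Flags from <sched.h>; unshare(2) applies them to the calling process.
CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET = 0x10000000, 0x20000000, 0x40000000
libc = ctypes.CDLL(None, use_errno=True)

def _net_reachable():
    # A fresh net namespace has only a *down* loopback, so even 127.0.0.1
    # is unreachable (ENETUNREACH). A refusal means a live interface exists.
    try:
        with socket.create_connection(("127.0.0.1", 9), timeout=1):
            return True
    except OSError as e:
        return e.errno == errno.ECONNREFUSED

def run_jailed():
    """Fork a helper that unshares user+pid+net namespaces, leaves a stray daemon
    behind and reports: did the stray die with PID 1, was the network cut off?"""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # helper, still in our pid ns
        os.close(r)
        if libc.unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET) != 0:
            os.write(w, b"E%d" % ctypes.get_errno())  # e.g. EPERM under seccomp
            os._exit(2)
        init = os.fork()                           # first child = PID 1 of new ns
        if init == 0:
            if os.fork() == 0:                     # stray: holds w open until killed
                while True:
                    time.sleep(0.05)
            os.write(w, b"P%d,N%d" % (os.getpid(), _net_reachable()))
            os._exit(0)                            # PID 1 exits -> whole ns killed
        os.close(w)
        os.waitpid(init, 0)
        os._exit(0)
    os.close(w)
    os.waitpid(pid, 0)
    data, eof, deadline = b"", False, time.monotonic() + 3
    while not eof and time.monotonic() < deadline:  # EOF only once every writer died
        if not select.select([r], [], [], max(0, deadline - time.monotonic()))[0]:
            break
        chunk = os.read(r, 64)
        eof = chunk == b""
        data += chunk
    os.close(r)
    if data.startswith(b"E"):                      # namespaces refused by kernel/container
        return {"supported": False, "errno": errno.errorcode.get(int(data[1:]), data[1:].decode())}
    init_pid, net = (int(x[1:]) for x in data.split(b","))
    return {"supported": True, "init_pid": init_pid, "net_reachable": bool(net), "stray_killed": eof}
```

On a host where `supported` comes back False with EPERM, EINVAL or ENOSPC, nsjail would fail the same way, which is the diagnostic to include when reporting to the list.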
