Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run sandbox checker in temp directory #4787

Merged
merged 2 commits into from
Sep 1, 2021
Merged

Run sandbox checker in temp directory #4787

merged 2 commits into from
Sep 1, 2021

Conversation

dra27
Copy link
Member

@dra27 dra27 commented Aug 6, 2021

The sandbox will attempt to mount the current working directory which may fail (and which we don't necessarily have any business doing).

@dra27 dra27 added this to PR in progress in Opam 2.2.0 via automation Aug 6, 2021
@dra27 dra27 added this to the 2.2.0~alpha milestone Aug 6, 2021
@dra27 dra27 linked an issue Aug 6, 2021 that may be closed by this pull request
Upgrading opam to 2.1.0 touches files in my CWD, but it shouldn't #4783
Closed
@dra27 dra27 mentioned this pull request Aug 6, 2021
Closed
Opam 2.2.0 automation moved this from PR in progress to PR finalised Aug 6, 2021
@dra27
Run sandbox checker in temp directory
ffba047 
The sandbox will attempt to mount the current working directory which
may fail (and which we don't necessarily have any business doing).
@dra27
Simplify sandbox detection
295e273 
opam now creates a temporary directory for the CWD, so just it
@dra27
Copy link
Member Author

dra27 commented Aug 6, 2021

Revised: we're supposed to be avoiding /tmp, so making it the rw CWD seems a bit weird! OpamSystem.in_tmp_dir added which does what OpamSystem.with_tmp_dir claimed to do - it creates a temporary directory and then actually calls the function in it.

As a result, it's possible to simplify the sandbox check, as OpamSystem.in_tmp_dir also cleans up the directory, so I changed the check to use tee instead. I also verified that it fails by changing the path to /tmp/check-write 🙂

@kit-ty-kate
Copy link
Member

The underlying issue in #4783 is that /media is not mounted by the sandbox
I think a better fix would be to simply fix the sandbox to mount / readonly instead of selecting which directory need to be ro-mounted.

This would also make the linux sandbox match the macOS sandbox (which does not have this distinction).
I believe this would also fix #4751 at the same time.

@dra27
Copy link
Member Author

dra27 commented Aug 6, 2021

That's the underlying cause, it's not the underlying issue. Given that opam is doing nothing in the CWD, it definitely has no business at all mounting it in the sandbox, much less mounting it RW (when the sandbox is called normally, the CWD is already the build directory in an opam root). See also the concern for handling of symlinks in add_mounts vs add_sys_mounts in the sandbox script.

In #4751, the problem is that opam root is not accessible, which does still need fixing.

@rjbou
Copy link
Collaborator

rjbou commented Aug 6, 2021

double approval : checked, working perfectly. Thanks!

@rjbou rjbou added this to PR in Progress in Opam 2.1.x via automation Aug 9, 2021
@rjbou rjbou mentioned this pull request Aug 9, 2021
Merged
Opam 2.1.x automation moved this from PR in Progress to PR Finalised Aug 10, 2021
@rjbou rjbou merged commit 37effe2 into ocaml:master Sep 1, 2021
Opam 2.1.x automation moved this from PR Finalised to Done Sep 1, 2021
Opam 2.2.0 automation moved this from PR finalised to Done Sep 1, 2021
@rjbou
Copy link
Collaborator

rjbou commented Sep 1, 2021

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rjbou rjbou rjbou approved these changes

@AltGr AltGr AltGr approved these changes

Assignees
No one assigned
Labels
AREA: SANDBOX
Projects
No open projects
Opam 2.1.x
  
Done
Opam 2.2.0
  
Done
Milestone
2.2.0~alpha
Development

Successfully merging this pull request may close these issues.

Upgrading opam to 2.1.0 touches files in my CWD, but it shouldn't
4 participants
@dra27 @kit-ty-kate @rjbou @AltGr