facebook / buck

A fast build system that encourages the creation of small, reusable modules over a variety of platforms and languages.
https://buck.build
Apache License 2.0
8.56k stars 1.16k forks

genrule with enable_sandbox allows underspecified inputs/outputs? #2561

Open gnida-rada opened 4 years ago

gnida-rada commented 4 years ago

I'm trying to understand how well Buck builds are sandboxed on macOS. My experiments showed that:

  1. genrule that writes to a file that's not in "out" builds fine.

     ```python
     genrule(
         name = 'copy_files',
         enable_sandbox = True,
         srcs = [
             'data.dat',
         ],
         # NOTE that data_out_foo2.txt is not specified as out
         cmd = 'cp $SRCDIR/data.dat $OUT; cp $SRCDIR/data.dat ${OUT}_foo2.txt',
         out = 'data_out.dat',
     )
     ```

     and

  2. genrule that reads files, not in srcs, using absolute path, builds just fine.

     ```python
     genrule(
         name = 'copy_files',
         enable_sandbox = True,
         srcs = [
             'data.dat',
         ],
         # NOTE: it just grabs Volumes/Data/temp/test.json that was not specified anywhere
         cmd = 'cp $SRCDIR/data.dat $OUT; cp /Volumes/Data/temp/test.json ${OUT}_test.json',
         out = 'data_out.dat',
     )
     ```

If scripts can read inputs that aren't specified, even under sandbox, can we trust Buck's incremental builds? Or am I missing something?

To be fair, when sandbox is enabled, I'm getting stderr message:

```
shell-init: error retrieving current directory: getcwd: cannot access parent directories: Operation not permitted
```

that happens even with the most vanilla cmd:

```
srcs = [
    'data.dat',
],
cmd = 'cp $SRCDIR/data.dat $OUT',
out = 'data_out.dat',
```

Thanks
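An added example, not part of the issue and not Buck's own code: a static lint that flags the two patterns the post above demonstrates, a literal absolute path in `cmd` and a sibling file built from `$OUT`. The function name and finding labels are hypothetical, and the check is a heuristic that assumes shell separators are not quoted.

```python
import re
import shlex

# Hypothetical lint helper, not part of Buck. It flags genrule `cmd` tokens
# that reach outside what the rule declares via `srcs` and `out`.
OUT_REF = re.compile(r"\$\{OUT\}|\$OUT(?![A-Za-z0-9_])")  # ${OUT} or $OUT
SEPARATORS = re.compile(r"[;&|<>]+")  # assumes separators are not quoted

# The three cmd strings quoted in the issue.
CMD_EXTRA_OUTPUT = "cp $SRCDIR/data.dat $OUT; cp $SRCDIR/data.dat ${OUT}_foo2.txt"
CMD_ABSOLUTE_INPUT = ("cp $SRCDIR/data.dat $OUT; "
                      "cp /Volumes/Data/temp/test.json ${OUT}_test.json")
CMD_VANILLA = "cp $SRCDIR/data.dat $OUT"


def lint_genrule_cmd(cmd):
    """Return sorted (kind, token) findings for one genrule cmd string."""
    findings = set()
    for simple in SEPARATORS.split(cmd):
        try:
            tokens = shlex.split(simple)
        except ValueError:  # unbalanced quote after the naive split
            tokens = simple.split()
        for tok in tokens:
            if tok.startswith("/"):
                # Literal host path: a file whose content `srcs` does not cover.
                findings.add(("undeclared-absolute-path", tok))
                continue
            m = OUT_REF.search(tok)
            suffix = tok[m.end():] if m else ""
            # "$OUT" alone or "$OUT/child" is treated here as inside the
            # declared output; "${OUT}_x" is a sibling file `out` does not name.
            if suffix and not suffix.startswith("/"):
                findings.add(("path-derived-from-OUT", tok))
    return sorted(findings)


if __name__ == "__main__":
    for cmd in (CMD_EXTRA_OUTPUT, CMD_ABSOLUTE_INPUT, CMD_VANILLA):
        print(cmd, "->", lint_genrule_cmd(cmd))
```

A lint like this only catches paths spelled out in the command string; files opened by tools the command invokes are visible only to runtime enforcement.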

caschomburg123 commented 3 years ago

Check out Facebook Kikiama Embedded lower Left corner blood coming out of dog pinned down on mattress Big screen tv distracts viewer from seeing what’s actually happening This is absurd Complained to Facebook many times only to receive ding letter that states it does not violate Facebook’s Jews They haven’t even looked
