Make cc_sandboxed_library a cc_library replacement

PiperOrigin-RevId: 890283751
Change-Id: Ie77eea7aa00e5263ba3b34aa0f11e78d9f09c2d0

Author: dvyukov

sandboxed_api/bazel/BUILD

@@ -13,6 +13,10 @@
 # limitations under the License.
 
 load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
+load(
+    "@bazel_skylib//rules:common_settings.bzl",
+    "string_list_setting",
+)
 
 licenses(["notice"])
 
@@ -60,6 +64,7 @@ bzl_library(
         ":build_defs_bzl",
         ":embed_data_bzl",
         ":proto_bzl",
+        "@bazel_skylib//rules:common_settings",
         "@bazel_tools//tools/cpp:toolchain_utils.bzl",
         "@rules_cc//cc:core_rules",
         "@rules_cc//cc/common",
@@ -71,3 +76,13 @@ bzl_library(
     srcs = ["llvm_config.bzl"],
     visibility = ["//visibility:private"],
 )
+
+string_list_setting(
+    name = "lib_sandboxing_enable",
+    build_setting_default = [],
+)
+
+string_list_setting(
+    name = "lib_sandboxing_disable",
+    build_setting_default = [],
+)

sandboxed_api/bazel/sapi.bzl

@@ -19,6 +19,7 @@ load("@rules_cc//cc:cc_library.bzl", "cc_library")
 load("@rules_cc//cc:cc_test.bzl", "cc_test")
 load("@rules_cc//cc/common:cc_common.bzl", "cc_common")
 load("@rules_cc//cc/common:cc_info.bzl", "CcInfo")
+load("@bazel_skylib//rules:common_settings.bzl", "BuildSettingInfo")
 load("//sandboxed_api/bazel:build_defs.bzl", "sapi_platform_copts")
 load("//sandboxed_api/bazel:embed_data.bzl", "sapi_cc_embed_data")
 load(
@@ -506,17 +507,20 @@ def sapi_library(
 
 def cc_sandboxed_library(
         name,
-        lib,
-        srcs = [],
+        annotations = [],
+        default_sandboxed = True,
         tags = [],
         host_deps = [],
         sandboxee_deps = [],
         visibility = None,
-        compatible_with = None):
-    """Creates a sandboxed drop-in replacement cc_library.
+        compatible_with = None,
+        **kwargs):
+    """Creates a drop-in replacement cc_library that may be sandboxed.
 
     NOTE: this functionality is experimental and may change in the future.
 
+    The resulting library may or may not be sandboxed depending on the default_sandboxed attribute.
+
     The resulting library can be used instead of the original cc_library
     as dependency for other targets. The behavior is supposed to be identical
     to the original library, except that the library is sandboxed with a single
@@ -529,16 +533,18 @@ def cc_sandboxed_library(
 
     Args:
       name: Name of the target
-      lib: Label of the cc_library target to sandbox
-      srcs: List of source files to tune syscall policy, and interface bridging.
+      annotations: List of source files to tune syscall policy, and interface bridging.
+      default_sandboxed: Whether the library is sandboxed by default.
       tags: Same as cc_library.tags
       host_deps: Additional dependencies for the host code.
       sandboxee_deps: Additional dependencies for the sandboxee code.
       visibility: Same as cc_library.visibility
       compatible_with: Same as cc_library.compatible_with
+      **kwargs: Same as for cc_library.
     """
 
     # Implementation outline:
+    # 0. Create unsandboxed cc_library with an internal name.
     # 1. Run clang generator tool in sandboxed library mode.
     #    In this mode it takes all functions declared in the library public headers,
     #    and generates 3 files:
@@ -565,16 +571,23 @@ def cc_sandboxed_library(
     #    Using the compilation context of the original library ensures that during
     #    compilation the replacement library "looks" exactly as the original library
     #    (this includes any use of defines/includes and any other cc_library attributes).
+    # 7. Finally, the rule that actually uses the name as name selects between
+    #    the original library and the sandboxed library using the default_sandboxed attribute.
 
     # Unique prefix for things generated by sapi_library (e.g. FooSandbox class name).
     # TODO(dvyukov): add hash/flattening of the full library /path:name, just the name is not
     # necessarily globally unique.
     wrapper_name = "Sapi" + name
     common = _common_kwargs(tags, visibility, compatible_with)
 
+    cc_library(
+        name = "_unsandboxed_" + name,
+        **(common | kwargs)
+    )
+
     _sandboxed_library_gen(
         name = "_sandboxed_library_gen_" + name,
-        lib = lib,
+        lib = "_unsandboxed_" + name,
         lib_name = wrapper_name,
         sandboxee_hdr_out = name + ".sapi.sandboxee.h.unformatted",
         sandboxee_src_out = name + ".sapi.sandboxee.cc.unformatted",
@@ -583,7 +596,7 @@ def cc_sandboxed_library(
         sandboxee_deps = sandboxee_deps,
         host_src_out = name + ".sapi.host.cc.unformatted",
         sapi_hdr = native.package_name() + "/_sapi_" + name + ".sapi.h",
-        srcs = srcs,
+        srcs = annotations,
         **common
     )
 
@@ -601,7 +614,7 @@ def cc_sandboxed_library(
         # that force linking of the sandboxee library. In global mode, it won't be linked.
         alwayslink = 1,
         deps = [
-            lib,
+            "_unsandboxed_" + name,
             "//sandboxed_api:lenval_core",
         ] + sandboxee_deps,
         **common
@@ -624,12 +637,20 @@ def cc_sandboxed_library(
     )
 
     _sandboxed_library(
-        name = name,
-        lib = lib,
+        name = "_sandboxed_" + name,
+        lib = "_unsandboxed_" + name,
         sapi = ":_sapi_" + name,
         **common
     )
 
+    _sandboxed_library_selector(
+        name = name,
+        unsandboxed_lib = "_unsandboxed_" + name,
+        sandboxed_lib = "_sandboxed_" + name,
+        default_sandboxed = default_sandboxed,
+        **common
+    )
+
 _sandboxed_library = rule(
     provides = [CcInfo],
     attrs = {
@@ -642,38 +663,68 @@ _sandboxed_library = rule(
     )],
 )
 
+def _sandboxed_library_selector_impl(ctx):
+    # TODO: disable sandboxing in non //tools/cc_target_os:linux-google[-arm] builds,
+    # host builds, and other non-interesting cases.
+    enabled = ctx.attr.default_sandboxed
+    if str(ctx.label) in ctx.attr._bin_sandboxing_enable[BuildSettingInfo].value:
+        enabled = True
+    if str(ctx.label) in ctx.attr._bin_sandboxing_disable[BuildSettingInfo].value:
+        enabled = False
+    if enabled:
+        return ctx.attr.sandboxed_lib[CcInfo]
+    return ctx.attr.unsandboxed_lib[CcInfo]
+
+_sandboxed_library_selector = rule(
+    implementation = _sandboxed_library_selector_impl,
+    provides = [CcInfo],
+    attrs = {
+        "unsandboxed_lib": attr.label(providers = [CcInfo]),
+        "sandboxed_lib": attr.label(providers = [CcInfo]),
+        "default_sandboxed": attr.bool(),
+        "_bin_sandboxing_enable": attr.label(default = "//sandboxed_api/bazel:lib_sandboxing_enable"),
+        "_bin_sandboxing_disable": attr.label(default = "//sandboxed_api/bazel:lib_sandboxing_disable"),
+    },
+)
+
 def cc_sandboxed_library_test(
         name,
         lib,
-        sandboxed_lib,
         deps = [],
         **kwargs):
     """Creates a pair of sandboxed/unsandboxed cc_test's for cc_sandboxed_library.
 
     NOTE: this functionality is experimental and may change in the future.
 
     This rule is supposed to be a replacement for any cc_test's for a library
-    that is used with cc_sandboxed_library. It creates a pair of cc_test's
+    that is converted to cc_sandboxed_library. It creates a pair of cc_test's
     that test both sandboxed and unsandboxed versions of the library.
 
     Args:
       name: Name of the target
-      lib: Label of the normal unsandboxed cc_library target
-      sandboxed_lib: Label of the cc_sandboxed_library target for the lib
-      deps: Same as cc_library.deps, must not include lib/sandboxed_lib
+      lib: Label of the cc_sandboxed_library target
+      deps: Same as cc_library.deps, must not include the lib
       **kwargs: Passed to resulting cc_test's
     """
 
     cc_test(
-        name = name + "_unsandboxed",
+        name = "_internal_" + name,
         deps = deps + [lib],
         **kwargs
     )
 
-    cc_test(
+    _transitioned_test(
+        name = name + "_unsandboxed",
+        binary = ":_internal_" + name,
+        lib_sandboxing_enable = [],
+        lib_sandboxing_disable = [str(native.package_relative_label(lib))],
+    )
+
+    _transitioned_test(
         name = name + "_sandboxed",
-        deps = deps + [sandboxed_lib],
-        **kwargs
+        binary = ":_internal_" + name,
+        lib_sandboxing_enable = [str(native.package_relative_label(lib))],
+        lib_sandboxing_disable = [],
     )
 
     native.test_suite(
@@ -777,3 +828,58 @@ sandboxed_library_gen_errors = rule(
         "errors": attr.output(),
     },
 )
+
+def _binary_transition_impl(_, attr):
+    return {
+        "//sandboxed_api/bazel:lib_sandboxing_enable": attr.lib_sandboxing_enable,
+        "//sandboxed_api/bazel:lib_sandboxing_disable": attr.lib_sandboxing_disable,
+    }
+
+_binary_transition = transition(
+    implementation = _binary_transition_impl,
+    inputs = [],
+    outputs = [
+        "//sandboxed_api/bazel:lib_sandboxing_enable",
+        "//sandboxed_api/bazel:lib_sandboxing_disable",
+    ],
+)
+
+def _transitioned_binary_impl(ctx):
+    default_info = ctx.attr.binary[0][DefaultInfo]
+    files = default_info.files.to_list()
+    orig_executable = files[0]
+    outfile = ctx.actions.declare_file(ctx.label.name)
+    ctx.actions.run_shell(
+        inputs = [orig_executable],
+        outputs = [outfile],
+        command = "cp %s %s" % (orig_executable.path, outfile.path),
+        mnemonic = "CcSandboxedLibraryCopyBinary",
+    )
+    data_runfiles = []
+    for file in default_info.data_runfiles.files.to_list():
+        if file == orig_executable:
+            file = outfile
+        data_runfiles = data_runfiles + [file]
+    default_runfiles = []
+    for file in default_info.default_runfiles.files.to_list():
+        if file == orig_executable:
+            file = outfile
+        default_runfiles = default_runfiles + [file]
+    return [
+        DefaultInfo(
+            executable = outfile,
+            data_runfiles = ctx.runfiles(files = data_runfiles),
+            default_runfiles = ctx.runfiles(files = default_runfiles),
+        ),
+    ]
+
+_transitioned_test = rule(
+    implementation = _transitioned_binary_impl,
+    attrs = {
+        "lib_sandboxing_enable": attr.string_list(),
+        "lib_sandboxing_disable": attr.string_list(),
+        "binary": attr.label(cfg = _binary_transition),
+    },
+    test = True,
+    executable = True,
+)

sandboxed_api/tests/testcases/BUILD

@@ -12,47 +12,44 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-load("@rules_cc//cc:cc_library.bzl", "cc_library")
 load("//sandboxed_api/bazel:sapi.bzl", "cc_sandboxed_library", "cc_sandboxed_library_test")
 
 package(default_visibility = ["//visibility:private"])
 
 licenses(["notice"])
 
-cc_library(
-    name = "replaced_library",
+cc_sandboxed_library(
+    name = "replacement_library",
     srcs = ["replaced_library.cc"],
     hdrs = ["replaced_library.h"],
+    annotations = ["lwbox_sandbox.cc"],
     deps = [
         "//sandboxed_api:annotations",
         "@abseil-cpp//absl/strings:string_view",
     ],
 )
 
-cc_sandboxed_library(
-    name = "replacement_library",
-    srcs = ["lwbox_sandbox.cc"],
-    lib = ":replaced_library",
-)
-
 cc_sandboxed_library(
     name = "replacement_library2",
-    srcs = ["lwbox_ignore.cc"],
-    lib = ":replaced_library",
+    srcs = ["replaced_library.cc"],
+    hdrs = ["replaced_library.h"],
+    annotations = ["lwbox_ignore.cc"],
+    deps = [
+        "//sandboxed_api:annotations",
+        "@abseil-cpp//absl/strings:string_view",
+    ],
 )
 
 cc_sandboxed_library_test(
-    name = "replaced_test",
+    name = "replacement_test",
     srcs = ["replaced_library_test.cc"],
-    lib = ":replaced_library",
-    sandboxed_lib = ":replacement_library",
+    lib = ":replacement_library",
     deps = ["@googletest//:gtest_main"],
 )
 
 cc_sandboxed_library_test(
-    name = "replaced2_test",
+    name = "replacement2_test",
     srcs = ["replaced_library_test.cc"],
-    lib = ":replaced_library",
-    sandboxed_lib = ":replacement_library2",
+    lib = ":replacement_library2",
     deps = ["@googletest//:gtest_main"],
 )