Skip to content

[5.6] Sandbox blocks output to default plugin output directory when it's under <pkgdir>/.build #4018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 15, 2022
Merged

[5.6] Sandbox blocks output to default plugin output directory when it's under <pkgdir>/.build #4018

merged 1 commit into from
Jan 15, 2022

Conversation

abertelrud
Copy link
Contributor

This is the 5.6 nomination of #4009.

Explanation: The sandbox rules introduced in #3996 made the entire package directory read-only, but that isn't appropriate when .build is inside the package directory. Swapping the order so that the sandbox applies the allow-write rules after the deny-write rules allows .build (or whatever the output directory is) to be written to while keeping the rest of the package directory readonly to the plugin.

Scope of Issue: This affects SwiftPM users who run command plugins that write to the plugin working directory and who are not customizing the intermediate-files directory using the --build-path option.

Reason for Nominating to 5.6: This is a common use case in new functionality (command plugins).

Risk: Low — although the sandbox is used for manifest loading as well as running plugins, the ability to add custom writable locations is only used in the new functionality of command plugins.

Reviewed By: @tomerd

Automated Testing: A new unit test covers this case.

Dependencies: None

Impact on CI: None

How to Verify: Use a command plugin that writes intermediate files to the plugin working directory (as opposed to /tmp) and check that it works even when the SwiftPM intermediates directory is inside the package directory.

rdar://87417780

@abertelrud
[5.6] Sandbox blocks output to default plugin output directory when i…
befeaf9 
…t's under `<pkgdir>/.build`

The sandbox rules introduced in swiftlang#3996 made the entire package directory read-only, but that isn't appropriate when `.build` is inside the package directory.

The rules for applying read-only directories were intended to shadow the implicit rules added by specifying a writable temporary directory, not to block the ones specified by explicit writable directories.  This fixes that ordering, and adds the missing unit test that would have caught the problem.

rdar://87417780

(cherry picked from commit c3f5261)
@abertelrud
Copy link
Contributor Author

@swift-ci please test

@abertelrud abertelrud self-assigned this Jan 13, 2022
@abertelrud abertelrud added 5.6 ready Author believes the PR is ready to be merged & any feedback has been addressed labels Jan 13, 2022
@abertelrud abertelrud merged commit b812bcb into swiftlang:release/5.6 Jan 15, 2022
@abertelrud abertelrud deleted the eng/87417780-fix-sandbox-ordering-rules branch January 15, 2022 01:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomerd tomerd tomerd approved these changes

@airspeedswift airspeedswift airspeedswift approved these changes

@elsh elsh Awaiting requested review from elsh elsh is a code owner

@neonichu neonichu Awaiting requested review from neonichu neonichu is a code owner

Assignees

@abertelrud abertelrud

Labels
ready Author believes the PR is ready to be merged & any feedback has been addressed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@abertelrud @tomerd @airspeedswift