Add script to dump system files used by build
In order to move towards builds which only use resources in the Hafnium
repo, this patch adds a script which runs the build with strace and
dumps all files touched in the process. Files in the Hafnium directory
and in /tmp are automatically filtered out.
Bug: 132428451
Test: ./build/strace_open.sh opened_files.txt
Change-Id: I03a2df4eedf40c456b65920ec8bf98ad08e747c6
diff --git a/build/run_in_container.sh b/build/run_in_container.sh
index e3c6bd0..ae0850e 100755
--- a/build/run_in_container.sh
+++ b/build/run_in_container.sh
@@ -42,14 +42,30 @@
"${SCRIPT_DIR}/docker"
IMAGE_ID="$(cat ${IID_FILE})"
-# Check if script was invoked with '-i' as first argument. If so, run
-# container in interactive mode.
+# Parse command line arguments
INTERACTIVE=false
-if [ "${1:-}" == "-i" ]
-then
- INTERACTIVE=true
- shift
-fi
+ALLOW_PTRACE=false
+while true
+do
+ case "${1:-}" in
+ -i)
+ INTERACTIVE=true
+ shift
+ ;;
+ -p)
+ ALLOW_PTRACE=true
+ shift
+ ;;
+ -*)
+ echo "ERROR: Unknown command line flag: $1" 1>&2
+ echo "Usage: $0 [-i] [-p] <command>"
+ exit 1
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
ARGS=()
# Run with a pseduo-TTY for nicer logging.
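Review bot: The usage line in the `-*)` arm goes to stdout while the error line just above it goes to stderr, so a caller that captures the script's output (as `strace_open.sh` in the commit message presumably does) gets the usage text mixed into its data; it should be `echo "Usage: $0 [-i] [-p] <command>" 1>&2`. The loop also has no `--` arm, so a command whose first word starts with `-` can never be passed through; an extra `--) shift; break ;;` arm before `-*)` would fix that and matches the usage string's `<command>` intent. The `ARGS` handling that consumes these flags continues in the next hunk.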
@@ -59,6 +75,12 @@
then
ARGS+=(-i)
fi
+# Allow ptrace() syscall if invoked with '-p'.
+if [ "${ALLOW_PTRACE}" == "true" ]
+then
+ echo "WARNING: Docker seccomp profile is disabled!" 1>&2
+ ARGS+=(--cap-add=SYS_PTRACE --security-opt seccomp=unconfined)
+fi
# Set environment variable informing the build that we are running inside
# a container.
ARGS+=(-e HAFNIUM_HERMETIC_BUILD=inside)
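Review bot: `--security-opt seccomp=unconfined` removes the entire syscall filter for the container, which is broader than what the `-p` flag and its comment ("Allow ptrace() syscall") describe. Recent Docker default seccomp profiles permit `ptrace` once `CAP_SYS_PTRACE` is granted, so `--cap-add=SYS_PTRACE` alone may be sufficient on the Docker version used here; if the unconfined option is in fact required for the strace build, the comment should say which Docker/kernel combination needed it, e.g. `# seccomp=unconfined is required for ptrace on Docker <VERSION-PLACEHOLDER>; newer versions only need CAP_SYS_PTRACE.` The WARNING line is appropriate either way, but tying it to the actual reason would let a maintainer drop the unconfined profile when it is no longer needed.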