`PATH` not propagated to many darwin actions

[keith]

This is a wider reaching version of #8425

In the linked issue I did some investigation around default PATH variables for actions that at the time I thought only affected py_* targets but it turns out that many other actions on darwin do not inherit any PATH and therefore fallback to macOS's default shell env of /usr/gnu/bin:/usr/local/bin:/bin:/usr/bin:. which can allow leakage of /usr/local/* binaries (which is specifically an issue because of homebrew).

While the default PATH may be ok for some use cases, if you actually try to restrict it using --action_env=PATH=something or by executing bazel with env -i PATH=something bazel ..., neither of these are applied to these actions.

For example any action that is executed in the context of Xcode is executed with these environment variables:

  exec env - \
    APPLE_SDK_PLATFORM=MacOSX \
    APPLE_SDK_VERSION_OVERRIDE=10.15 \
    XCODE_VERSION_OVERRIDE=11.5.0.11E608c \
  external/local_config_cc/wrapped_clang ...

Some actions that don't require Xcode are executed with no environment variables:

  exec env - \
  bazel-out/host/bin/external/build_bazel_rules_apple/tools/bundletool/bundletool ...

This is not the behavior of some other rules like genrule where if you build this target with --action_env=/usr/bin:/bin it hits the "Valid path":

genrule(
    name = "foo",
    outs = ["foo.txt"],
    cmd = """
if [[ "$$PATH" != "/usr/bin:/bin" ]]; then
  echo "error: path not propagated: $$PATH"
  exit 1
else
  echo "Valid path! $$PATH"
  exit 1
fi
""",
)

I think that either all actions should get a very conservative default PATH like /usr/bin:/bin, or the flags like --action_env should be able to add env vars to these actions (I believe the latter is likely the more flexible path, but I'm not sure about the implementation implications).

For native actions it seems that this can be resolved by adding:

.setInheritedEnvironment(ImmutableSet.of("PATH"));

to this logic

bazel/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcRuleClasses.java

Lines 140 to 144 in 8f67892

	static SpawnAction.Builder spawnAppleEnvActionBuilder(
	XcodeConfigInfo xcodeConfigInfo, ApplePlatform targetPlatform) {
	return spawnOnDarwinActionBuilder(xcodeConfigInfo)
	.setEnvironment(appleToolchainEnvironment(xcodeConfigInfo, targetPlatform));
	}

But for starlark actions they inherit this environment:

bazel/tools/osx/crosstool/cc_toolchain_config.bzl

Lines 4546 to 4557 in 8f67892

	env_entry(
	key = "XCODE_VERSION_OVERRIDE",
	value = "%{xcode_version_override_value}",
	),
	env_entry(
	key = "APPLE_SDK_VERSION_OVERRIDE",
	value = "%{apple_sdk_version_override_value}",
	),
	env_entry(
	key = "APPLE_SDK_PLATFORM",
	value = "%{apple_sdk_platform_value}",
	),

When accessing the environment variables for an action with the cc_common api. There doesn't seem to be a way to craft an env_entry that doesn't impose a value. So I could add /usr/bin:/bin there, but it wouldn't allow overrides via --action_env=PATH=foo

I'm happy to make a change here but I'm hoping for some guidance on the right path!

What operating system are you running Bazel on?

macOS

Bazel version?

8f67892

[susinmotion]

@gregestren is this something you'd be able to advise on?

[susinmotion]

Actually, this may be an Apple Rules issue, not an --action_env issue. @googlewalt , is this in your wheelhouse?

[googlewalt]

I think there are two issues:

1. AFAICT, based on code inspection, action_env does not work on bazel. @keith do you know of instances where it works?
2. bazel does not set a default PATH for actions.

In both cases, the issue seems to be that BazelRulesModule does not have some setup code we have internally, that does both (1) and (2).

[googlewalt]

Sorry. I found the setup code in BazelRulesModule.

[googlewalt]

Have you tried --incompatible_strict_action_env?