Don't resolve symlinks for --sandbox_base #13984

Closed
ob wants to merge 1 commit into bazelbuild:master from ob:ob/sandbox-bugfix

@ob
Contributor

@ob ob commented Sep 13, 2021

On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

See #13766 for full details.

@google-cla google-cla bot added the cla: yes label Sep 13, 2021
@ob
Contributor Author

ob commented Sep 13, 2021

CC @philwo since 656a0ba was your commit.

@aiuto aiuto added the team-Local-Exec Issues and PRs for the Execution (Local) team label Dec 18, 2021
@meisterT
Member

cc @larsrc-google

@ob ob force-pushed the ob/sandbox-bugfix branch from 831d2a3 to 4d6faef January 10, 2022 17:48
On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba on macOS, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

but I think this is okay since macOS doesn't have /dev/shm or /run.

See bazelbuild#13766 for full details.
@ob ob force-pushed the ob/sandbox-bugfix branch from 4d6faef to a82022f January 10, 2022 19:07
@bazel-io bazel-io closed this in 0de7bb9 Jan 17, 2022
ob added a commit to ob/bazel that referenced this pull request Jan 18, 2022
On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

See bazelbuild#13766 for full details.

Closes bazelbuild#13984.

PiperOrigin-RevId: 422319807
(cherry picked from commit 0de7bb9)
@brentleyjones
Contributor

@Wyverald I think this should go in a 5.x release.

@Wyverald Wyverald added this to the 5.1 release blockers milestone Jan 21, 2022
@Wyverald
Member

(I realize that this is closed -- I'm still keeping track of it for 5.1 -- I'm trying a few things and seeing what's best for release management)

@Wyverald
Member

Wyverald commented Feb 3, 2022

@bazel-io fork 5.1

@Wyverald Wyverald removed this from the 5.1 release blockers milestone Feb 3, 2022
brentleyjones pushed a commit to brentleyjones/bazel that referenced this pull request Feb 8, 2022
Wyverald pushed a commit that referenced this pull request Feb 9, 2022
On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

See #13766 for full details.

Closes #13984.

PiperOrigin-RevId: 422319807
(cherry picked from commit 0de7bb9)

Co-authored-by: Oscar Bonilla <6f6231@gmail.com>