Mount user-specified bind mounts before Bazel's own magic.

This makes it possible to mount directories under /tmp somewhere else. Before, /tmp was overridden by the implementation of hermetic /tmp.

Fixes #20527.

RELNOTES: None.
PiperOrigin-RevId: 592247867
Change-Id: Ib5b75cd21ffe4fa4c8ee3f75d82894da6dd61f54

src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java

@@ -423,6 +423,7 @@ private ImmutableList<BindMount> getBindMounts(
 
  LinuxSandboxUtil.validateBindMounts(bindMounts);
  ImmutableList.Builder<BindMount> result = ImmutableList.builder();
+ bindMounts.forEach((k, v) -> result.add(BindMount.of(k, v)));
 
  if (sandboxTmp != null) {
  // First mount the real exec root and the empty directory created as the working dir of the
@@ -445,7 +446,6 @@ private ImmutableList<BindMount> getBindMounts(
  result.add(BindMount.of(tmpPath, sandboxTmp));
  }
 
- bindMounts.forEach((k, v) -> result.add(BindMount.of(k, v)));
  return result.build();
  }
 

src/test/shell/bazel/bazel_sandboxing_test.sh

@@ -306,6 +306,34 @@ EOF
  bazel build //pkg:a &>$TEST_log || fail "expected build to succeed"
 }
 
+function test_add_mount_pair_tmp_source() {
+ if [[ "$PLATFORM" == "darwin" ]]; then
+ # Tests Linux-specific functionality
+ return 0
+ fi
+
+ create_workspace_with_default_repos WORKSPACE
+
+ sed -i.bak '/sandbox_tmpfs_path/d' $TEST_TMPDIR/bazelrc
+
+ mkdir -p pkg
+ cat > pkg/BUILD <<'EOF'
+genrule(
+ name = "gen",
+ outs = ["gen.txt"],
+ cmd = "cp /etc/data.txt $@",
+)
+EOF
+
+ local mounted=$(mktemp -d "/tmp/bazel_mounted.XXXXXXXX")
+ trap "rm -fr $mounted" EXIT
+ echo GOOD > "$mounted/data.txt"
+
+ # This assumes the existence of /etc on the host system
+ bazel build --sandbox_add_mount_pair="$mounted:/etc" //pkg:gen || fail "build failed"
+ assert_contains GOOD bazel-bin/pkg/gen.txt
+}
+
 # The test shouldn't fail if the environment doesn't support running it.
 check_sandbox_allowed || exit 0