From 491284b0c782e0df25dd0a8bc921a9c2de0e6881 Mon Sep 17 00:00:00 2001
From: Googler
Date: Mon, 6 Nov 2023 03:04:29 -0800
Subject: [PATCH] Do not do magic to achieve a hermetic `/tmp` when the sandbox is hermetic.

The sandbox process already does a `chroot()` and creates a fresh `/tmp` in it so no magic is needed.

RELNOTES: None.
PiperOrigin-RevId: 579782553
Change-Id: Ia5df1911ab326b739a0693ae81c794ecd8dce53d
---
 .../build/lib/sandbox/LinuxSandboxedSpawnRunner.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
index ab81372fda7b58..18cd8b1ff64325 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
@@ -187,6 +187,12 @@ private boolean useHermeticTmp() {
 return false;
 }
 
+ if (getSandboxOptions().useHermetic) {
+ // The hermetic sandbox is, well, already hermetic. Also, it creates an empty /tmp by default
+ // so nothing needs to be done to achieve a /tmp that is also hermetic.
+ return false;
+ }
+
 boolean tmpExplicitlyBindMounted =
 getSandboxOptions().sandboxAdditionalMounts.stream()
 .anyMatch(e -> e.getKey().equals("/tmp"));
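Review bot: The new early return in `useHermeticTmp()` makes `/tmp` isolation under `useHermetic` depend entirely on the sandbox process creating a fresh `/tmp` after its `chroot()`, and this commit touches one file and adds no test that pins that invariant. If the sandbox-side behaviour ever changes, this method would keep returning false and actions could presumably end up sharing a `/tmp` without any signal here. A test that runs an action with the hermetic sandbox enabled and asserts that `/tmp` starts empty would catch such a regression. The comment could also name the dependency precisely, e.g. `// Relies on the sandbox process creating an empty /tmp inside its chroot(); keep in sync with that code.` The method begins and ends outside the hunk, so how callers consume the result is not visible from here.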