Don't resolve symlinks for --sandbox_base #13984

Closed

ob (Contributor) commented Sep 13, 2021

On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba, namely:

> When using --experimental_sandbox_base, ensure that symlinks in the path are
> resolved. Before this, you had to check whether on your system /dev/shm is a
> symlink to /run/shm and then use that instead. Now it no longer matters, as
> symlinks are resolved.

See #13766 for full details.

@google-cla google-cla bot added the cla: yes label Sep 13, 2021
ob (Contributor, Author) commented Sep 13, 2021

CC @philwo since 656a0ba was your commit.

@aiuto aiuto added the team-Local-Exec Issues and PRs for the Execution (Local) team label Dec 18, 2021
meisterT (Member) commented

cc @larsrc-google

@ob ob force-pushed the ob/sandbox-bugfix branch from 831d2a3 to 4d6faef January 10, 2022 17:48
On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba on macOS, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

but I think this is okay since macOS doesn't have /dev/shm or /run.

See bazelbuild#13766 for full details.
@ob ob force-pushed the ob/sandbox-bugfix branch from 4d6faef to a82022f January 10, 2022 19:07
@bazel-io bazel-io closed this in 0de7bb9 Jan 17, 2022
ob added a commit to ob/bazel that referenced this pull request Jan 18, 2022
On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

See bazelbuild#13766 for full details.

Closes bazelbuild#13984.

PiperOrigin-RevId: 422319807
(cherry picked from commit 0de7bb9)
brentleyjones (Contributor) commented

@Wyverald I think this should go in a 5.x release.

@Wyverald Wyverald added this to the 5.1 release blockers milestone Jan 21, 2022
Wyverald (Member) commented

(I realize that this is closed -- I'm still keeping track of it for 5.1 -- I'm trying a few things and seeing what's best for release management)

Wyverald (Member) commented Feb 3, 2022

@bazel-io fork 5.1

@Wyverald Wyverald removed this from the 5.1 release blockers milestone Feb 3, 2022
brentleyjones pushed a commit to brentleyjones/bazel that referenced this pull request Feb 8, 2022
Wyverald pushed a commit that referenced this pull request Feb 9, 2022
On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

See #13766 for full details.

Closes #13984.

PiperOrigin-RevId: 422319807
(cherry picked from commit 0de7bb9)

Co-authored-by: Oscar Bonilla <6f6231@gmail.com>