Enable --incompatible_sandbox_hermetic_tmp by default

fmeum · fmeum · commit 3b9cc816ceb3 · 2023-10-25T22:22:32.000+02:00
Fixes #3236 Fixes #19915
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
@@ -350,12 +350,12 @@ public ImmutableSet<Path> getInaccessiblePaths(FileSystem fs) {
 
   @Option(
       name = "incompatible_sandbox_hermetic_tmp",
-      defaultValue = "false",
+      defaultValue = "true",
       documentationCategory = OptionDocumentationCategory.EXECUTION_STRATEGY,
       effectTags = {OptionEffectTag.EXECUTION},
       help =
           "If set to true, each Linux sandbox will have its own dedicated empty directory mounted"
-              + " as /tmp rather thansharing /tmp with the host filesystem. Use"
+              + " as /tmp rather than sharing /tmp with the host filesystem. Use"
               + " --sandbox_add_mount_pair=/tmp to keep seeing the host's /tmp in all sandboxes.")
   public boolean sandboxHermeticTmp;
 
diff --git a/src/test/java/com/google/devtools/build/lib/buildtool/EditDuringBuildTest.java b/src/test/java/com/google/devtools/build/lib/buildtool/EditDuringBuildTest.java
@@ -44,9 +44,8 @@ public void testEditDuringBuild() throws Exception {
     Path in = write("edit/in", "line1");
     in.setLastModifiedTime(123456789);
 
-    // Make in writable from sandbox (in case sandbox strategy is used).
-    String absoluteInPath = in.getPathString();
-    addOptions("--sandbox_writable_path=" + absoluteInPath);
+    // Modify the actual source file, not a sandboxed copy.
+    addOptions("--spawn_strategy=local");
 
     // The "echo" effects editing of the source file during the build:
     write("edit/BUILD",
diff --git a/src/test/shell/bazel/bazel_sandboxing_networking_test.sh b/src/test/shell/bazel/bazel_sandboxing_networking_test.sh
@@ -36,6 +36,8 @@ source ${CURRENT_DIR}/remote_helpers.sh \
 function set_up() {
   add_to_bazelrc "build --spawn_strategy=sandboxed"
   add_to_bazelrc "build --genrule_strategy=sandboxed"
+  # Allow the network socket to be seen in the sandbox.
+  add_to_bazelrc "build --sandbox_add_mount_pair=/tmp"
 
   sed -i.bak '/sandbox_tmpfs_path/d' $TEST_TMPDIR/bazelrc
 }
diff --git a/src/test/shell/integration/sandboxing_test.sh b/src/test/shell/integration/sandboxing_test.sh
@@ -735,6 +735,7 @@ EOF
 
   touch "${temp_dir}/file"
   bazel test //pkg:tmp_test \
+    --sandbox_add_mount_pair=/tmp \
     --test_output=errors &>$TEST_log || fail "Expected test to pass"
 }
 
@@ -812,6 +813,7 @@ EOF
   chmod +x pkg/tmp_test.sh
 
   bazel test //pkg:tmp_test \
+    --sandbox_add_mount_pair=/tmp \
     --test_output=errors &>$TEST_log || fail "Expected test to pass"
   [[ -f "${temp_dir}/file" ]] || fail "Expected ${temp_dir}/file to exist"
 }

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ source ${CURRENT_DIR}/remote_helpers.sh \`
`36`	`36`	`function set_up() {`
`37`	`37`	`add_to_bazelrc "build --spawn_strategy=sandboxed"`
`38`	`38`	`add_to_bazelrc "build --genrule_strategy=sandboxed"`
	`39`	`+ # Allow the network socket to be seen in the sandbox.`
	`40`	`+ add_to_bazelrc "build --sandbox_add_mount_pair=/tmp"`
`39`	`41`
`40`	`42`	`sed -i.bak '/sandbox_tmpfs_path/d' $TEST_TMPDIR/bazelrc`
`41`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -735,6 +735,7 @@ EOF`
`735`	`735`
`736`	`736`	`touch "${temp_dir}/file"`
`737`	`737`	`bazel test //pkg:tmp_test \`
	`738`	`+ --sandbox_add_mount_pair=/tmp \`
`738`	`739`	`--test_output=errors &>$TEST_log \|\| fail "Expected test to pass"`
`739`	`740`	`}`
`740`	`741`
`@@ -812,6 +813,7 @@ EOF`
`812`	`813`	`chmod +x pkg/tmp_test.sh`
`813`	`814`
`814`	`815`	`bazel test //pkg:tmp_test \`
	`816`	`+ --sandbox_add_mount_pair=/tmp \`
`815`	`817`	`--test_output=errors &>$TEST_log \|\| fail "Expected test to pass"`
`816`	`818`	`[[ -f "${temp_dir}/file" ]] \|\| fail "Expected ${temp_dir}/file to exist"`
`817`	`819`	`}`