Enable --incompatible_sandbox_hermetic_tmp by default

Fixes #3236 Fixes #19915
bazelbuild · Nov 6, 2023 · 0a95ee2 · 0a95ee2
1 parent ec46042
commit 0a95ee2
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 5 deletions.
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
@@ -350,12 +350,12 @@ public ImmutableSet<Path> getInaccessiblePaths(FileSystem fs) {
 
   @Option(
       name = "incompatible_sandbox_hermetic_tmp",
-      defaultValue = "false",
+      defaultValue = "true",
       documentationCategory = OptionDocumentationCategory.EXECUTION_STRATEGY,
       effectTags = {OptionEffectTag.EXECUTION},
       help =
           "If set to true, each Linux sandbox will have its own dedicated empty directory mounted"
-              + " as /tmp rather thansharing /tmp with the host filesystem. Use"
+              + " as /tmp rather than sharing /tmp with the host filesystem. Use"
               + " --sandbox_add_mount_pair=/tmp to keep seeing the host's /tmp in all sandboxes.")
   public boolean sandboxHermeticTmp;
 

diff --git a/src/test/java/com/google/devtools/build/lib/buildtool/EditDuringBuildTest.java b/src/test/java/com/google/devtools/build/lib/buildtool/EditDuringBuildTest.java
@@ -44,9 +44,8 @@ public void testEditDuringBuild() throws Exception {
     Path in = write("edit/in", "line1");
     in.setLastModifiedTime(123456789);
 
-    // Make in writable from sandbox (in case sandbox strategy is used).
-    String absoluteInPath = in.getPathString();
-    addOptions("--sandbox_writable_path=" + absoluteInPath);
+    // Modify the actual source file, not a sandboxed copy.
+    addOptions("--spawn_strategy=local");
 
     // The "echo" effects editing of the source file during the build:
     write("edit/BUILD",

diff --git a/src/test/shell/bazel/bazel_sandboxing_networking_test.sh b/src/test/shell/bazel/bazel_sandboxing_networking_test.sh
@@ -36,6 +36,8 @@ source ${CURRENT_DIR}/remote_helpers.sh \
 function set_up() {
   add_to_bazelrc "build --spawn_strategy=sandboxed"
   add_to_bazelrc "build --genrule_strategy=sandboxed"
+  # Allow the network socket to be seen in the sandbox.
+  add_to_bazelrc "build --sandbox_add_mount_pair=/tmp"
 
   sed -i.bak '/sandbox_tmpfs_path/d' $TEST_TMPDIR/bazelrc
 }

diff --git a/src/test/shell/integration/sandboxing_test.sh b/src/test/shell/integration/sandboxing_test.sh
@@ -735,6 +735,7 @@ EOF
 
   touch "${temp_dir}/file"
   bazel test //pkg:tmp_test \
+    --sandbox_add_mount_pair=/tmp \
     --test_output=errors &>$TEST_log || fail "Expected test to pass"
 }
 
@@ -812,6 +813,7 @@ EOF
   chmod +x pkg/tmp_test.sh
 
   bazel test //pkg:tmp_test \
+    --sandbox_add_mount_pair=/tmp \
     --test_output=errors &>$TEST_log || fail "Expected test to pass"
   [[ -f "${temp_dir}/file" ]] || fail "Expected ${temp_dir}/file to exist"
 }