Don't resolve symlinks for --sandbox_base (#14748)
On macOS Big Sur, the sandbox-exec command behaves slightly differently than on
Catalina when firm links are present.

Resolving symlinks can prevent the sandbox from allowing write operations to the
sandbox base.

This effectively reverts a piece of 656a0ba, namely:

>  When using --experimental_sandbox_base, ensure that symlinks in the path are
>  resolved. Before this, you had to check whether on your system /dev/shm is a
>  symlink to /run/shm and then use that instead. Now it no longer matters, as
>  symlinks are resolved.

See #13766 for full details.

Closes #13984.

PiperOrigin-RevId: 422319807
(cherry picked from commit 0de7bb9)

Co-authored-by: Oscar Bonilla <6f6231@gmail.com>
brentleyjones and ob authored Feb 9, 2022
1 parent d53f53c commit 167e79f
Showing 1 changed file with 4 additions and 0 deletions.
Expand Up @@ -125,6 +125,10 @@ private static Path computeSandboxBase(SandboxOptions options, CommandEnvironmen
env.getRuntime().getProductName(),
Fingerprint.getHexDigest(env.getOutputBase().toString()));
FileSystem fileSystem = env.getRuntime().getFileSystem();
if (OS.getCurrent() == OS.DARWIN) {
// Don't resolve symlinks on macOS: See https://github.com/bazelbuild/bazel/issues/13766
return fileSystem.getPath(options.sandboxBase).getRelative(dirName);
}
Path resolvedSandboxBase = fileSystem.getPath(options.sandboxBase).resolveSymbolicLinks();
return resolvedSandboxBase.getRelative(dirName);
}
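
Review bot: the comment on the new `OS.DARWIN` branch gives only an issue link, so the reason for the special case is not readable from the code. State it inline: per the commit message, resolving symlinks can stop sandbox-exec from allowing writes to the sandbox base when firm links are present. The check also applies to every macOS version, while the message describes a Big Sur versus Catalina difference, so a symlinked sandbox base is now passed through unresolved on all Darwin hosts; if that is intended, the comment should say so. `fileSystem.getPath(options.sandboxBase)` is now built in both paths; building it once and calling `resolveSymbolicLinks()` only when not on Darwin would keep the two cases from drifting apart. The change touches one file and adds no test covering the Darwin path.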