can't bind to "localhost" with sandboxing on OS X #5206
Comments
I am not sure I understand. You added the
external network shouldn't work yes, but binding to local host (INetAddress 'localhost/127.0.0.1:0') (with 'block-network'):
oh i see. does it work to bind to an arbitrary free port?
iiuc using port 0 does what you mean?
What I meant was what if you try to bind to a free port that you specify explicitly. I have just tried it out myself and that doesn't work either. Seems like a legit bug - thanks for reporting it and providing a reproducer!
I tried locally changing bazel to fix this, summarizing my attempts: trying to change these lines
It's not possible to change this to be
Hi,
Any news?
…On Tue, 19 Jun 2018 at 16:46 Talya Gendler ***@***.***> wrote:
I tried locally changing bazel to fix this, summarizing my attempts:
trying to change these lines
out.println("(allow network* (local ip \"localhost:*\"))");
out.println("(allow network* (remote ip \"localhost:*\"))");
It's not possible to change this to be localhost/127.0.0.1:* or
localhost/*:* since Apple's .sb format doesn't support this (results in this
error: host must be * or localhost in network address)
Also tried using out.println("(allow network* (local ip))"); but that
completely breaks the sandboxing since even external addresses are
accessible.
I added the shouldNotBindToNonLoopbackAddress test to the sample repo
to guard against this.
@philwo is back tomorrow. He should be able to sort this out quickly.
Hi,
unfortunately this is nothing that Bazel can fix. It's an issue in macOS's sandbox implementation. As you have found out, the only valid values for the "allow/deny network" settings are "*" and "localhost". We are already setting this to "localhost". The fact that macOS's sandbox then still forbids binding to "localhost" is a bug in the sandbox, not in Bazel.
However, as we hit the same issue in Bazel, luckily I can share a workaround with you that you can apply to your own code:
I'd also recommend reporting this issue to Apple.
Hope this helps,
Thanks, the comment in the referenced code is quite detailed :)
https://buildkite.com/bazel/bazel-bazel/builds/26312#018d1722-0e79-47b4-82ed-9cc47487e05a
Related issues:
- #20743
- #5206
PiperOrigin-RevId: 599452705
Change-Id: I2fdccd9df513064e5bc9add4f1802d4c1ce9c6da
Related issues:
- bazelbuild#20743
- bazelbuild#5206
PiperOrigin-RevId: 599754818
Change-Id: I228201d578b7459332aebfea6ab4d7c041b3e6c4
Set Xcode version to 15.1 on macOS arm64 machines
bazel_determinism_test seems to be flaky due to a non-deterministic issue of the clang compiler in Xcode 14.2
Fixes #20690
PiperOrigin-RevId: 598760276
Change-Id: Ibc46dfa64fe91f26acfa5091a07c17e3bf97f29c
____
Allow network for two Java tests to avoid binding issue on macOS sandbox
https://buildkite.com/bazel/bazel-bazel/builds/26312#018d1722-0e79-47b4-82ed-9cc47487e05a
Related issues:
- #20743
- #5206
PiperOrigin-RevId: 599452705
Change-Id: I2fdccd9df513064e5bc9add4f1802d4c1ce9c6da
____
Allow network for StarlarkDebugServerTest
Related issues:
- #20743
- #5206
PiperOrigin-RevId: 599754818
Change-Id: I228201d578b7459332aebfea6ab4d7c041b3e6c4
___
Add mirror for embedded JDKs URLs
Reduce flakiness like: https://buildkite.com/bazel/bazel-bazel/builds/26343#018d1e09-4c23-404c-a307-7476e092c7ab
PiperOrigin-RevId: 599759327
Change-Id: I43fa2ec996f03e77da926c2afeaca13cbf029a1b
Anyone ever open a bug for Apple to look into this?
FWIW I heard on bazel slack that 127.0.0.1 works as well (unconfirmed) in addition to IPv6
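Added example, not part of the thread and not Bazel code: a Java probe that a sandboxed test can run to record which loopback forms actually bind ("localhost" as in the report, plus the literal 127.0.0.1 and ::1 mentioned in the comments) and to flag any successful bind on a non-loopback address, the condition the reproducer's shouldNotBindToNonLoopbackAddress test guards against. The class name `LoopbackBindProbe` and the exit-code convention are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added diagnostic (hypothetical class name, not Bazel code).
public class LoopbackBindProbe {

  // Binds an ephemeral TCP port on addr; returns null on success, else the error text.
  static String bindError(InetAddress addr) {
    try (ServerSocket socket = new ServerSocket()) {
      socket.bind(new InetSocketAddress(addr, 0));
      return null;
    } catch (IOException | SecurityException e) {
      return e.toString();
    }
  }

  public static void main(String[] args) throws Exception {
    List<InetAddress> targets = new ArrayList<>();
    // "localhost" is the form from the report; the two literals skip name resolution.
    for (String host : new String[] {"localhost", "127.0.0.1", "::1"}) {
      try {
        targets.add(InetAddress.getByName(host));
      } catch (IOException e) {
        System.out.printf("%-40s unresolved: %s%n", host, e);
      }
    }
    // Addresses on non-loopback interfaces: binding to them should fail when the network is blocked.
    for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces())) {
      if (nic.isLoopback()) continue;
      for (InetAddress addr : Collections.list(nic.getInetAddresses())) {
        if (!addr.isLoopbackAddress()) targets.add(addr);
      }
    }
    boolean escaped = false;
    for (InetAddress addr : targets) {
      String error = bindError(addr);
      System.out.printf("%-40s %s%n", addr, error == null ? "bound" : error);
      // A successful non-loopback bind means the sandbox is not confining this process.
      if (error == null && !addr.isLoopbackAddress()) escaped = true;
    }
    System.exit(escaped ? 1 : 0);
  }
}
```

Run outside the sandbox, the probe exits 1 on any host with a configured non-loopback interface, since nothing blocks those binds.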
Description of the problem / feature request:
new InetSocketAddress("localhost", 0).bind()
fails on OS X when run with sandboxing
it passes without sandboxing or with sandboxing on docker-on-mac
Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.
https://github.com/talya/bazel-localhost-resolving
Environment info
Have you found anything relevant by searching the web?
related to #2669 and seems that relevant code is DarwinSandboxedSpawnRunner (which was last changed to allow the unix-socket in #3444):