bazelbuild/bazel

linux sandbox spawns without env variables

Open

#27099 opened on Sep 27, 2025

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Java (25,384 stars) (4,465 forks)batch import
P3help wantedteam-Local-Exectype: bug

Description

Description of the bug:

There is a check to see if linux-sandbox can run on the host,

https://github.com/bazelbuild/bazel/blob/3ebd6adfdc836f456e0bcabac399f2e985c2933f/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java#L102-L123

This check invokes running /bin/true however on my system (nixos) this binary does not exist. Instead I have a fuse mounted on /bin and /usr/bin to resolve all binaries under there to point to their hermetic location based on the PATH.

troy@troy-server ~/g/s/scuffle (main)> ls -lah /bin/true                                                                                                                                                                                
lr----x--t 1 root root 0 Dec 31  1969 /bin/true -> /nix/store/mp7ba85zcqdj2sqwa29pql02s6nqpcxy-coreutils-9.7/bin/true

In my case it points to some nix-store.

and this is not a static binary.

troy@troy-server ~/g/s/scuffle (main)> ldd /bin/true                                                                                                                                                                                    
        linux-vdso.so.1 (0x00007f4a9b7a8000)
        libacl.so.1 => /nix/store/pi4h9797ldv1435a75246lwpdgmxiabk-acl-2.3.2/lib/libacl.so.1 (0x00007f4a9b797000)
        libattr.so.1 => /nix/store/072g4zhidpalbdjvnslfd89nx4j9s319-attr-2.5.2/lib/libattr.so.1 (0x00007f4a9b78f000)
        libgmp.so.10 => /nix/store/rbb1x89qn6h1c3r5hfz5an2h4dva8y2f-gmp-with-cxx-6.3.0/lib/libgmp.so.10 (0x00007f4a9b6e4000)
        libc.so.6 => /nix/store/zdpby3l6azi78sl83cpad2qjpfj25aqx-glibc-2.40-66/lib/libc.so.6 (0x00007f4a9b400000)
        /nix/store/zdpby3l6azi78sl83cpad2qjpfj25aqx-glibc-2.40-66/lib/ld-linux-x86-64.so.2 => /nix/store/zdpby3l6azi78sl83cpad2qjpfj25aqx-glibc-2.40-66/lib64/ld-linux-x86-64.so.2 (0x00007f4a9b7aa000)
troy@troy-server ~/g/s/scuffle (main)>    

[pid 199553] execve("/home/troy/.cache/bazel/_bazel_troy/install/1093707fde95f200c136d266696e04f7/linux-sandbox", ["/home/troy/.cache/bazel/_bazel_troy/install/1093707fde95f200c136d266696e04f7/linux-sandbox", "-T", "15", "--", "/bin/true"], []) = 0
strace: Process 199554 attached
strace: Process 199555 attached
strace: Process 199556 attached
strace: Process 199557 attached
strace: Process 199558 attached
[pid 199558] execve("/bin/true", ["/bin/true"], ["LD_LIBRARY_PATH="]) = -1 ENOENT (No such file or directory)
[pid 199558] exit_group(1)              = ?
[pid 199558] +++ exited with 1 +++
[pid 199555] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=1000, si_status=1, si_utime=0, si_stime=0} ---

Which category does this issue belong to?

No response

What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Running with the following command

strace -f -s 4096 -v -e trace=exit_group,exit,execve -- bazelisk --client_debug --batch test //... --spawn_strategy=linux-sandbox --nocache_test_results 2> out.txt

However you will need to be on a NixOS setup.

Which operating system are you running Bazel on?

NixOs

What is the output of bazel info release?

release 8.3.1

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

---- This also happens on the latest master commit 3ebd6adfdc836f456e0bcabac399f2e985c2933f

What's the output of git remote get-url origin; git rev-parse HEAD ?

If this is a regression, please try to identify the Bazel commit where the bug was introduced with bazelisk --bisect.

No response

Have you found anything relevant by searching the web?

https://github.com/bazelbuild/bazel/issues/13994 https://github.com/bazelbuild/bazel/issues/14734

Any other information, logs, or outputs that you want to share?

No response

Contributor guide

Tech stack
java
Domain
build system
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
JavaLinux sandboxingBazel internals
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Investigate the check in LinuxSandboxedSpawnRunner.java that runs /bin/true. Determine if the issue is that the sandbox clears environment variables including LD LIBRARY PATH, preventing dynamic linking. Consider alternative approaches such as using a statically linked binary or checking for the availability of the sandbox in a different way. Also review related issues #13994 and #14734 for prior context.