bazelbuild/bazel

Linux sandboxes do not isolate "abstract" UNIX domain sockets (IPC)

Open

#27181 opened on Oct 7, 2025

Labels: P3, help wanted, team-Local-Exec, type: bug

Description

Description of the bug:

I'm using a compiler which uses UNIX domain sockets (AF_UNIX) for IPC. Specifically, the compiler uses the "abstract" address format, so the socket is not bound to a specific file path on the system.

I'm using the linux-sandbox strategy. It does not seem to isolate these abstract address namespaces.

I'm seeing the compiler in one sandbox accidentally communicating over this IPC to compilers in another sandbox (when multiple sandboxes are run in parallel). This causes problems for the compiler. I'd expect the processes in one sandbox to only be able to talk to the processes in the same sandbox.

With Bazel mostly isolating the sandboxes but not isolating the "abstract" UNIX domain sockets in them, the compiler is unable to run under Bazel.

Is there any existing option that I'm missing to isolate the "abstract" UNIX domain sockets in sandboxes? If not, this seems to be a bug.

Thanks!

Which category does this issue belong to?

Local Execution

What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

No response

Which operating system are you running Bazel on?

Linux

What is the output of bazel info release?

release 8.1.0

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

N/A

What's the output of git remote get-url origin; git rev-parse HEAD ?

N/A

If this is a regression, please try to identify the Bazel commit where the bug was introduced with bazelisk --bisect.

N/A

Have you found anything relevant by searching the web?

Nothing found

Any other information, logs, or outputs that you want to share?

N/A
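
Abstract AF_UNIX names are scoped to the network namespace (see network_namespaces(7)), not to the filesystem or mount namespace, so two processes can reach each other's abstract sockets whenever they share a network namespace. The probe below is an added example, not part of the original issue and not Bazel code; the socket name and function names are constructed, and the second check assumes a Linux kernel that permits unprivileged user namespaces.

```python
import ctypes, errno, os, socket

CLONE_NEWUSER = 0x10000000  # values from <linux/sched.h>
CLONE_NEWNET = 0x40000000

def try_bind(name: bytes, unshare_flags: int = 0) -> str:
    """Fork a child that optionally unshares namespaces, then binds the
    abstract name. Returns 'bound', 'in-use', 'unshare-denied' or 'error'."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report the outcome through the pipe
        result = b"bound"
        try:
            if unshare_flags:
                libc = ctypes.CDLL(None, use_errno=True)
                if libc.unshare(unshare_flags) != 0:
                    result = b"unshare-denied"
            if result == b"bound":
                s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
                s.bind(b"\0" + name)  # leading NUL selects the abstract namespace
        except OSError as e:
            result = b"in-use" if e.errno == errno.EADDRINUSE else b"error"
        os.write(w, result)
        os._exit(0)
    os.close(w)
    out = os.read(r, 64).decode()
    os.close(r)
    os.waitpid(pid, 0)
    return out

def probe() -> dict:
    name = b"sandbox-probe-%d" % os.getpid()  # constructed, unique per run
    holder = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    holder.bind(b"\0" + name)  # stands in for a compiler in "another sandbox"
    try:
        return {
            "same_netns": try_bind(name),
            "new_netns": try_bind(name, CLONE_NEWUSER | CLONE_NEWNET),
        }
    finally:
        holder.close()

if __name__ == "__main__":
    print(probe())
```

A result of `in-use` for `same_netns` shows the name is visible across processes that share a network namespace; `bound` for `new_netns` shows that a fresh network namespace gets its own abstract name space.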
