Labels: P3, help wanted, team-Remote-Exec, type: feature request
Description
Description of the feature request:
@thesayyn has been studying the new https://developer.apple.com/documentation/FSKit API introduced in recent versions of macOS. We believe this could allow a sandbox implementation that's both fast and isolated, in the sense that it avoids common sandbox escaping by following symlinks.
Background:
- Current implementation is substantially slower than `local` spawn: https://github.com/bazelbuild/bazel/issues/8230 from 2019
- NodeJS tooling always follows symlinks, even when implemented in Go or Rust. Thus the new Go implementation of the TypeScript type-checker can't run in a Bazel sandbox, along with ESbuild, SWC, OXC, and so on. https://github.com/aspect-build/rules_js/issues?q=is%3Aissue%20state%3Aopen%20sandbox lists some of the issues
- The `docker` strategy gives a stronger isolation but is impractical since it doesn't re-use containers.
- Sahin has some experiments at https://github.com/thesayyn/sandboxfs
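To make the symlink-following problem concrete, here is a small added Go example (not code from this issue, Bazel, or sandboxfs) that stages one input into a constructed temporary sandbox directory via a symlink and checks whether its canonical path still lies under the sandbox root; the file names and directory layout are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolvesOutside reports whether inside, once every symlink is followed (as
// realpath-style tooling does), lies outside root; root is canonicalised too.
func resolvesOutside(root, inside string) (bool, error) {
	realRoot, err1 := filepath.EvalSymlinks(root)
	realPath, err2 := filepath.EvalSymlinks(inside)
	if err := errors.Join(err1, err2); err != nil {
		return false, err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil {
		return false, err
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)), nil
}

// demo stages a constructed layout: an input file outside a sandbox root and a
// symlink to it inside the root, the way an eager symlink sandbox stages inputs.
// It reports whether the staged input resolves outside the sandbox.
func demo() bool {
	base, err := os.MkdirTemp("", "symlink-sandbox-demo")
	check(err)
	defer os.RemoveAll(base)
	src, root := filepath.Join(base, "index.ts"), filepath.Join(base, "sandbox")
	check(os.MkdirAll(root, 0o755))
	check(os.WriteFile(src, []byte("export {}\n"), 0o644))
	check(os.Symlink(src, filepath.Join(root, "index.ts")))
	escapes, err := resolvesOutside(root, filepath.Join(root, "index.ts"))
	check(err)
	return escapes
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	fmt.Println("symlinked input resolves outside the sandbox:", demo())
}
```

A tool that canonicalises paths before reading them therefore operates on the real file outside the sandbox root, which is why the symlink-based sandbox gives no isolation for such tools.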
Alternatives:
- Replace eager symlink creation with an on-demand userland filesystem
- If cross-device hardlinks were permitted, it might help. The kernel security system might need changes.
- macFUSE has an FSKit implementation now, but you have to reduce secure boot.
- bb-clientd uses an NFS approach but it's brittle (@jsharpe)
Which category does this issue belong to?
Action Spawns