bazelbuild/bazel

document ways to enforce (linux) sandboxing

Open

#13,995 创建于 2021年9月15日

在 GitHub 查看
 (6 评论) (1 反应) (0 负责人)Java (4,465 fork)batch import
P3help wantedteam-Documentationteam-Local-Exectype: documentation (cleanup)

仓库指标

Star
 (25,384 star)
PR 合并指标
 (平均合并 22天 20小时) (30 天内合并 77 个 PR)

描述

Description of the problem / feature request:

Bazel can silently fallback to weaker symlink sandbox if /bin/ttue is not available (https://github.com/bazelbuild/bazel/issues/13994) or if there aren't enough privileges to execute clone syscall with new namespaces (say running in unprivileged docker container locally or in cloud / CI).

This makes one's CI checks weaker and difference between build/test targets on different machines hidden. And since not all rules are sandbox-ready it'd be nice to have control over whether sandbox is on.

Ideally there should be flags to: best effort sandboxing, failing if sandboxing isn't working, disabling sandboxing, and also all of it for specific aspects (networking, root filesystem access, write access to inputs or other undeclared places, sandboxfs mounts availability, etc)

Feature requests: what underlying problem are you trying to solve with this feature?

Have control over sandboxing to be more hermetic, consistent between machines and have reliable CI.

Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Run bazel in unprivileged docker container and execute an action that escapes the sandbox (no short example yet, may add later)

What operating system are you running Bazel on?

NixOS

What's the output of bazel info release?

release 4.2.1- (@non-git)

If bazel info release returns "development version" or "(@non-git)", tell us how you built Bazel.

NixOS nixpkgs

贡献者指南