Reputation: 53
How do I require the sandbox?
I don't want users to accidentally disable the sandbox by leaving user namespaces disabled in their kernel, or through other mechanisms. I want to be able to trust their build results. How do I force the sandbox on through flags?
(The easiest way I've found to test this is to move /bin/true somewhere else momentarily and verify that Bazel refuses to build anything)
Upvotes: 2
Views: 834
Answers (1)
Reputation: 444
You can specify an explicit Spawn strategy instead of relying on the "pick the best available" algorithm:
bazel build --spawn_strategy=linux-sandbox
This will let builds fail with an error if user namespaces are not available. On macOS the name of the strategy is "darwin-sandbox".
If you're building Java code, you might also want to either enable Worker sandboxing (--worker_sandboxing) or disable the persistent worker feature and compile Java inside the stricter sandbox (--strategy=Javac=linux-sandbox).
Upvotes: 3
Related Questions
- App sandbox not enabled
- How do I detect if my app is sandboxed?
- How to I run sandbox on my windows laptop?
- In bazel testing C++ gtest, how do I create a sandbox per TEST_P parameter so I can look at their content?
- Starting the Windows Sandbox from managed code
- Is there a way to get bazel to use sandbox directories when sandboxing is not supported?
- Roblox Script Builder Sandbox
- Running bazel with sandboxing in a Docker container
- How do I get started with libsandbox
- sandboxed python plugins