Expose starlark API for sandboxing configuration

[gigaroby]

In rules_rust we have a feature (pipelining) that requires filesystem sandboxing in order to work correctly but (as far as I can tell) there's no API to tell if sandboxing is enabled. We have resorted to workarounds like disabling windows (where sandboxing is not available) but this still causes confusing errors. Could we please expose such an API to rule authors?

[larsrc-google]

Before changing the API, I'd like to hear more precisely what you need to do based on this information. Would it for instance be enough to be able to tag rules with "requires-sandbox" or somesuch?

[gigaroby]

Ideally I'd like to replace part 2 here with a call to something like is_filesystem_sandboxed(). I don't really need much else.

[larsrc-google]

So this determines whether you output an extra file with metadata? That's not something that can be determined that early. Only once the action graph has been built and execution has started will the process of figuring out what strategy to use (remote, sandboxed, worker, docker, ...) get initiated. So that's already a problem. Then there's the question of how to restrict whatever action actually creates that file to only run in a sandbox. We try hard to make it transparent to the rule how it actually gets run, as we want to get the same results regardless of strategy. What is it that makes this part require sandboxing when the rest doesn't? That's unusual.

[gigaroby]

The reason why I need to know is that we run two (very similar) instances of the same compiler. Those are similar enough that they emit the same file twice (but we only care about it from one of the rules). Without filesystem sandboxing, one compiler tries to overwrite the output of the other (and fails). Right now if we try to run with the feature enabled but without sandbox we get a very confusing (for the user) message about file permissions.

[larsrc-google]

That's not a good state to be in. Bazel assumes that a given output is only declared by one rule, the ActionConflictChecker checks for that. Are you only declaring it as an output from one of the rules, but the compiler for the other one happens to also write it? If so, you ought to be able to check what outputs you declare and adjust creating metadata.