--sandbox_add_mount_pair ignored on OSX

[greggdonovan]

Please provide the following information. The more we know about your system and use case, the more easily and likely we can help.

Description of the problem / feature request / question:

I would like to use --sandbox_add_mount_pair to mount specific directories into the sandbox filesystem on both OSX and Linux, but this support was only added on Linux.

If possible, provide a minimal example to reproduce the problem:

DarwinSandboxedSpawnRunner is missing sandboxAdditionalMounts, but LinuxSandboxedSpawnRunner has them.

Environment info

• Operating System:

macOS Sierra 10.12.6

• Bazel version (output of bazel info release):

release 0.7.0-homebrew

[meteorcloudy]

//cc @xingao267 @philwo
Can we provide the same support for OS X?

[mboes]

I would likewise be very interested in this feature. It would allow using rules_nixpkgs without requiring any globally installed tool (which can only be installed locally if extra directories are mapped into the sandbox).

[jin]

Moving to the local exec team and back into the untriaged pool.

[jmmv]

Bind mounts don't exist on macOS (unless you use FUSE, which we don't rely on by default at this point), so I think the only way we could offer this right now is by replicating the tree into the sandbox using symlinks. Would that be sufficient? Are you still interested in this feature?

[jmmv]

If the flag exists on macOS, and it does, then we should make it work. Given what I said in the last reply, we cannot make it work as "mounts" (unless we use sandboxfs), but the symlinking approach may be a good compromise.

[greggdonovan]

@jmmv Thanks! I'm not actively using macOS, but we most of our Bazel users are. Combined with platform specific bazelrc this would be a nice way to make our builds more hermetic.

[github-actions]

Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 3 years. It will be closed in the next 14 days unless any other activity occurs or one of the following labels is added: "not stale", "awaiting-bazeler". Please reach out to the triage team (@bazelbuild/triage) if you think this issue is still relevant or you are interested in getting the issue resolved.

[github-actions]

This issue has been automatically closed due to inactivity. If you're still interested in pursuing this, please reach out to the triage team (@bazelbuild/triage). Thanks!

[honnix]

This feature request seems to be still valid. I don't exactly know how sandbox-exec works, but it seems to be possible to add more here

bazel/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedSpawnRunner.java

Lines 254 to 258 in 04f2b03

	out.println("(allow file-write*");
	for (Path path : writableDirs) {
	out.println(" (subpath \"" + path.getPathString() + "\")");
	}
	out.println(")");

. Is that right?

[tjgq]

Yes, I think this FR still makes sense, although we might not be able to prioritize it. cc @oquenchil

[honnix]

I tried something in #20336 . Not sure whether it is a sane approach. Can someone help me understand whether it is a good way to go forward? Thanks.

[honnix]

I tried something in #20336 . Not sure whether it is a sane approach. Can someone help me understand whether it is a good way to go forward? Thanks.

Can I get some help on this? I'm a first-time contributor and I literally don't know whether I'm doing something totally wrong 😄. Thanks. @tjgq or @oquenchil maybe?

[honnix]

Trying this again. Can some one help review the PR? Thanks.

[oquenchil]

Commented on the PR.