
LD_LIBRARY_PATH cannot be set within the sandbox #4360

Open
@randomizedcoder


This is an issue ticket about the inability to set LD_LIBRARY_PATH, which I think mostly impacts users of Nix.

rules_go is very restrictive about which environment variables it allows into the sandbox, which means that you can't configure LD_LIBRARY_PATH, so clang can't link at runtime to a libxml2.so.2 within the sysroot.

Run this command to start an interactive shell in an identical sandboxed environment:
(exec env - \
    CC=external/toolchains_llvm++llvm+llvm_toolchain/bin/cc_wrapper.sh \
    CGO_ENABLED=1 \                                         <---- Can't set LD_LIBRARY_PATH here :(
    GOARCH=amd64 \
    GODEBUG='winsymlink=0' \                       <--- BTW - this seems like a bug on any system that isn't Windoze
    GOEXPERIMENT=nocoverageredesign \
    GOOS=linux \
    GOPATH='' \
    GOROOT=bazel-out/k8-fastbuild/bin/external/rules_go+/stdlib_ \
    GOROOT_FINAL=GOROOT \
    GOTOOLCHAIN=local \
    PATH=external/toolchains_llvm++llvm+llvm_toolchain/bin:/bin:/usr/bin \
    TMPDIR=/tmp \
    ZERO_AR_DATE=1 \
  /home/das/.cache/bazel/_bazel_das/install/254cc618fc52f01b2b1d5fd6ff343774/linux-sandbox -t 15 -w /dev/shm -w /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/execroot/_main -w /tmp -M /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/_hermetic_tmp -m /tmp -S /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/stats.out -D /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/debug.out -- /bin/sh -i)
ERROR: /home/das/Downloads/go_hello_world_race/BUILD.bazel:24:11: GoCompilePkg hello_lib.a failed: (Exit 1): linux-sandbox failed: error executing GoCompilePkg command 
  (cd /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/execroot/_main && \
  exec env - \
    CC=external/toolchains_llvm++llvm+llvm_toolchain/bin/cc_wrapper.sh \
    CGO_ENABLED=1 \
    GOARCH=amd64 \
    GODEBUG='winsymlink=0' \
    GOEXPERIMENT=nocoverageredesign \
    GOOS=linux \
    GOPATH='' \
    GOROOT=bazel-out/k8-fastbuild/bin/external/rules_go+/stdlib_ \
    GOROOT_FINAL=GOROOT \
    GOTOOLCHAIN=local \
    PATH=external/toolchains_llvm++llvm+llvm_toolchain/bin:/bin:/usr/bin \
    TMPDIR=/tmp \
    ZERO_AR_DATE=1 \
  /home/das/.cache/bazel/_bazel_das/install/254cc618fc52f01b2b1d5fd6ff343774/linux-sandbox -t 15 -w /dev/shm -w /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/execroot/_main -w /tmp -M /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/_hermetic_tmp -m /tmp -S /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/stats.out -D /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/sandbox/linux-sandbox/13/debug.out -- bazel-out/k8-opt-exec-ST-9bdd51060c36/bin/external/rules_go++go_sdk+go_sdk/builder_reset/builder compilepkg -sdk external/rules_go++go_sdk+go_sdk -goroot bazel-out/k8-fastbuild/bin/external/rules_go+/stdlib_ -installsuffix linux_amd64 -src hello.go -importpath github.com/das/go_hello_world_race -p github.com/das/go_hello_world_race -package_list bazel-out/k8-opt-exec-ST-9bdd51060c36/bin/external/rules_go++go_sdk+go_sdk/packages.txt -embedroot '' -embedroot bazel-out/k8-fastbuild-ST-59f9f3747111/bin -embedlookupdir . -embedlookupdir '' -lo bazel-out/k8-fastbuild-ST-59f9f3747111/bin/hello_lib.a -o bazel-out/k8-fastbuild-ST-59f9f3747111/bin/hello_lib.x -gcflags '' -cgo_go_srcs bazel-out/k8-fastbuild-ST-59f9f3747111/bin/hello_lib_/hello_lib.a.cgo -cppflags '-iquote . 
-iquote bazel-out/k8-fastbuild/bin -isystem external/+_repo_rules+bazel_sysroot_tarball/include -isystem bazel-out/k8-fastbuild/bin/external/+_repo_rules+bazel_sysroot_tarball/include' -cflags '-U_FORTIFY_SOURCE --target=x86_64-unknown-linux-gnu -U_FORTIFY_SOURCE -fstack-protector -fno-omit-frame-pointer -Wthread-safety -Wself-assign --sysroot=external/+_repo_rules+bazel_sysroot_tarball/ -no-canonical-prefixes -Wno-builtin-macro-redefined -D__DATE__="redacted" -D__TIMESTAMP__="redacted" -D__TIME__="redacted" -Iexternal/+_repo_rules+bazel_sysroot_tarball/include -fPIC' -cxxflags '-U_FORTIFY_SOURCE --target=x86_64-unknown-linux-gnu -U_FORTIFY_SOURCE -fstack-protector -fno-omit-frame-pointer -Wthread-safety -Wself-assign -std=c++17 -stdlib=libstdc++ --sysroot=external/+_repo_rules+bazel_sysroot_tarball/ -no-canonical-prefixes -Wno-builtin-macro-redefined -D__DATE__="redacted" -D__TIMESTAMP__="redacted" -D__TIME__="redacted" -fPIC' -objcflags '-U_FORTIFY_SOURCE --target=x86_64-unknown-linux-gnu -U_FORTIFY_SOURCE -fstack-protector -fno-omit-frame-pointer -Wthread-safety -Wself-assign --sysroot=external/+_repo_rules+bazel_sysroot_tarball/ -no-canonical-prefixes -Wno-builtin-macro-redefined -D__DATE__="redacted" -D__TIMESTAMP__="redacted" -D__TIME__="redacted" -Iexternal/+_repo_rules+bazel_sysroot_tarball/include -fPIC' -objcxxflags '-U_FORTIFY_SOURCE --target=x86_64-unknown-linux-gnu -U_FORTIFY_SOURCE -fstack-protector -fno-omit-frame-pointer -Wthread-safety -Wself-assign -std=c++17 -stdlib=libstdc++ --sysroot=external/+_repo_rules+bazel_sysroot_tarball/ -no-canonical-prefixes -Wno-builtin-macro-redefined -D__DATE__="redacted" -D__TIMESTAMP__="redacted" -D__TIME__="redacted" -fPIC' -ldflags '--target=x86_64-unknown-linux-gnu -no-canonical-prefixes -lm -fuse-ld=lld -Wl,--build-id=md5 -Wl,--hash-style=gnu -Wl,-z,relro,-z,now -l:libstdc++.a --sysroot=external/+_repo_rules+bazel_sysroot_tarball/ -Lexternal/+_repo_rules+bazel_sysroot_tarball/lib 
-Wl,-rpath,$ORIGIN/../../external/+_repo_rules+bazel_sysroot_tarball/lib -Wl,--no-as-needed -L bazel-out/k8-fastbuild/bin/_solib_k8/_U_S_S_Csystem_Udeps___Ulib -l :libxml2.so.2 -Lexternal/+_repo_rules+bazel_sysroot_tarball/lib -Wl,-rpath,$ORIGIN/../../external/+_repo_rules+bazel_sysroot_tarball/lib -Wl,--no-as-needed -lxml2')
external/toolchains_llvm++llvm+llvm_toolchain_llvm/bin/ld.lld: error while loading shared libraries: libxml2.so.2: cannot open shared object file: No such file or directory             <----- ERROR
clang: error: unable to execute command: No such file or directory
clang: error: linker command failed due to signal (use -v to see invocation)
compilepkg: error running subcommand external/toolchains_llvm++llvm+llvm_toolchain/bin/cc_wrapper.sh: exit status 1
Target //:hello_test failed to build
INFO: Elapsed time: 0.607s, Critical Path: 0.45s
INFO: 2 processes: 2 internal.
ERROR: Build did NOT complete successfully
//:hello_test                                                   FAILED TO BUILD

Executed 0 out of 1 test: 1 fails to build.

[das@t:~/Downloads/go_hello_world_race]$ 

However, if LD_LIBRARY_PATH can be set within the sandbox, then you can supply libxml2 shared libraries via a sysroot path, e.g.:

LD_LIBRARY_PATH=/home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/external/+_repo_rules+bazel_sysroot_tarball/lib /home/das/.cache/bazel/_bazel_das/2069c7e7bbea1cec17d73a6b1498e560/external/toolchains_llvm++llvm+llvm_toolchain_llvm/bin/lld --version
lld is a generic driver.
Invoke ld.lld (Unix), ld64.lld (macOS), lld-link (Windows), wasm-ld (WebAssembly) instead

The diagram of what I think is going on is here:
Image
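
A small log check for the failure above, as an added example that is not part of the original issue or of rules_go: it parses the `exec env -` block Bazel prints for a failed action, lists the variables that reached the sandbox, flags any dynamic-loader variables among them, and extracts the library the loader could not find. The sample log is constructed and abbreviated from the output quoted in the issue; the function names and the `/path/to/...` placeholders are assumptions.

```python
import re

# Variables the glibc dynamic loader honours; if one reaches the sandbox it
# changes which shared objects a tool such as ld.lld loads at start-up.
LOADER_VARS = {"LD_LIBRARY_PATH", "LD_PRELOAD", "LD_AUDIT"}

# Constructed sample, abbreviated from the failure output quoted in the issue.
SAMPLE = r"""
  (cd /path/to/execroot/_main && \
  exec env - \
    CC=external/toolchains_llvm++llvm+llvm_toolchain/bin/cc_wrapper.sh \
    CGO_ENABLED=1 \          <---- Can't set LD_LIBRARY_PATH here :(
    GODEBUG='winsymlink=0' \
    GOPATH='' \
    PATH=external/toolchains_llvm++llvm+llvm_toolchain/bin:/bin:/usr/bin \
    TMPDIR=/tmp \
  /path/to/linux-sandbox -t 15 -w /tmp -- builder compilepkg ...)
external/toolchains_llvm++llvm+llvm_toolchain_llvm/bin/ld.lld: error while loading shared libraries: libxml2.so.2: cannot open shared object file: No such file or directory
"""

ENV_START = re.compile(r"\benv\s+-\s*\\?$")             # the "exec env - \" line
ASSIGNMENT = re.compile(r"([A-Za-z_]\w*)=('[^']*'|\S*)")  # NAME=value or NAME='value'
LOAD_ERROR = re.compile(r"error while loading shared libraries: (\S+):")

def sandbox_env(log_text):
    """Return {NAME: value} for the first 'exec env -' block in the log."""
    env, in_block = {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = bool(ENV_START.search(line))
            continue
        m = ASSIGNMENT.match(line)   # anything after the value (e.g. a note) is ignored
        if m is None:                # first non-assignment line is the command itself
            break
        env[m.group(1)] = m.group(2).strip("'")
    return env

def audit(log_text):
    """Summarise what the sandboxed action was allowed to see and what failed to load."""
    env = sandbox_env(log_text)
    return {
        "allowed": sorted(env),
        "loader_vars_set": sorted(LOADER_VARS & env.keys()),
        "unresolved_libs": LOAD_ERROR.findall(log_text),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```
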
