-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sandbox doesn't work on macOS Big Sur when the sandbox directory is in a firm linked directory #13766
Comments
A followup from my conversation with Apple:
|
A bit amusing since SwiftPM is using it as well |
This diff fixes it for me: diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxModule.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxModule.java
index 4058f4bd5c..f4ead5c1eb 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxModule.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxModule.java
@@ -125,7 +125,7 @@ public final class SandboxModule extends BlazeModule {
env.getRuntime().getProductName(),
Fingerprint.getHexDigest(env.getOutputBase().toString()));
FileSystem fileSystem = env.getRuntime().getFileSystem();
- Path resolvedSandboxBase = fileSystem.getPath(options.sandboxBase).resolveSymbolicLinks();
+ Path resolvedSandboxBase = fileSystem.getPath(options.sandboxBase); // .resolveSymbolicLinks();
return resolvedSandboxBase.getRelative(dirName);
}
} I can start a PR if no one has any objections to it but it essentially reverts a piece of this commit. Namely,
I don't know if that would be considered a regression or if the diff should be conditioned to macOS... |
On macOS BigSur, the sandbox-exec command behaves slightly different than on Catalina when firm links are present. Resolving symlinks can prevent the sandbox for allowing write operations to the sandbox base. This effectively reverts a piece of 656a0ba, namely: > When using --experimental_sandbox_base, ensure that symlinks in the path are > resolved. Before this, you had to check whether on your system /dev/shm is a > symlink to /run/shm and then use that instead. Now it no longer matters, as > symlinks are resolved. See bazelbuild#13766 for full details.
That does sound like a regression, yes. Doing this only for MacOS would be better. |
Any tips on how to check if it's macOS? |
|
On macOS BigSur, the sandbox-exec command behaves slightly different than on Catalina when firm links are present. Resolving symlinks can prevent the sandbox for allowing write operations to the sandbox base. This effectively reverts a piece of 656a0ba on macOS, namely: > When using --experimental_sandbox_base, ensure that symlinks in the path are > resolved. Before this, you had to check whether on your system /dev/shm is a > symlink to /run/shm and then use that instead. Now it no longer matters, as > symlinks are resolved. but I think this is okay since macOS doesn't have /dev/shm or /run. See bazelbuild#13766 for full details.
PR updated. Thanks for the tip @larsrc-google! |
On macOS BigSur, the sandbox-exec command behaves slightly different than on Catalina when firm links are present. Resolving symlinks can prevent the sandbox for allowing write operations to the sandbox base. This effectively reverts a piece of 656a0ba on macOS, namely: > When using --experimental_sandbox_base, ensure that symlinks in the path are > resolved. Before this, you had to check whether on your system /dev/shm is a > symlink to /run/shm and then use that instead. Now it no longer matters, as > symlinks are resolved. but I think this is okay since macOS doesn't have /dev/shm or /run. See bazelbuild#13766 for full details.
On macOS BigSur, the sandbox-exec command behaves slightly different than on Catalina when firm links are present. Resolving symlinks can prevent the sandbox for allowing write operations to the sandbox base. This effectively reverts a piece of 656a0ba, namely: > When using --experimental_sandbox_base, ensure that symlinks in the path are > resolved. Before this, you had to check whether on your system /dev/shm is a > symlink to /run/shm and then use that instead. Now it no longer matters, as > symlinks are resolved. See #13766 for full details. Closes #13984. PiperOrigin-RevId: 422319807
On macOS BigSur, the sandbox-exec command behaves slightly different than on Catalina when firm links are present. Resolving symlinks can prevent the sandbox for allowing write operations to the sandbox base. This effectively reverts a piece of 656a0ba, namely: > When using --experimental_sandbox_base, ensure that symlinks in the path are > resolved. Before this, you had to check whether on your system /dev/shm is a > symlink to /run/shm and then use that instead. Now it no longer matters, as > symlinks are resolved. See bazelbuild#13766 for full details. Closes bazelbuild#13984. PiperOrigin-RevId: 422319807 (cherry picked from commit 0de7bb9)
Is this fixed by #13984? |
Yeah |
On macOS BigSur, the sandbox-exec command behaves slightly different than on Catalina when firm links are present. Resolving symlinks can prevent the sandbox for allowing write operations to the sandbox base. This effectively reverts a piece of 656a0ba, namely: > When using --experimental_sandbox_base, ensure that symlinks in the path are > resolved. Before this, you had to check whether on your system /dev/shm is a > symlink to /run/shm and then use that instead. Now it no longer matters, as > symlinks are resolved. See bazelbuild#13766 for full details. Closes bazelbuild#13984. PiperOrigin-RevId: 422319807 (cherry picked from commit 0de7bb9)
On macOS BigSur, the sandbox-exec command behaves slightly different than on Catalina when firm links are present. Resolving symlinks can prevent the sandbox for allowing write operations to the sandbox base. This effectively reverts a piece of 656a0ba, namely: > When using --experimental_sandbox_base, ensure that symlinks in the path are > resolved. Before this, you had to check whether on your system /dev/shm is a > symlink to /run/shm and then use that instead. Now it no longer matters, as > symlinks are resolved. See #13766 for full details. Closes #13984. PiperOrigin-RevId: 422319807 (cherry picked from commit 0de7bb9) Co-authored-by: Oscar Bonilla <[email protected]>
Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 1+ years. It will be closed in the next 14 days unless any other activity occurs or one of the following labels is added: "not stale", "awaiting-bazeler". Please reach out to the triage team ( |
This issue has been automatically closed due to inactivity. If you're still interested in pursuing this, please reach out to the triage team ( |
macOS Catalina (10.*) introduced a security feature where the root filesystem is mounted read-only, and a mechanism for creating directories or symlinks at boot time called firmlinks. Since the root filesystem is read-only, a new volume mounted at
/System/Volumes/Data
is overlaid on top of the root filesystem and contains the mutable portions of the filesystem (more info here).When building with Bazel on a location that is firm linked from the root, and moving the sandbox to that same location by using the
--experimental_sandbox_base
flag:In macOS Catalina (10.15.7 to be precise), it works as expected.
However, that exact same sequence of operations on macOS Big Sur (11.4), produces the following error:
I have traced the problem to a difference on how
sandbox-exec
works in Big Sur when firm links are involved.If I create the following
sandbox.sb
file (modified from the actualsandbox.sb
that Bazel creates):And put it in an empty directory in
/export/home/tester/sb
, on macOS Catalina:Everything works as expected. However on macOS Big Sur:
However, if I change the line:
to remove the
/System/Volumes/Data
prefix (since I'm using that firm link through the symlink), I get the expected results in macOS Big Sur:Now, this could be a bug in how macOS handles firm links but Bazel could also avoid resolving symlinks (or firm links) on macOS to work around this. I will file a bug with Apple but the man page of
sandbox-exec
says the command is deprecated so I don't have high hopes there.The text was updated successfully, but these errors were encountered: