authorGravatar Philipp Wollermann <philwo@google.com>2015-08-25 14:43:10 +0000
committerGravatar Lukacs Berki <lberki@google.com>2015-08-26 07:38:34 +0000
commite0ac088ebef59ad8d6bf2b315434d7cce627000c (patch)
tree49b567e455668cef67dc35837485d65f3a1d0153
parente5994a957d382e1f81b97b647becee4c568302cc (diff)
Make sandboxed execution the default in Bazel. This should be safe, as the strategy is only used if your Linux kernel is new enough and your running system supports it. If this breaks you, please file a bug and you can always go back to non-sandboxed execution by using --spawn_strategy=standalone.
-- MOS_MIGRATED_REVID=101464269
-rw-r--r--site/docs/bazel-user-manual.html17
-rw-r--r--src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java33
-rw-r--r--src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java28
3 files changed, 53 insertions, 25 deletions
diff --git a/site/docs/bazel-user-manual.html b/site/docs/bazel-user-manual.html
index 2c615eea34..3a367ec530 100644
--- a/site/docs/bazel-user-manual.html
+++ b/site/docs/bazel-user-manual.html
@@ -952,6 +952,23 @@ $ bazel fetch //...
</p>
+<h4 id='sandboxing'>Sandboxed execution</h4>
+<p>
+ In order to guarantee hermeticity (i.e. the build does not use input files
+ that are not explicitly listed and does not produce output files that were
+ not expected to be created) and correctness, Bazel runs spawns (i.e. a
+ compiler invocation) in sandboxes that only contain the minimum necessary
+ set of files for the tool to run and do its work. Currently this works on
+ Linux 3.12 or newer with the CONFIG_USER_NS option enabled. Bazel will
+ print a warning if sandboxing cannot be used to alert you to the fact that
+ builds are not guaranteed hermetic and might affect the host system in
+ unknown ways.
+</p>
+<p>
+ To disable the warning about non-sandboxed execution, you can pass the
+ --ignore_unsupported_sandboxing flag to Bazel.
+</p>
+
<h3 id='clean'>Deleting the outputs of a build</h3>
<h4>The <code>clean</code> command</h4>
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java b/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java
index f8e0c7d5ed..380e05c83a 100644
--- a/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java
@@ -30,19 +30,26 @@ import java.util.Properties;
public final class BazelMain {
private static final String BUILD_DATA_PROPERTIES = "/build-data.properties";
- public static final List<Class<? extends BlazeModule>> BAZEL_MODULES = ImmutableList.of(
- com.google.devtools.build.lib.bazel.BazelShutdownLoggerModule.class,
- com.google.devtools.build.lib.bazel.BazelWorkspaceStatusModule.class,
- com.google.devtools.build.lib.bazel.BazelDiffAwarenessModule.class,
- com.google.devtools.build.lib.bazel.BazelRepositoryModule.class,
- com.google.devtools.build.lib.bazel.dash.DashModule.class,
- com.google.devtools.build.lib.bazel.rules.BazelRulesModule.class,
- com.google.devtools.build.lib.sandbox.SandboxModule.class,
- com.google.devtools.build.lib.standalone.StandaloneModule.class,
- com.google.devtools.build.lib.runtime.BuildSummaryStatsModule.class,
- com.google.devtools.build.lib.webstatusserver.WebStatusServerModule.class,
- com.google.devtools.build.lib.worker.WorkerModule.class
- );
+ /**
+ * The list of modules to load. Note that the order is important: In case multiple modules provide
+ * strategies for the same things, the last module wins and its strategy becomes the default.
+ *
+ * <p>Example: To make the "standalone" execution strategy the default for spawns, put it after
+ * all the other modules that provider spawn strategies (e.g. WorkerModule and SandboxModule).
+ */
+ public static final List<Class<? extends BlazeModule>> BAZEL_MODULES =
+ ImmutableList.of(
+ com.google.devtools.build.lib.bazel.BazelShutdownLoggerModule.class,
+ com.google.devtools.build.lib.bazel.BazelWorkspaceStatusModule.class,
+ com.google.devtools.build.lib.bazel.BazelDiffAwarenessModule.class,
+ com.google.devtools.build.lib.bazel.BazelRepositoryModule.class,
+ com.google.devtools.build.lib.bazel.dash.DashModule.class,
+ com.google.devtools.build.lib.bazel.rules.BazelRulesModule.class,
+ com.google.devtools.build.lib.worker.WorkerModule.class,
+ com.google.devtools.build.lib.standalone.StandaloneModule.class,
+ com.google.devtools.build.lib.sandbox.SandboxModule.class,
+ com.google.devtools.build.lib.runtime.BuildSummaryStatsModule.class,
+ com.google.devtools.build.lib.webstatusserver.WebStatusServerModule.class);
public static void main(String[] args) {
BlazeVersionInfo.setBuildInfo(tryGetBuildInfo());
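Review bot: The new Javadoc on BAZEL_MODULES documents the ordering rule but gives an example that contradicts the order the commit actually sets up, and it has a typo ("provider spawn strategies"): the list now places SandboxModule after WorkerModule and StandaloneModule, so sandboxed execution becomes the default, while the example describes how to make standalone the default. Because the effective default depends only on list position, a future reorder of these entries would silently change whether spawns run sandboxed, so the Javadoc should state the intended configuration where a reviewer of such a reorder will see it. I would replace the example paragraph with `<p>SandboxModule is deliberately listed after WorkerModule and StandaloneModule so that sandboxed execution is the default spawn strategy; keep it last among the strategy-providing modules.` and correct the typo to `provide spawn strategies`. The main method whose first statement closes the hunk continues outside it.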
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java
index 73d3682393..7c720dc698 100644
--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java
@@ -53,21 +53,25 @@ public class BazelRulesModule extends BlazeModule {
*/
public static class BazelExecutionOptions extends OptionsBase {
@Option(
- name = "spawn_strategy",
- defaultValue = "standalone",
- category = "strategy",
- help = "Specify how spawn actions are executed by default."
- + "'standalone' means run all of them locally."
- + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)")
+ name = "spawn_strategy",
+ defaultValue = "",
+ category = "strategy",
+ help =
+ "Specify how spawn actions are executed by default."
+ + "'standalone' means run all of them locally."
+ + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)"
+ )
public String spawnStrategy;
@Option(
- name = "genrule_strategy",
- defaultValue = "standalone",
- category = "strategy",
- help = "Specify how to execute genrules."
- + "'standalone' means run all of them locally."
- + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)")
+ name = "genrule_strategy",
+ defaultValue = "",
+ category = "strategy",
+ help =
+ "Specify how to execute genrules."
+ + "'standalone' means run all of them locally."
+ + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)"
+ )
public String genruleStrategy;
@Option(name = "strategy",
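Review bot: The rewritten help strings for spawn_strategy and genrule_strategy (the `+` lines following `help =`) still concatenate their sentences with no separating whitespace, so the rendered help reads `...by default.'standalone' means run all of them locally.'sandboxed' means...`; a leading space on each continuation fragment fixes it, e.g. `+ " 'standalone' means run all of them locally."` and `+ " 'sandboxed' means run them in namespaces based sandbox (available only on Linux)."`. The default also changed from `"standalone"` to `""`, but the help text does not say what an empty value means; presumably it defers to the strategy of the last strategy-providing module loaded (per the BAZEL_MODULES ordering this commit sets up), and that should be stated, e.g. `"If empty, the strategy registered last by the loaded modules is used."`, after confirming it against the strategy lookup. Since an unset value now selects sandboxing wherever the kernel supports it, the help is the main place a user learns that `--spawn_strategy=standalone` is the opt-out the commit message refers to. The BazelExecutionOptions class and the `strategy` option that opens the hunk's last line continue outside the hunk.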