fix run_under command

--
Change-Id: I765eaa6f0ecb31508eaf41f88be989f8e1169c51
Reviewed-on: https://bazel-review.googlesource.com/#/c/5711
MOS_MIGRATED_REVID=131934871

1 files changed, 6 insertions, 0 deletions

diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
index e3da6ab6a2..3f559babff 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
@@ -40,18 +40,21 @@ final class DarwinSandboxRunner extends SandboxRunner {
   private final Path argumentsFilePath;
   private final Set<Path> writableDirs;
   private final Set<Path> inaccessiblePaths;
+  private final Path runUnderPath;
 
   DarwinSandboxRunner(
       Path sandboxPath,
       Path sandboxExecRoot,
       Set<Path> writableDirs,
       Set<Path> inaccessiblePaths,
+      Path runUnderPath,
       boolean verboseFailures) {
     super(sandboxPath, sandboxExecRoot, verboseFailures);
     this.sandboxExecRoot = sandboxExecRoot;
     this.argumentsFilePath = sandboxPath.getRelative("sandbox.sb");
     this.writableDirs = writableDirs;
     this.inaccessiblePaths = inaccessiblePaths;
+    this.runUnderPath = runUnderPath;
   }
 
   static boolean isSupported() {
@@ -113,6 +116,9 @@ final class DarwinSandboxRunner extends SandboxRunner {
       for (Path inaccessiblePath : inaccessiblePaths) {
         out.println("(deny file-read* (subpath \"" + inaccessiblePath + "\"))");
       }
+      if (runUnderPath != null) {
+        out.println("(allow file-read* (subpath \"" + runUnderPath + "\"))");
+      }
 
       // Almost everything else is read-only.
       out.println("(deny file-write* (subpath \"/\"))");