sandbox:

- add flag --sandbox_add_path, which takes a list of additional paths as argument and mount these paths to sandbox. Fixes #884.
- mount target of /etc/resolv.conf if it is a symlink. Fixes #738.

RELNOTES:
- add flag --sandbox_add_path, which takes a list of additional paths as argument and mount these paths to sandbox.
- mount target of /etc/resolv.conf if it is a symlink.

--
MOS_MIGRATED_REVID=117364211

2 files changed, 47 insertions, 0 deletions

diff --git a/src/test/shell/bazel/BUILD b/src/test/shell/bazel/BUILD
index 03ea162397..bb19c0778c 100644
--- a/src/test/shell/bazel/BUILD
+++ b/src/test/shell/bazel/BUILD
@@ -274,6 +274,7 @@ sh_test(
     size = "large",
     srcs = ["bazel_sandboxing_test.sh"],
     data = [":test-deps"],
+    tags = ["local"],
 )
 
 sh_test(
diff --git a/src/test/shell/bazel/bazel_sandboxing_test.sh b/src/test/shell/bazel/bazel_sandboxing_test.sh
index e2227dc142..d0f9089764 100755
--- a/src/test/shell/bazel/bazel_sandboxing_test.sh
+++ b/src/test/shell/bazel/bazel_sandboxing_test.sh
@@ -149,6 +149,13 @@ genrule(
   outs = [ "breaks3.txt" ],
   cmd = "wc $(location :cyclic1) > $@",
 )
+
+genrule(
+  name = "check_sandbox_contain_WORKSPACE",
+  outs = [ "check_sandbox_contain_WORKSPACE.txt" ],
+  cmd = "ls -l $$(dirname \"$$(pwd)\") &> $@",
+)
+
 EOF
   cat << 'EOF' >> examples/genrule/datafile
 this is a datafile
@@ -372,6 +379,45 @@ EOF
   kill_nc
 }
 
+function test_sandbox_add_path_valid_path() {
+  output_file="${BAZEL_GENFILES_DIR}/examples/genrule/breaks2.txt"
+
+  bazel build --sandbox_add_path=/var/log examples/genrule:breaks2 &> $TEST_log \
+    || fail "Non-hermetic genrule failed: examples/genrule:breaks2 (with additional path)"
+
+  [ -f "$output_file" ] ||
+    fail "Action did not produce output: $output_file"
+
+  if [ $(wc -l < $output_file) -le 1 ]; then
+    fail "Output contained less than or equal to one line: $output_file"
+  fi
+}
+
+function test_sandbox_add_path_workspace_parent() {
+  output_file="${BAZEL_GENFILES_DIR}/examples/genrule/check_sandbox_contain_WORKSPACE.txt"
+  parent_path="$(dirname "$(pwd)")"
+
+  bazel build --sandbox_add_path=$parent_path examples/genrule:check_sandbox_contain_WORKSPACE &> $TEST_log \
+    || fail "Non-hermetic genrule succeeded: examples/genrule:works (with additional path)"
+  [ -f "$output_file" ] \
+    || fail "Genrule did not produce output: examples/genrule:check_sandbox_contain_WORKSPACE (with additional path: WORKSPACE/..)"
+  cat $output_file &> $TEST_log
+
+  # file and directory inside workspace (except project) should not be mounted
+  egrep "\bWORKSPACE\b" $output_file \
+    && fail "WORKSPACE file should not be mounted." || true
+}
+
+function test_sandbox_add_path_workspace_child() {
+  child_path="$(pwd)/examples"
+  output_file="${BAZEL_GENFILES_DIR}/examples/genrule/works.txt"
+
+  bazel build --sandbox_add_path=$child_path examples/genrule:works &> $TEST_log \
+    && fail "Non-hermetic genrule succeeded: examples/genrule:works (with additional path: WORKSPACE:/examples)" || true
+
+  expect_log "Mounting subdirectory of WORKSPACE or OUTPUTBASE to sandbox is not allowed"
+}
+
 # The test shouldn't fail if the environment doesn't support running it.
 check_supported_platform || exit 0
 check_sandbox_allowed || exit 0