6 files changed, 68 insertions, 39 deletions

diff --git a/src/main/java/com/google/devtools/build/lib/actions/BaseSpawn.java b/src/main/java/com/google/devtools/build/lib/actions/BaseSpawn.java
index 697645d730..dd2d5de509 100644
--- a/src/main/java/com/google/devtools/build/lib/actions/BaseSpawn.java
+++ b/src/main/java/com/google/devtools/build/lib/actions/BaseSpawn.java
@@ -31,9 +31,7 @@ import java.util.Map;
 import java.util.Set;
 import javax.annotation.concurrent.Immutable;
 
-/**
- * Base implementation of a Spawn.
- */
+/** Base implementation of a Spawn. */
 @Immutable
 public class BaseSpawn implements Spawn {
   private final ImmutableList<String> arguments;
@@ -72,12 +70,13 @@ public class BaseSpawn implements Spawn {
    * Returns a new Spawn. The caller must not modify the parameters after the call; neither will
    * this method.
    */
-  public BaseSpawn(List<String> arguments,
-     Map<String, String> environment,
-     Map<String, String> executionInfo,
-     RunfilesSupplier runfilesSupplier,
-     ActionExecutionMetadata action,
-     ResourceSet localResources) {
+  public BaseSpawn(
+      List<String> arguments,
+      Map<String, String> environment,
+      Map<String, String> executionInfo,
+      RunfilesSupplier runfilesSupplier,
+      ActionExecutionMetadata action,
+      ResourceSet localResources) {
     this(
         arguments,
         environment,
@@ -93,7 +92,8 @@ public class BaseSpawn implements Spawn {
    * Returns a new Spawn. The caller must not modify the parameters after the call; neither will
    * this method.
    */
-  public BaseSpawn(List<String> arguments,
+  public BaseSpawn(
+      List<String> arguments,
       Map<String, String> environment,
       Map<String, String> executionInfo,
       Map<PathFragment, Artifact> runfilesManifests,
@@ -110,10 +110,9 @@ public class BaseSpawn implements Spawn {
         ImmutableSet.<PathFragment>of());
   }
 
-  /**
-   * Returns a new Spawn.
-   */
-  public BaseSpawn(List<String> arguments,
+  /** Returns a new Spawn. */
+  public BaseSpawn(
+      List<String> arguments,
       Map<String, String> environment,
       Map<String, String> executionInfo,
       ActionExecutionMetadata action,
@@ -151,6 +150,11 @@ public class BaseSpawn implements Spawn {
   }
 
   @Override
+  public boolean hasNoSandbox() {
+    return executionInfo.containsKey("nosandbox");
+  }
+
+  @Override
   public boolean isRemotable() {
     return !executionInfo.containsKey("local");
   }
@@ -186,9 +190,11 @@ public class BaseSpawn implements Spawn {
 
     info.addAllArgument(getArguments());
     for (Map.Entry<String, String> variable : getEnvironment().entrySet()) {
-      info.addVariable(EnvironmentVariable.newBuilder()
-        .setName(variable.getKey())
-        .setValue(variable.getValue()).build());
+      info.addVariable(
+          EnvironmentVariable.newBuilder()
+              .setName(variable.getKey())
+              .setValue(variable.getValue())
+              .build());
     }
     for (ActionInput input : getInputFiles()) {
       // Explicitly ignore middleman artifacts here.
@@ -268,38 +274,38 @@ public class BaseSpawn implements Spawn {
   }
 
   @Override
-  public ActionOwner getOwner() { return action.getOwner(); }
+  public ActionOwner getOwner() {
+    return action.getOwner();
+  }
 
   @Override
-  public String getMnemonic() { return action.getMnemonic(); }
+  public String getMnemonic() {
+    return action.getMnemonic();
+  }
 
-  /**
-   * Convert a working dir + environment map + arg list into a Bourne shell
-   * command.
-   */
-  public static String asShellCommand(Collection<String> arguments,
-                                      Path workingDirectory,
-                                      Map<String, String> environment) {
+  /** Convert a working dir + environment map + arg list into a Bourne shell command. */
+  public static String asShellCommand(
+      Collection<String> arguments, Path workingDirectory, Map<String, String> environment) {
     // We print this command out in such a way that it can safely be
     // copied+pasted as a Bourne shell command.  This is extremely valuable for
     // debugging.
-    return CommandFailureUtils.describeCommand(CommandDescriptionForm.COMPLETE,
-        arguments, environment, workingDirectory.getPathString());
+    return CommandFailureUtils.describeCommand(
+        CommandDescriptionForm.COMPLETE, arguments, environment, workingDirectory.getPathString());
   }
 
-  /**
-   * A local spawn requiring zero resources.
-   */
+  /** A local spawn requiring zero resources. */
   public static class Local extends BaseSpawn {
-    public Local(List<String> arguments, Map<String, String> environment,
-        ActionExecutionMetadata action) {
+    public Local(
+        List<String> arguments, Map<String, String> environment, ActionExecutionMetadata action) {
       this(arguments, environment, ImmutableMap.<String, String>of(), action);
     }
 
-    public Local(List<String> arguments, Map<String, String> environment,
-        Map<String, String> executionInfo, ActionExecutionMetadata action) {
-      super(arguments, environment, buildExecutionInfo(executionInfo),
-          action, ResourceSet.ZERO);
+    public Local(
+        List<String> arguments,
+        Map<String, String> environment,
+        Map<String, String> executionInfo,
+        ActionExecutionMetadata action) {
+      super(arguments, environment, buildExecutionInfo(executionInfo), action, ResourceSet.ZERO);
     }
 
     private static ImmutableMap<String, String> buildExecutionInfo(
diff --git a/src/main/java/com/google/devtools/build/lib/actions/DelegateSpawn.java b/src/main/java/com/google/devtools/build/lib/actions/DelegateSpawn.java
index d72a686679..45a1496259 100644
--- a/src/main/java/com/google/devtools/build/lib/actions/DelegateSpawn.java
+++ b/src/main/java/com/google/devtools/build/lib/actions/DelegateSpawn.java
@@ -45,6 +45,11 @@ public class DelegateSpawn implements Spawn {
   }
 
   @Override
+  public boolean hasNoSandbox() {
+    return spawn.hasNoSandbox();
+  }
+
+  @Override
   public ImmutableList<Artifact> getFilesetManifests() {
     return spawn.getFilesetManifests();
   }
diff --git a/src/main/java/com/google/devtools/build/lib/actions/Spawn.java b/src/main/java/com/google/devtools/build/lib/actions/Spawn.java
index 3e24fdca19..a069db6209 100644
--- a/src/main/java/com/google/devtools/build/lib/actions/Spawn.java
+++ b/src/main/java/com/google/devtools/build/lib/actions/Spawn.java
@@ -36,6 +36,11 @@ public interface Spawn {
   boolean isRemotable();
 
   /**
+   * Returns true iff this command should be executed without a sandbox.
+   */
+  boolean hasNoSandbox();
+
+  /**
    * Out-of-band data for this spawn. This can be used to signal hints (hardware requirements,
    * local vs. remote) to the execution subsystem.
    *
diff --git a/src/main/java/com/google/devtools/build/lib/analysis/actions/SpawnAction.java b/src/main/java/com/google/devtools/build/lib/analysis/actions/SpawnAction.java
index 612d661442..6e34e0ffbd 100644
--- a/src/main/java/com/google/devtools/build/lib/analysis/actions/SpawnAction.java
+++ b/src/main/java/com/google/devtools/build/lib/analysis/actions/SpawnAction.java
@@ -506,6 +506,7 @@ public class SpawnAction extends AbstractAction implements ExecutionInfoSpecifie
     private ParamFileInfo paramFileInfo = null;
     private String mnemonic = "Unknown";
     private ExtraActionInfoSupplier<?> extraActionInfoSupplier = null;
+    private boolean disableSandboxing = false;
 
     /**
      * Creates a SpawnAction builder.
@@ -656,6 +657,13 @@ public class SpawnAction extends AbstractAction implements ExecutionInfoSpecifie
         env = this.environment;
       }
 
+      if (disableSandboxing) {
+        ImmutableMap.Builder<String, String> builder = ImmutableMap.builder();
+        builder.putAll(executionInfo);
+        builder.put("nosandbox", "1");
+        executionInfo = builder.build();
+      }
+
       return createSpawnAction(
           owner,
           tools,
@@ -1137,5 +1145,10 @@ public class SpawnAction extends AbstractAction implements ExecutionInfoSpecifie
       paramFileInfo = new ParamFileInfo(parameterFileType, charset, flagPrefix, always);
       return this;
     }
+
+    public Builder disableSandboxing() {
+      this.disableSandboxing = true;
+      return this;
+    }
   }
 }
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java
index 7634e33af2..ad09fa34a0 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxedStrategy.java
@@ -151,7 +151,7 @@ public class DarwinSandboxedStrategy extends SandboxStrategy {
     Executor executor = actionExecutionContext.getExecutor();
 
     // Certain actions can't run remotely or in a sandbox - pass them on to the standalone strategy.
-    if (!spawn.isRemotable()) {
+    if (!spawn.isRemotable() || spawn.hasNoSandbox()) {
       SandboxHelpers.fallbackToNonSandboxedExecution(spawn, actionExecutionContext, executor);
       return;
     }
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
index 0e38d0d891..3d60a8416e 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
@@ -90,7 +90,7 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
     Executor executor = actionExecutionContext.getExecutor();
 
     // Certain actions can't run remotely or in a sandbox - pass them on to the standalone strategy.
-    if (!spawn.isRemotable()) {
+    if (!spawn.isRemotable() || spawn.hasNoSandbox()) {
       SandboxHelpers.fallbackToNonSandboxedExecution(spawn, actionExecutionContext, executor);
       return;
     }