Let the parent linux-sandbox process move its child process (linux-sandbox-pid1) into the cgroup using the child's non-namespaced pid rather than the child process moving itself into the cgroup with using pid 1. Also, make the cgroup mount readonly to the child linux-sandbox processes (pid1/pid2). This remedies the following situations: - Fixes issues in the linux-sandbox when dealing with cgroups mounted at /dev/cgroup (when not using systemd); since cgroups manipulation is now handled by the linux-sandbox parent process, it doesn't matter that the mount is readonly to the child processes. - This will prevent the linux-sandbox(ed) spawn (process pid2) from being able to overwrite any cgroups files, because we no longer need to (and no longer do) set the cgroup dir as writable to pid1/pid2. RELNOTES: Prevent linux-sandbox(ed) spawns from being able to write in the cgroups mount. PiperOrigin-RevId: 597195981 Change-Id: I9975d848498b1ede20b8401343ca7d3c452658a0
{Fast, Correct} - Choose two
Build and test software of any size, quickly and reliably.
Speed up your builds and tests: Bazel rebuilds only what is necessary. With advanced local and distributed caching, optimized dependency analysis and parallel execution, you get fast and incremental builds.
One tool, multiple languages: Build and test Java, C++, Android, iOS, Go, and a wide variety of other language platforms. Bazel runs on Windows, macOS, and Linux.
Scalable: Bazel helps you scale your organization, codebase, and continuous integration solution. It handles codebases of any size, in multiple repositories or a huge monorepo.
Extensible to your needs: Easily add support for new languages and platforms with Bazel's familiar extension language. Share and re-use language rules written by the growing Bazel community.
Follow our tutorials:
To report a security issue, please email security@bazel.build with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. Our vulnerability management team will respond within 3 working days of your email. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.
See CONTRIBUTING.md