Collect --sandbox_debug output separately from stderr.

This avoids polluting the disk/remote cache entries with debug output, which would otherwise be replayed in subsequent cached builds.

Only non-worker Linux sandboxes are affected. Worker sandboxes, despite currently passing the debug flag to the sandbox process, never capture the worker stderr, so after this CL they will stop emitting debug output entirely. The process wrapper sandbox doesn't currently pass the debug flag, and remains that way. Finally, the Windows sandbox is experimental and provided by an external binary we don't control, so I'd rather not touch it in this CL.

Fixes #16689.

PiperOrigin-RevId: 537861949
Change-Id: Iacd8369d1c80b0dcceaad8d901d222c6592f98ce
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
index 21609de..cf80265 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxCommandLineBuilder.java
@@ -68,7 +68,7 @@
   private boolean useFakeRoot = false;
   private boolean useFakeUsername = false;
   private boolean enablePseudoterminal = false;
-  private boolean useDebugMode = false;
+  private String sandboxDebugPath = null;
   private boolean sigintSendsSigterm = false;
   private String cgroupsDir;
 
@@ -218,10 +218,10 @@
     return this;
   }
 
-  /** Sets whether to enable debug mode (e.g. to print debugging messages). */
+  /** Sets the output path for sandbox debugging messages. */
   @CanIgnoreReturnValue
-  public LinuxSandboxCommandLineBuilder setUseDebugMode(boolean useDebugMode) {
-    this.useDebugMode = useDebugMode;
+  public LinuxSandboxCommandLineBuilder setSandboxDebugPath(String sandboxDebugPath) {
+    this.sandboxDebugPath = sandboxDebugPath;
     return this;
   }
 
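Review bot: `setSandboxDebugPath` takes a `String` where `null` silently means "debug output off", but neither the Javadoc nor the signature says so; the same holds for the `= null` field initialiser in the first hunk. I would spell the contract out, e.g. `/** Sets the file that receives sandbox debugging messages; {@code null} (the default) disables them. */`, and mark the parameter and field `@Nullable` if this file already uses that annotation (the imports are outside the hunk). Because the value becomes a file the sandbox helper writes, the Javadoc could also say that callers are expected to pass a location outside the action's writable and output directories, so the log can neither be picked up as a cached output nor be modified by the sandboxed process. Where callers actually put it is not visible in this diff.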
@@ -306,8 +306,8 @@
     if (enablePseudoterminal) {
       commandLineBuilder.add("-P");
     }
-    if (useDebugMode) {
-      commandLineBuilder.add("-D");
+    if (sandboxDebugPath != null) {
+      commandLineBuilder.add("-D", sandboxDebugPath);
     }
     if (sigintSendsSigterm) {
       commandLineBuilder.add("-i");
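Review bot: The `sandboxDebugPath != null` check lets an empty string through, which would put `-D` on the command line followed by an empty argument; how the sandbox binary treats that is not visible here. A stricter guard such as `if (sandboxDebugPath != null && !sandboxDebugPath.isEmpty()) {` would avoid it, as would rejecting an empty value in `setSandboxDebugPath`. `-D` also changes from a bare flag to one that consumes the next argument, so a short comment that the sandbox binary must be built from the same revision would help anyone who pairs this builder with an older helper. The enclosing method starts and ends outside the hunk.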