Clarify when sandboxing is enabled.
PiperOrigin-RevId: 386445443
diff --git a/site/docs/guide.md b/site/docs/guide.md
index f10ea35..5b29613 100644
--- a/site/docs/guide.md
+++ b/site/docs/guide.md
@@ -605,8 +605,10 @@
#### Sandboxed execution
-Bazel uses sandboxes to guarantee that actions run hermetically<sup>1</sup> and
-correctly. Bazel runs _Spawns_ (loosely speaking: actions) in sandboxes that
+NOTE: Sandboxing is enabled by default for local execution.
+
+Bazel can use sandboxes to guarantee that actions run hermetically<sup>1</sup>
+and correctly. Bazel runs _spawns_ (loosely speaking: actions) in sandboxes that
only contain the minimal set of files the tool requires to do its job. Currently
sandboxing works on Linux 3.12 or newer with the `CONFIG_USER_NS` option
enabled, and also on macOS 10.11 or newer.
diff --git a/site/docs/user-manual.html b/site/docs/user-manual.html
index 7796002..ba1df96 100644
--- a/site/docs/user-manual.html
+++ b/site/docs/user-manual.html
@@ -909,7 +909,9 @@
<code>sandboxed</code> causes commands to be executed inside a sandbox on the local machine.
This requires that all input files, data dependencies and tools are listed as direct
dependencies in the <code>srcs</code>, <code>data</code> and <code>tools</code> attributes.
- This is the default on systems that support sandboxed execution.
+
+
+ Bazel enables local sandboxing by default, on systems that support sandboxed execution.
</li>
<li>
