sandbox: Allow network access by default, unless a target has a "block-network" tag.

To block network access, you can set the "block-network" tag on a target like this:

genrule(
  name = "no_access_to_network",
  cmd = "curl http://www.bazel.io/this_will_fail",
  tags = [ "block-network" ],
)

This is needed to fix a performance issue due to a bug in the Linux kernel: https://lkml.org/lkml/2014/8/28/656

RELNOTES[INC]: Sandboxed actions can access the network by default, unless their target has a "block-network" tag.

--
MOS_MIGRATED_REVID=135470811
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
index 2f6c909..5d5f542 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
@@ -68,18 +68,9 @@
   }
 
   static boolean shouldAllowNetwork(BuildRequest buildRequest, Spawn spawn) {
-    // If we don't run tests, allow network access.
-    if (!buildRequest.shouldRunTests()) {
-      return true;
-    }
-
-    // If the Spawn specifically requests network access, allow it.
-    if (spawn.getExecutionInfo().containsKey("requires-network")) {
-      return true;
-    }
-
     // Allow network access, when --java_debug is specified, otherwise we can't connect to the
-    // remote debug server of the test.
+    // remote debug server of the test. This intentionally overrides the "block-network" execution
+    // tag.
     if (buildRequest
         .getOptions(BuildConfiguration.Options.class)
         .testArguments
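Review bot: The --java_debug override beginning at `if (buildRequest` is decided from build-wide test arguments before the spawn's own execution info is read, so it appears to lift "block-network" for every sandboxed spawn in the invocation, not only the test being debugged. The rest of the condition falls between this hunk and the next, so this is inferred from the visible `buildRequest.getOptions(...).testArguments` chain. If that breadth is intended, the comment should say so, for example `// Applies to every sandboxed spawn in this build, not only the test being debugged.`; otherwise the override could be limited to test spawns. The body of shouldAllowNetwork continues past the end of this hunk.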
@@ -87,7 +78,13 @@
       return true;
     }
 
-    return false;
+    // If the Spawn requests to block network access, do so.
+    if (spawn.getExecutionInfo().containsKey("block-network")) {
+      return false;
+    }
+
+    // Network access is allowed by default.
+    return true;
   }
 
   static void postActionStatusMessage(Executor executor, Spawn spawn) {
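Review bot: The final `return true` makes network isolation opt-in, so a spawn is cut off only when its execution info carries the exact key "block-network". A misspelt tag, or a rule that does not forward its tags into the execution info, leaves the action with network access and nothing reports it. shouldAllowNetwork (its signature is in the previous hunk) should get a Javadoc stating the precedence: debug override first, then "block-network", then allow. The Javadoc should also say that the removed "requires-network" key is no longer consulted. Hoisting the literal into a constant such as `static final String BLOCK_NETWORK_TAG = "block-network";` would give callers and tests a single spelling to reference.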